Dividing the security pie: Who should get what?

In the 1980s and 1990s, organizations recognized that information was strategic to their operations and that they needed to put a Chief Information Officer in charge of IT. But in this era of cyberattacks, it is hard, if not impossible, to isolate IT from security. Quite often, however, the relationship between the Chief Information Officer (CIO) and the Chief Security Officer (CSO) has been a frosty one, marked by no small amount of tension and frequent turf battles.

The friction originates in the fact that the dividing line between CIOs and CSOs is blurry. What's more, not all CIOs are enamored of the idea that there ought to be an independent CSO function in the reporting structure. (Clearly, they are still getting used to the concept; consider that only half of CIOs report that their organizations actually employ a CSO.)

But that history doesn’t mean there can’t be fruitful collaboration.

Indeed, 38% of CIOs surveyed by IDG reported that they already meet with their CSO or CISO (Chief Information Security Officer) on a daily basis, while 65% interact at least once a week. They also share a joint interest in making sure that line of business execs don’t jam through technology solutions without first letting them examine the potential security ramifications.

Unfortunately, there is no fixed demarcation between the two functions, and the line of separation varies from company to company. Still, a working relationship is key, and management can take steps to improve it by clarifying the respective roles.

Don't put the CSO under the CIO. The security function should exist in an independent structure, as part of a separate organization outside of IT. That is also the way to prevent conflicts of interest while maintaining a vigorous watchdog posture: a CIO is measured on delivery and uptime, and a CSO who reports to the CIO is under pressure to soften findings that threaten either. The CSO should report directly to the CEO or another C-level official in order to offer independent assessments of the organization's information security preparedness.

Let CIOs set overall practices for technology deployment and define the security controls for the organization. It should also be up to CIOs to build and operate the cybersecurity infrastructure.

CSOs have a complementary, not subservient, role and should take charge of verifying those controls through auditing and testing. They should also be able to advise top management freely on information security and asset protection without needing to look over their shoulders.

CIOs and CSOs should hold frequent strategy sessions to review cybersecurity readiness along with new regulatory and compliance issues. Both sides should coordinate on vetting the security implications of new technologies such as cloud computing or the Internet of Things before they are adopted.

No single blueprint guarantees that CSOs and CIOs will always work hand in glove. If they do cooperate, however, they can work together to mitigate the many tactical and strategic cybersecurity challenges that loom on the horizon. What is certain is that the threats will not stop coming. That should be incentive enough to put aside corporate politics, roll up their sleeves, and figure out how to make their odd-couple relationship work.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.