A disturbing disconnect between CSOs and CIOs
Bill Brenner reached a troubling conclusion as he reported this year's Global Information Security Survey results: CSOs and CIOs are not exactly on the same page when it comes to corporate security.
By Bill Brenner, Senior Editor
September 28, 2010 — CSO
I can always tell how comfortable a person is with the concept of information security when I interview them. Someone who really has a passion for it and knows their stuff will keep me on the phone for hours and take me deep into the weeds of their procedures. Someone who is uncomfortable will simply clam up.
As I did the reporting for the Eighth Annual Global Information Security Survey -- which CSO conducts each year along with sister publication CIO and PricewaterhouseCoopers -- I noticed a few things. Of the 12,847 respondents, only 6.5 percent described themselves as a chief information officer. Meanwhile, CSOs and CISOs were asked who they report to. Most said the company CEO or board of directors. Less than a quarter of respondents said they report to the CIO.
After more than six years of writing about various security surveys, I've learned you should never take the numbers as gospel. Survey numbers are ALWAYS open to interpretation. There are a lot of hidden variables that go into a final number. So while those numbers stuck out for me, I didn't draw any conclusions.
Instead, it was time to get on the phone with some CSOs and CIOs to see how the numbers reflected their own realities.
The CSOs and CISOs lined up to be interviewed quickly. Ken Pfeil, CSO for a large mutual fund company in the Boston area, was brutally honest with me about the security problems found in business partnerships and cloud computing, for example.
Then I started reaching out to CIOs.
I had a long list of names and contact information given to me by my friends at CIO magazine. I sent out some 30 e-mails and lost count of the phone calls I made. In the end, I found three CIOs who were willing to talk. One of them, James Pu, does double duty as his organization's security officer.
The rest either didn't respond or sent me back nice, apologetic notes on how they simply weren't able to discuss security issues.
It's no big deal. Being told "no" is one of those things you deal with a lot as a journalist. I also got the sense that some of them would have been happy to talk but were pressured by corporate communications people to beg off.
I mentioned the trouble I was having with CIOs to one of my security associates, who shall remain nameless because his response was: "That's because when it comes to security, a lot of CIOs don't know what they're talking about."