The new C-level position appearing in companies nationwide is the Chief Security Officer. While different businesses handle this role differently, the CSO is commonly charged with responsibility for strategic vision and leadership in the provision and management of all security functions in support of the company's goals and objectives. ASIS provides an excellent source for understanding this role. Its Chief Security Officer Guideline can be accessed at www.asisonline.org.
The CSO and CIO appear to be set up for conflict. To better understand the nature of the tension and evaluate its legitimacy, we should look at the target achievements for each role. What makes these two professionals sit up and take notice?
Let's start with the CIO. What yardsticks does the organization use to determine whether the CIO is effective? They include system and network availability, system and network throughput, system response times, and innovative uses of new technology to enhance and support business objectives. The CIO makes sure things can be done and gets them done efficiently and cost-effectively. The CIO often has a level of responsibility for the security of the corporation's information as well, but indirectly or through the influence of other resources, like the CISO.
The CSO, on the other hand, is responsible for the security of the information and assets of the corporation. He lives in a world of risk assessments and risk management, policy and governance, access controls, prevention controls, detection controls and mitigation strategies. The CSO prevents bad things from happening to information and assets. He has a responsibility for ensuring availability of information as well, but indirectly or through the influence of others.
To illuminate these differences, we can look at where the CIO and the CSO each focus their attention in several security scenarios and functions.
- Theft of a laptop. The CSO is responsible for preventing theft and investigating it when it occurs. If the laptop has sensitive information on it, the CSO must consider the safety of trade secrets, privacy issues, company confidential information, and the recovery of that information. The CIO may also have an interest in the lost information; however, if the information is recoverable from a backup, the CIO is often done at that point. The CSO has to answer questions such as how many thefts have occurred this year, their cost, and what the company is doing about it.
- Managing a firewall. In some companies, the operational aspects of firewalls fall under the CIO, while the policy and governance of the use of the firewalls is controlled by the CSO. In others, firewalls fall under direct control of technical security staff under the CSO. All this depends on each executive's level of expertise.
- Controlling an IP-enabled CCTV system. The CSO is on point for requirements, governance, operational controls and use of the system. The CIO provides the appropriate bandwidth and availability of the connections over the corporate backbone.
These examples illustrate that the overlap between these positions can be peaceful. But there are plenty of examples out there of the relationship not working the way it should.
Let's consider two examples that illustrate some of the potential tensions in the CSO/CIO relationship.
Example 1. The CIO complains that the CSO's security controls are slowing things down. The impact of the security controls is perceived to be interfering with the delivery of business benefit to application users. The complaint revolves around a proposed business-to-business connection over the Internet. The company, a financial institution, wants to take advantage of a particular vendor of services and needs to establish a network connection with that vendor.
The CSO has a rigorous process that screens potential vendor connections for a battery of security-related issues and controls to ensure no connection presents an unreasonable risk to the organization. The connection is evaluated based on risk management, compensating controls, mitigation strategies and recovery considerations. Establishing all of this takes some time. In addition, because the company is a financial institution, it requires anyone requesting access to its network to undergo a criminal background check. The vendor in question does not have a criminal background check to offer and refuses to submit to one out of philosophical disagreement with that concept. Therefore, the connection is rejected on the grounds that it violates company policy. The CIO is being criticized for not finding a solution to the challenge, but he feels that the CSO is inflexible and is not offering any other solution to meet the need.