Example 2: The CSO complains that the CIO's networking staff is compromising corporate security by running fast and loose. The CSO has established corporate governance, policy and procedure for the security configuration and management of the network perimeter. These policies encompass firewalls, routers, hubs, switches, and other key network components. A network security audit discovers that a number of wireless access points throughout the network did not go through any security review or risk analysis when implemented. They were installed by network support staff to speed up the resolution of network service tickets.
Effectively, in the interest of providing superior response times to service requests, the network security was compromised. Now the CSO is being criticized for being unaware of the exposure, but the CSO feels the CIO is not supporting security requirements. In both cases, there is ample opportunity for teamwork and mutual support. For various reasons this simply did not happen. In both cases each person feels the other created the problem. The end result of each example is increased cost and business delays.
The Ideal Relationship
The CIO and the CSO need each other. Each of them has a functional degree of overlap with the other. Each can assist in the successful completion of the other's responsibilities, and each can negatively impact the other if they do not have a solid working relationship. I attend trade shows and conferences from both the physical security world and the information security world. Both sides recognize that convergence is taking place at least in the technology used by both groups, if not in the functions themselves. Both feel that they should lead the charge to the ideal CSO position in corporate America.
Ironically, both sides seem to feel they are the only ones who truly understand what security is all about. My experience tells me that neither of those disciplines has any natural ownership of this topic, nor does either have an automatic advantage over the other. I believe the talent and ability of the individuals involved will determine who will lead that charge.
To quote Richard P. Tracy, CSO of Telos and Xacta Corporations: "Based on research, security is clearly a critical business priority. The CIO position owns the overall responsibility for IT performance and return on investment, while the emerging CSO position champions secure computing practices. These different objectives can result in unproductive tension between two important executive positions. For organizations to realize the maximum business efficiencies without exposing the IT infrastructure to dangerous vulnerabilities or compromising the integrity of information assets, a cultural shift must occur by which CIOs and CSOs forge synergistic, rather than siloed, relationships based on common goals."
Since they effectively speak the same language, the CSO and CIO have the opportunity for mutual respect and support. They can start by simply getting to know each other and spending some time finding out each other's goals and objectives. With that level of understanding they can develop a dialog for mutual support.
I've always believed in the philosophy that anyone in a leadership position needs to be focused externally. A leader's job is not to win, it is to help his peers, his subordinates, and of course his boss, be winners. Think of the CIO and the CSO as the offense and defense of a football team. If one of them is successful and the other is not, the whole team loses.
Eduard Telders has been the security manager for PEMCO Financial Services for 16 years. His responsibilities include physical security, information security, corporate contingency planning and safety programs. Mr. Telders has been providing security management for information and physical security in the banking, insurance, and financial industries since 1981. He is active in a number of security trade groups and associations, such as ASIS and ISACA, and has been a frequent contributor of security articles and speaking engagements for journals, conferences and seminars.