CIO vs CSO: Between The Lines of Roles

We are often confused about who is to blame when security fails. There is a long-running dilemma, the “CIO vs CSO” question, that keeps employers and customers guessing.

Whenever a breach occurs, it often serves as a reality check for a business: it reveals the weaknesses in its security approach.

The Need for a CSO

One of those revelations is that the CIO (Chief Information Officer) is usually the one blamed. That happens when the company has placed all of its security responsibilities on the CIO’s shoulders. In fact, some companies do not have a CSO (Chief Security Officer) at all.

More importantly, organizations need an executive who is solely in charge of security. That is the role the CSO fills.

Furthermore, appointing a security officer is something the company must address.

IT’s primary responsibility is to run a reliable infrastructure. If security is buried inside IT, bad decisions will happen and breaches will occur.

Unfortunately, if an organization has only a CIO and no CSO, further damage may follow.

If success is what you are aiming for, reliable infrastructure and proper protection must mesh together.

Lack of a CSO Means A Lack of Security

A security team may scream and yell about security issues, but the problem is that no advocate at the executive level is listening to them. Isn’t that an error in the organizational structure?

Quite frankly, engineers need a line of communication with the CEO. The CSO provides that bridge. Without a CSO, critical security information does not make it to the executive level.

As more breaches become public, it should become easier to convince executives that they need a CSO. The real problem is that many CIOs do not want to have a CSO, because it is easier for them to perform their jobs if they control all aspects of the IT infrastructure.

Equal representation

The Chief Information Officer and Chief Security Officer need to be allies and have equal representation in the board room. Typically the CIO will report to the COO (Chief Operating Officer), and the CSO will report to the CFO (Chief Financial Officer).

Then, the COO and CFO report directly to the CEO (Chief Executive Officer). Whatever the organizational framework, CIOs and CSOs must have separate reporting lines.

For the CIO and CSO to have a productive working relationship, they must have clear limits of accountability.

The arrangement that typically works best is for the CSO to determine the precise level of security required, the CIO to implement it, and the auditor to confirm that the implementation matches what was specified.

The level of security determined by the CSO should be based on metrics that reflect the organization’s acceptable level of risk. It also needs to offer clear guidelines on what must be done and provide an easy way to gauge compliance.

Dividing Line

What is the dividing line? The CIO builds and operates technology, while the CSO provides security direction, audit and testing, and secure implementation guidance.

This is why many companies have changed their reporting structure, moving the CSO outside the CIO’s chain of command to preserve independence of interests and accountability.
