CSOs, CIOs: Who's in Control?
Bill Spernow's problems began soon after he was hired as the new chief information security officer at the Georgia Student Finance Commission in 2001. The agency, which issues loans to state high school students going on to college, suddenly discovered that its applicants' Social Security numbers were showing up on the Internet. Spernow's job: Secure the enterprise and keep it secure. "The operational folks under the CIO weren't doing the job," says Spernow. "So they brought me in the door."
For Spernow, a former security consultant, making the commission's Web site more secure soon translated into conflict with the CIO, who like Spernow, reported directly to the nonprofit's executive director. It began after Spernow set up an alert system to page him every time the site went down so that he could make sure the problem wasn't security related. But the CIO deleted the setup, preventing Spernow from getting the bad news as fast as possible. The reason, he says: She didn't want the agency's executive director to find out about the alerts. "The CIO didn't want it revealed that the job wasn't being done," he says.
Other conflicts arose. At one point, the CIO wanted to install intermittent tape backups to handle disaster recovery, while Spernow preferred disc-to-disc images that exactly replicated the information on the system. He won. "That was a typical battle," says Spernow, who has since left the commission, a victim of state budget cuts. "When we couldn't agree, we let the executive director decide."
In Spernow's view, he was fortunate to be able to take such disagreements to a higher authority. But it's an atypical setup. And it brings out the inevitable potential for conflict between CIOs and chief information security officers. "The CISO has goals that conflict with the CIO's," says Roberta Witty, a research director at Gartner Inc. "The CIO's job is to make sure that technology gets implemented according to timespans, budget, etc. The CISO's role is to make sure it gets implemented safely." Meanwhile, the two may compete for the same funds to do their jobsall under the umbrella of hazy and contradictory corporate security policies. The question that remains: How are these competing goals best served?
Many independent security analysts believe the solution is to position security officers at a peer level with the CIO and have them report directly to the CEO or COO. This setup, they insist, makes security a business issue, not an IT issue. But that's still a rare occurrence. According to this month's CIO Insight research on security management (page 61), more than a quarter of all companies have no chief security officer at all, and of those that do, more than half report to the CIO. This despite the fact that 90.2 percent of CIOs feel confident in their level of information security protection. "Shoot-from-the-hip security management is the norm in IT organizations," says Steve Hunt, an analyst at Forrester Research. "The trouble is that most CISOs don't have the training, internal power structure, staff or budget to get anything done."
Yet most companies get by with a less powerful CISO. At AFLAC, the primary driver is CIO Jim Lester, two levels above Joel Garmon, director of IT security. Accountable to the CIO, Garmon requests security standards for application development, along with other operational matters. He has also aligned the 10-person strong IT security unit along functional lines. This helps the $10.3 billion life and health insurer to be more efficient at providing service to its business units, Garmon says. "The business unit manager's job is to make the company profitable," he says. "My job is to make sure they're doing their job securely." That translates into a lot of negotiation. "If a business unit manager wants to put customer data on the company's Web site, I say, great, let's see how we can do that," says Garmon. Then the business units state their requirements and Garmon states his, typically centering on how much functionality he can give them securely. "You look at the cost benefits and decide what you're going to work out," he says.
Still, the potential for miscommunication is rife, Garmon concedes. "The business units view security as an inhibitor rather than an enabler," he says. As the chief communicator, Garmon must stay in touch with as many as 10 business unit liaisons per project. He also holds weekly and monthly cross-team meetings with IT management. "We discuss all the projects that are going, not just the big ones," he says. "I make sure we're plugged into the right areas and focused on critical issues."
The dark side to the less powerful CISO position, though, is that the managers are stuck lobbying for more influence. So CISOs willing to take matters into their own hands must invent their jobs as they go along. And it's an uphill battle, with all too many CIOs keeping a hammerlock on security since they're ultimately responsible. "Too many CISOs are like figureheads," says Forrester's Hunt. "It's the Tom Ridge syndrome."
As important as it is for a higher authority to referee the conflicts between the CIO and CISO, the best solution, according to some, is to design the organization so that authority for both resides with the CIO. That's the position taken by Mark Doll, a partner and director of security services for Ernst & Young. "Do you need a CSO independently implementing security in a different vein from the CIO? No, the CIO should be baking security in, putting it into every process, every new application, every new component, engineering it into the quality-assurance program," says Doll.
"This is starting to trickle down in terms of what I'll call accountability and responsibility in corporate America," Doll adds. "The most successful CIOs, the ones who are going to be on the cover of your magazine in five years, will be the ones who had the most controlled organization, the secure organization, who could be an adapter but still be secure and in control. It's not going to be the guy who says, 'I slammed in seven applications in six months, look how fast I am. I moved all my production offshore and saved 22 cents.' Leading CIOs who are business-oriented and who get the technologythose are the ones to whom CEOs will look to drive the control agenda into the organization."