The Complicated Relationship Between CIOs and CSOs

By Jack Rosenberger  |  Posted 03-11-2014
Eric Cole

The Complicated Relationship Between CIOs and CSOs

By Jack Rosenberger

In the wake of the news that Target's profit fell more than 40 percent during the fourth quarter of 2013, due in large part to a data breach that affected up to 110 million customers, CIO Insight interviewed Eric Cole, a SANS Institute Faculty Fellow and the head of SANS's Cyber Defense Foundations program, about the Target breach, how the retailer's lack of a chief security officer (CSO) might have affected the incident's outcome, the complicated relationship between CIOs and CSOs, and upcoming cybersecurity trends.

A lot of people were surprised when Beth M. Jacob, Target's CIO, resigned last week, following the fallout from the retailer's massive data breach. What are your thoughts about these events?

Eric Cole: When a major event like this occurs, someone needs to be held responsible for the negligence. Therefore, it is not surprising that someone was blamed for the breach. What was surprising, however, is that security was a responsibility of the CIO. The fact that a large organization did not have a separate CSO, who is a peer with the CIO, is most concerning about this story.

Clearly, many things went wrong during the Target breach and whoever had the responsibility of security needs to be held accountable. However, it was not fair that the executives structured the company in the way they did. Running the IT infrastructure, which is typically a role of the CIO, and protecting the information, which is typically a role of the CSO, are two different roles. It is unfair to have one person expected to do both effectively.

What should Target have done to prevent the data breach or mitigate its impact, but didn't?

First and foremost, organizations of any size, especially one the size of Target, need to have an executive that is responsible for security. With the large interdependence that organizations have on a digital infrastructure, security needs to have a seat at the table in the boardroom. If security gets buried under IT, whose primary responsibility is running a reliable infrastructure, bad decisions will be made and breaches will happen.

Second, there should have been a more keen focus on both the infrastructure and device security. From an infrastructure perspective, better segmenting with proper boundary defense would have reduced the impact of one system having full visibility into the entire network. From a device security perspective, organizations need to perform asset inventory, configuration management and strict change control. Organizations cannot protect what they do not know. If the organization had more carefully tracked and secured the devices on its network, it could have better managed the impact of the breach.

What's your opinion of Target's cryptology practices?

The golden rule of cryptography is “the secrecy of the information is based on the secrecy of the key, not the secrecy of the algorithm.” Key management is the core to success in using cryptography. In the case of Target, plain text, unencrypted information was stolen. Therefore, if the information is not encrypted and protected at all times, an organization is only as secure as the weakest link. If you do not encrypt the information, cryptography cannot do its job.

In order to ensure success with cryptography, organizations must follow three core components of the cryptographic lifecycle: 1) protecting the information at rest, 2) protecting the information in transit, and 3) protecting and managing the keys. There is no partial credit with security. If an organization does not all do all three, cryptography will not work correctly.

Target had a CIO, but not a CSO. How might the lack of a CSO have contributed to Target's data breach?

Not having a CSO today is like a football team not having a quarterback. You can have the best playbook in the world, but if you do not have someone on the field calling the plays, you are not going to win many games. In order for organizations to be successful, they must have a reliable infrastructure and proper protection of information. If an organization only has a CIO and not a CSO, no one is focusing in on security, which means bad things will happen. Lack of a CSO means a lack of security.

It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives. There needs to be a communication path from the engineers to the CEO, and the CSO is that channel. Without a CSO, the proper security communication does not make it to the executives. Therefore, if the Target executives had received the proper information about security, my guess is they would have made different decisions and this story would potentially have a happy ending.

The Complicated Relationship Between CIOs and CSOs

How can CIOs and CSOs work together better? What has made CIO-CSO relationships work in situations you've observed?

In order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly.

The security that is defined by the CSO should be based off of metrics that are used as a reporting structure to the executives so they can understand the proper level of risk to accept for the organization. Metrics-based security is key to success. With metrics there are clear guidelines of what must be done and an easy way to measure compliance.

How can CIOs help convince their CEO and board of directors that their organization needs a CSO?

As more and more breaches become public, it is easier to convince executives that they need a CSO. The problem is, many CIOs don’t want a CSO because it is easier for the CIO to accomplish their job if they control all aspects of the IT infrastructure. Imagine someone coming in and pointing out security flaws and vulnerabilities. Therefore, it is rare that the CIO will lobby for a CSO.

There needs to be another advocate convincing the CEO. The simple questions to sell the CEO include “Are you comfortable with the level of security at your organization? and Are you receiving the proper security metrics to make decisions?” The problem today is many CEOs want to create a CSO position, but the CIO convinces them they do not need one for the reasons previously stated.

From a CSO's perspective, what do you think CIOs don't understand about security today?

Typically, CIOs do not understand security because that is not their job. CIOs are often measured on uptime and availability. Five 9s is a common benchmark used to measure the success of a CIO. While security could potentially impact uptime, it is not the primary driver and, therefore, often not a top priority for the CIO.

The bigger problem is many organizations know they need to have a CSO, but they do not know what they need them to do. Since they do not have clear requirements, they promote another person within the company to be the CSO. The problem is the person has minimal to no security experience. Since CSO is a relatively new field, finding someone with the proper skills is important, but if the person responsible for security does not understand security, it will do more damage than good.

Looking ahead to the rest of 2014, what cybersecurity trends should CIOs be more aware of?

Organizations need to remember that no matter what is implemented, an organization will be targeted, will be attacked, and will be compromised. Organizations need to recognize that they are going to be attacked. Therefore, prevention is ideal but detection is a must.

Organizations need to recognize that this trend of stealthy, targeted, and data-focused attacks is going to continue, unless they perform more timely detection. The key motto that organizations need to follow is “Prevention is ideal but detection is a must; however, detection without response has minimal value.” Prevent-Detect-Respond is the secret to having effective security this year and in future years.

In terms of cybersecurity threats, what worries you the most?

What worries me the most is that organizations are still looking for the silver bullet to solve all security problems. It does not exist. To protect themselves, organizations must focus on the core areas of security. The Critical Controls is a great starting point. The second thing that worries me is organizations are still not focusing energy on defense. Penetration testing is important, forensics is important, but if you do not have proper defense, organizations will still suffer monetary losses. Only by implementing an effective cyberdefense, will organizations start to win and get ahead of the curve.

About the Author

Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. To read his previous CIO Insight article, “The Future of Enterprise Mobility" click here.