The Complicated Relationship Between CIOs and CSOs
Modernizing Authentication — What It Takes to Transform Secure Access
Security expert Eric Cole discusses Target's gigantic data breach, a company's need for a CIO and CSO, and what CSOs wish CIOs understood about security.
How can CIOs and CSOs work together better? What has made CIO-CSO relationships work in situations you've observed?
In order for the CIO and CSO to have an effective working relationship, they must have clear boundaries of responsibility. Typically what works best is for the CSO to define the proper level of security, the CIO to implement the security, and the auditor to validate that the security is being done correctly.
The security that is defined by the CSO should be based off of metrics that are used as a reporting structure to the executives so they can understand the proper level of risk to accept for the organization. Metrics-based security is key to success. With metrics there are clear guidelines of what must be done and an easy way to measure compliance.
How can CIOs help convince their CEO and board of directors that their organization needs a CSO?
As more and more breaches become public, it is easier to convince executives that they need a CSO. The problem is, many CIOs don’t want a CSO because it is easier for the CIO to accomplish their job if they control all aspects of the IT infrastructure. Imagine someone coming in and pointing out security flaws and vulnerabilities. Therefore, it is rare that the CIO will lobby for a CSO.
There needs to be another advocate convincing the CEO. The simple questions to sell the CEO include “Are you comfortable with the level of security at your organization? and Are you receiving the proper security metrics to make decisions?” The problem today is many CEOs want to create a CSO position, but the CIO convinces them they do not need one for the reasons previously stated.
From a CSO's perspective, what do you think CIOs don't understand about security today?
Typically, CIOs do not understand security because that is not their job. CIOs are often measured on uptime and availability. Five 9s is a common benchmark used to measure the success of a CIO. While security could potentially impact uptime, it is not the primary driver and, therefore, often not a top priority for the CIO.
The bigger problem is many organizations know they need to have a CSO, but they do not know what they need them to do. Since they do not have clear requirements, they promote another person within the company to be the CSO. The problem is the person has minimal to no security experience. Since CSO is a relatively new field, finding someone with the proper skills is important, but if the person responsible for security does not understand security, it will do more damage than good.
Looking ahead to the rest of 2014, what cybersecurity trends should CIOs be more aware of?
Organizations need to remember that no matter what is implemented, an organization will be targeted, will be attacked, and will be compromised. Organizations need to recognize that they are going to be attacked. Therefore, prevention is ideal but detection is a must.
Organizations need to recognize that this trend of stealthy, targeted, and data-focused attacks is going to continue, unless they perform more timely detection. The key motto that organizations need to follow is “Prevention is ideal but detection is a must; however, detection without response has minimal value.” Prevent-Detect-Respond is the secret to having effective security this year and in future years.
In terms of cybersecurity threats, what worries you the most?
What worries me the most is that organizations are still looking for the silver bullet to solve all security problems. It does not exist. To protect themselves, organizations must focus on the core areas of security. The Critical Controls is a great starting point. The second thing that worries me is organizations are still not focusing energy on defense. Penetration testing is important, forensics is important, but if you do not have proper defense, organizations will still suffer monetary losses. Only by implementing an effective cyberdefense, will organizations start to win and get ahead of the curve.
About the Author
Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. To read his previous CIO Insight article, “The Future of Enterprise Mobility" click here.