Much of the discourse around enterprise IT security has centered on tools and best practices.
The vital question of who ultimately has ownership of what aspect of security is often left unanswered.
In many enterprises, says one expert, there’s a confusion and misunderstanding about the “security” responsibilities of two key stakeholders: the Chief Information Officer (CIO) and the Chief Security Officer (CSO).
Perceptions of and approaches to security often vary significantly between these two executives and their teams, according to Syd Hancock, who coordinates the information systems security program at Algonquin College in Ottawa.
For instance, he said, it’s not uncommon in the CIO world to hear sentiments such as “Security is getting in my way,” along with the complaint that CSOs are unwilling or unable to understand technical issues.
Likewise, he said, the CSO team often doesn’t trust CIO staff to acknowledge threats and vulnerabilities if doing so gets in the way of system design. “All they (CIO staff) care about is performance,” is the common gripe from the CSO side.
According to Hancock, the conflict between the two sides has grown steadily as the two positions matured. It arose because in the past the CSO had never been comfortable with technical security issues and tended to leave them to the CIO. Now the trend is to ensure the CSO is well trained in technical security issues. CIOs, he said, see security as one of many things they need to take care of, and that makes CSOs a little nervous.
“The CSO is expected to know the total state of security within a company. You can’t know that if someone else owns a major part of the security pie without sharing it.”
According to Hancock, while both executives want a piece of the security pie, it is the CEO who is the final arbiter.
It is the CEO’s responsibility, he said, to set the rules for IT security, such as compliance with legislation, improving client and public confidence, and demonstrating due diligence in managing resources. Then the CEO should get the CIO and CSO to sit down together and divvy up the pie based on those rules.
Failure to do so, he said, could have unfortunate consequences. For example, Hancock said, if a company does business with the government and security is part of the contract, security needs to be addressed comprehensively; if it is not, the contract could be in jeopardy. Also, if a company is not seen to be taking care of sensitive privacy information, customers and partners can sue it. “If they don’t have a grip on security then their systems can be hacked and used against other companies. Then two things can happen: police come knocking on your door and the CIO and CSO point fingers at each other.”
To stop the blame game, Hancock said, the security pie should be divided up immediately.
He suggests the CIO should be responsible for such things as technical security standards and procedures, as well as security software and hardware. CSO responsibilities, he said, should be in the areas of physical and personnel security, information security, security threat assessments, and security investigations.
Then there are the grey areas where both the CIO and the CSO want responsibility, such as security policy, security audit, and certification of systems. Responsibilities can be re-delegated at any time if certain functions are not working for either the CIO or the CSO.
Hancock believes that even with the IT security pie divided up, there will always be some tension between the CIO and the CSO. But if their roles are clearly defined, it becomes much easier for the CEO and the board of directors to point out who does what if they are ever audited.