"The CSO, by definition of their job, would like things to be more stringent than a CIO would practically allow," says Marc Hoit, interim CIO and professor of civil and coastal engineering at the University of Florida.
Some argue a CSO should not report directly to a CIO, as happens at the University of Florida and many other organisations. Just as you wouldn't want a financial controller reporting to an auditor, a company's chain of command should give the CSO somewhere to turn when the CIO takes on too much risk, argues Andreas M. Antonopoulos, senior vice president and founding partner of Nemertes Research.
"The job of the CIO is to maximise return on investment, which by definition requires taking risk," Antonopoulos says. "The job of the CSO is to maximise the amount of risk a company can take safely without going over the company's [preferred level of] risk tolerance."
When CSOs see too much risk being taken, "they can't report to the person who's creating risk," he says. "The thing is, it's the job of the CIO to create risk. That's what innovation is."
Even CIOs and CSOs who report having amicable relationships with their security or technology counterpart acknowledge there is a fundamental conflict between the roles.
"The goal of the CIO is to get the application deployed today," says Joseph Granneman, chief technology and security officer for the Rockford Memorial Hospital in Illinois. "When you add security analysis to the front end of a project, sometimes it can delay it. If you do find security risks, that's not good news for the CIO."
Granneman, who reports to his CIO, says they have developed a strong working relationship over the past decade. CSOs must accept that businesses are in the business of accepting risk, Granneman says. Compromise is essential: "There's always a way to get them what they need to make the business run," he says. "That's what you're really there for. You are not there to say 'no'. You are there to say 'no, but'."
At the Caregroup Healthcare System in Boston, CIO John Halamka says the CSO - who reports to him - would prefer to have very few websites available on the public internet. Before making data available on the website, Halamka says he and the CSO evaluate the potential risk and classify it into one of four categories, which range from no risk at all to a risk that could compromise many patient records.
"We do a risk assessment of each website... and then engineer a security solution that is appropriate for the level of protection needed. The balance between ease of use and the need for security is ensured using this objective approach," Halamka writes in an e-mail.
The University of Florida's Hoit acknowledges that having the security officer report to the CIO makes life simpler - for the CIO. "It makes it a little easier," he says.
Ruling with an iron fist, however, isn't the right approach, Hoit says, and it wouldn't work at the university. Big decisions involve a governance committee consisting of IT staff from each school - and then they must be considered by a faculty committee, deans, administrators and a faculty senate.
The university is trying to find a proper way to ensure the security of student data, as federal law requires, while giving professors easy access to files they need for grading. "Open, transparent conversation" involving input from multiple parties is the key to finding a good compromise, Hoit says.
Beyond securing applications and the personal information of customers and employees, businesses must comply with regulatory standards, such as Sarbanes-Oxley, the Payment Card Industry data security standard and the Health Insurance Portability and Accountability Act.
CSO do's, don'ts
Antonopoulos argues that when a CSO must report to a CIO, the business is more likely to pursue too-risky technologies and skirt the edges of compliance.
"The CSO should have the equivalent powers you would give to an auditor or audit department and should report, ideally, to the board," Antonopoulos says. "That's actually higher than a CIO, quite frankly.... We believe the CSO should be an officer of the company. His duty should lie with the shareholders. The CSO is controlling the risk of the company so as not to expose the shareholders to the most risk."
The CSO also should not be allowed to take only risk into consideration, he says. The best way to avoid risk, he notes, is to close a business entirely. Antonopoulos recommends tying the financial compensation of security officers to their ability to balance risk and innovation.
The location of the CSO in an organisation is what "largely impacts the dialogue and potential conflicts you have," says Lloyd Hession, CSO of BT Radianz in New York City. Hession reports to his CEO, making the CIO his peer, he says. This has pros and cons, he notes. Being outside the technology group, Hession must make a concerted effort to understand the needs of IT. But it also gives him a better view of what is happening in the business at large, he says.
"You police yourself to the point where you only try to achieve what you know makes sense for the business," he says.
Hession says he also faces additional pressure to reach agreements with department heads because nobody wants to waste the CEO's time with an unresolved conflict.
To whom should CSOs report?
In a very small minority of companies, the CIO reports to the CSO. This happens in financial services and other companies where regulatory compliance poses a huge burden, Antonopoulos says.
In 30% of companies, the CSO works for the CIO, Antonopoulos says. There are probably 15 other types of reporting relationships in the remaining 70% of businesses, he adds.
One approach has the CSO reporting to the security team. Sunoco has considered this, but CIO Peter Whatnell says he is concerned security executives will not understand the needs of IT. Currently, the CSO works for Whatnell.
"We have talked several times about, should our CSO move into the security organisation," Whatnell says. "We're not opposed to that, but we just think there's a level of maturity on their side to understand what's the difference between somebody scaling a barbed-wire fence as opposed to... trying to access our accounts-payable system."
At WebEx Communications in California, CSO Randy Barr reports to the general counsel. Barr used to report to a CIO, but WebEx has not had one since it was acquired by Cisco.
"It's actually better [reporting to legal counsel] in my opinion," Barr says. "There is a lot of work we have to do which may impact regulatory requirements... [The legal team] can immediately confirm what it is we need to do to meet regulatory concerns. They don't make a lot of decisions on the IT or operations side that would present a conflict."