I was recently asked the question, “Where does the CSO belong in an organization?”
It is an intriguing question, and one that I hear many professionals discuss with fervor. Currently, most CSOs report to the CIO or CTO. In a few cases, they report to the Chief Risk Officer (CRO) or to Legal. One position many of us hear is that the CSO should report directly to the CEO so that their voice is heard and security is made a priority.
Where does the question originate?
Decades ago, security was rudimentary, and security breaches were rarely seen as having a meaningful business impact. As attacks evolved, breaches became more costly and more embarrassing, yet security was still often viewed as a less-than-material issue. Security professionals clamored for organizations to take security more seriously.
Various organizations attempted to step in and remedy this problem through regulation (Sarbanes-Oxley, PCI, HIPAA) and standards (ISO 27001, SOC 2). In the midst of all this activity, security professionals began to take up the cause that they “needed a seat at the table”, a reference to needing a direct audience with executives. While some regulations mandated the creation of ‘Chief Security Officers’ and ‘Chief Privacy Officers’, none have (yet) stated a mandatory reporting structure.
It is in this landscape that I take up the question: “Where should the CSO report in an organization?”
“Risk and Opportunity are two sides of the same coin”
Security’s role is to help the organization realize the opportunity it is pursuing by addressing the risks that can destroy that opportunity.
At face value, the preceding statement seems to fit easily with everyone’s perception of what security does. However, there is a subtlety in the statement that might be overlooked. The goal of security is “to help the organization realize the opportunity”. How often have you heard a security team say “over my dead body” or “that will never happen”, reflecting outright resistance to a project or a technology? I’ve heard it said about online banking in the early 2000s. I heard it said about mobile payments in the early 2010s. My point isn’t that opportunities proceed despite security, but rather that they have proceeded by solving for security. They have succeeded by creating solutions that made it possible for them to work.
You might ask what this has to do with where a CSO reports. I’ll give you a very simple answer: the CSO and the security group should exist in the structure that enables them to best collaborate with the groups generating opportunities. Security should be just as embedded in building the solutions that lead to opportunities as everyone else in the organization.
It is all about how to contribute
Based on the view that a CSO should be in a position to collaborate and contribute to opportunities, there are some natural outcomes. The CSO should:
* Inform teams developing opportunities about the probable security threats that can have a meaningful impact on their opportunities.
* Collaborate with and help teams working on opportunities to design solutions that mitigate the security risks with the greatest impact on the opportunity. (If you say they must address all risks, then we need to have a discussion on how we all pursue opportunities without absolute certainty that they will succeed.)
* Ensure that security, regulatory, and compliance regimens are met by designing, building, and operating the opportunities in ways that still allow the opportunity to proceed.
* Focus on early engagement, collaboration, frequent testing, and early feedback on all security issues.
There is one outstanding question in all of this: who enforces ‘the rules’ when a team or opportunity does not follow the security or compliance regimens? In my opinion, that is up to the executive team and the board of directors. The CSO’s role is to inform and provide guidance, not to enforce or punish.
The CSO should:
* Identify security incidents and risks that can disrupt the opportunity
* Refine designs with a focus on making the opportunity a success, and ensuring it stays that way
The CSO should not:
* Play enforcer. This conflates the roles of enforcer and guide. When security thinks of itself as an enforcement function, it separates itself from those creating opportunity. It creates an “us-vs-them” dynamic that is counter to building. What is needed is an “us” approach that helps to create solutions that are secure, that meet regulatory and compliance regimens, and that protect the opportunity from the risks that can disrupt it.
So, back to the original question: where should the CSO report?
At the end of the day, where the CSO reports should be a reflection of where he is best positioned to inform and contribute to the opportunities of the organization, rather than where he can wield the largest stick of enforcement.
If the CSO acts as a Chief Risk Officer and informs and collaborates with opportunities and initiatives outside of IT (such as legal risks, workplace safety, or business continuity), then the role can be one that reports into the senior executive team. Their position becomes a reflection of the cross-organizational role that they play. Care should be taken not to simply conflate the roles of CSO and CRO: the role and responsibilities of a CRO within a financial services organization are much broader than the skills of most CSOs.
If the CSO is focused only on IT issues, then that CSO should remain within the IT organization and report to the CIO. Their role is to collaborate with the IT organization for the sake of the success of IT opportunities.
CSOs should not lose sight of the fact that security issues are only one of many risks that can make an opportunity fail! While breaches can cause losses, delayed projects also cause losses in sunk costs and lost opportunities. This should by no means diminish the role of the CSO, as their work helps an opportunity succeed as much as any other part of the organization, but let’s not inflate the importance of security over the need for an organization to take risks, experiment, and pursue new opportunities. For the CSO, that should be an opportunity to help the organization take these chances in ways that balance risk and opportunity.