CIOs, CSOs struggle with conflicting roles

This is the third in a series of stories on key security issues being discussed at The Security Standard event scheduled for Sept. 10-11 in Chicago.

Any chief security officer can tell you there’s a fine line between managing risk and fostering innovation. And the CSO’s relationship with the company’s CIO largely determines where that line is drawn.

“The chief security officer, by definition of their job, would like things to be more stringent than a CIO would practically allow,” says Marc Hoit, interim CIO and professor of civil and coastal engineering at the University of Florida.

Some argue a CSO should not report directly to a CIO, as happens at the University of Florida and many other organizations. Just as you wouldn’t want a financial controller reporting to an auditor, a company’s chain of command should give the CSO somewhere to turn when the CIO takes on too much risk, argues Andreas M. Antonopoulos, senior vice president and founding partner of Nemertes Research.

“The job of the CIO is to maximize return on investment, which by definition requires taking risk,” Antonopoulos says. “The job of the CSO is to maximize the amount of risk a company can take safely without going over the company’s [preferred level of] risk tolerance.”

When CSOs see too much risk being taken, “they can’t report to the person who’s creating risk,” he says. “The thing is, it’s the job of the CIO to create risk. That’s what innovation is.”

Fundamental conflict

Even CIOs and CSOs who report having amicable relationships with their security or technology counterpart acknowledge there is a fundamental conflict between the roles.

“The goal of the CIO is to get the application deployed today,” says Joseph Granneman, chief technology and security officer for the Rockford Memorial Hospital in Illinois. “When you add security analysis to the front end of a project, sometimes it can delay it. Or if you do find security risks, that’s not good news for the CIO.”