- Bank Web sites full of security holes
- SCO Group: Its future is all used up
- Maligned feature being added to IPv6
- I returned my iPhone 3G after six days!
- VPNs: Six burning questions
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
This is the third in a series of stories on key security issues being discussed at The Security Standard event scheduled for Sept. 10-11 in Chicago.
Any chief security officer can tell you there’s a fine line between managing risk and fostering innovation. And the CSO’s relationship with the company’s CIO largely determines where that line is drawn.
“The chief security officer, by definition of their job, would like things to be more stringent than a CIO would practically allow,” says Marc Hoit, interim CIO and professor of civil and coastal engineering at the University of Florida.
Some argue a CSO should not report directly to a CIO, as happens at the University of Florida and many other organizations. Just as you wouldn’t want a financial controller reporting to an auditor, a company’s chain of command should give the CSO somewhere to turn when the CIO takes on too much risk, argues Andreas M. Antonopoulos, senior vice president and founding partner of Nemertes Research.
“The job of the CIO is to maximize return on investment, which by definition requires taking risk,” Antonopoulos says. “The job of the CSO is to maximize the amount of risk a company can take safely without going over the company’s [preferred level of] risk tolerance.”
When CSOs see too much risk being taken, “they can’t report to the person who’s creating risk,” he says. “The thing is, it’s the job of the CIO to create risk. That’s what innovation is.”
Even CIOs and CSOs who report having amicable relationships with their security or technology counterpart acknowledge there is a fundamental conflict between the roles.
“The goal of the CIO is to get the application deployed today,” says Joseph Granneman, chief technology and security officer for the Rockford Memorial Hospital in Illinois. “When you add security analysis to the front end of a project, sometimes it can delay it. Or if you do find security risks, that’s not good news for the CIO.”
Rss FeedRss Feed
If the IT manager is knowledgeable regarding Cisco technology, he would have 2 options. Option 1 - Consult...- Anonymous
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment