CIOs, CSOs struggle with conflicting roles

Relationship of CIO and CSO must balance security, risk and the need for innovation
By Jon Brodkin, Network World, 07/05/2007

This is the third in a series of stories on key security issues being discussed at The Security Standard event scheduled for Sept. 10-11 in Chicago.

Any chief security officer can tell you there’s a fine line between managing risk and fostering innovation. And the CSO’s relationship with the company’s CIO largely determines where that line is drawn.

“The chief security officer, by definition of their job, would like things to be more stringent than a CIO would practically allow,” says Marc Hoit, interim CIO and professor of civil and coastal engineering at the University of Florida.

Some argue a CSO should not report directly to a CIO, as happens at the University of Florida and many other organizations. Just as you wouldn’t want a financial controller reporting to an auditor, a company’s chain of command should give the CSO somewhere to turn when the CIO takes on too much risk, argues Andreas M. Antonopoulos, senior vice president and founding partner of Nemertes Research.

“The job of the CIO is to maximize return on investment, which by definition requires taking risk,” Antonopoulos says. “The job of the CSO is to maximize the amount of risk a company can take safely without going over the company’s [preferred level of] risk tolerance.”

When CSOs see too much risk being taken, “they can’t report to the person who’s creating risk,” he says. “The thing is, it’s the job of the CIO to create risk. That’s what innovation is.”

Fundamental conflict

Even CIOs and CSOs who report having amicable relationships with their security or technology counterpart acknowledge there is a fundamental conflict between the roles.

“The goal of the CIO is to get the application deployed today,” says Joseph Granneman, chief technology and security officer for the Rockford Memorial Hospital in Illinois. “When you add security analysis to the front end of a project, sometimes it can delay it. Or if you do find security risks, that’s not good news for the CIO.”
