Network World

Why can't CIOs and CSOs just get along?

Technology chiefs and security officers don’t always see eye-to-eye on IT priorities.
By Cara Garretson, Network World, 09/12/2007

CHICAGO – IT chiefs and security officers might seem likely to view the corporate world similarly from their C-level positions, but that’s often not the case.

To explain why, the CIO of one company and the CSO of another took the stage at The Security Standard conference in Chicago Tuesday and aired some universal gripes that these executives typically have about each other.

If CIOs would be more forthcoming with their technology plans and consult CSOs in advance, security professionals wouldn’t be put in the position of always having to retrofit security, said Andy Ellis, senior director of information security and chief security architect with Akamai.

“Maybe in the long run we could reduce the amount of risk we have,” he said.

But Geir Ramleth, senior vice president and CIO at Bechtel, has a different impression of what happens when CIOs ask CSOs for advice.

“Security people have this phrase, ‘yes, but…’” he said. “They want to agree with you, but only for three letters long and then they go on: ‘Yes, but we should really have a policy on this.’ OK, fine, go and write one.”

The phrase Ramleth dislikes the most? “‘Yes, but you have to wait.’ That means ‘I agree with you, but I don’t agree with you, and therefore I’m going to mess you up,’” he said.

Ellis also has a pet-peeve phrase: “When you bring a risk forward and [take the time to] explain it, I get ‘I don’t see why that matters.’ Maybe I didn’t communicate the risk well enough, but it’s often used as a defense mechanism. That means ‘If it’s not clear to me, I don’t have to do anything about it.’”

Both executives agreed that part of the conflict stems from the fact that they have different missions. For most CIOs, security is important, but not the top priority.

“Speed, agility, and serving the needs of the business often drives you. It doesn’t mean we do all those things and then think about security, but [it’s not] top priority,” Ramleth said. “At Bechtel, we’re a project company, so risk to us is anything that changes the scope, budget, and schedule [of a project]. The CSOs out there change the scope, increase the budget, and [what they do] takes longer than I expected.”

Having more information about the business drivers behind technology decisions would help CSOs understand the priorities, Ellis added. “If we understand the business problem and we can get security in there first, maybe we can do it in an agile function,” he said.

Comments (3)

Why can't CIOs and CSOs just get along
By Anonymous on September 13, 2007, 6:18 pm
CIOs and CSOs should be the best of friends especially in today's online environment. But that is only if the CSO doesn't report to the CIO. An independent CSO...


RE: Why can't CIOs and CSOs just get along?
By kwinegardner on September 13, 2007, 11:09 am
From the responses in the article, I am wondering if Mr. Ramleth has ever had the pleasure of experiencing a breach, or an enterprise wide DDoS? It seems that those...


RE: Why can't CIOs and CSOs just get along?
By Anonymous on September 12, 2007, 4:43 pm
This is truly the situation in the current industry situation. We security guys always get the look of "what else do you want to block off" when confront the IT...
