CSO do's, don'ts
Antonopoulos argues that when a CSO must report to a CIO, the business is more likely to pursue too-risky technologies and skirt the edges of compliance.
"The CSO should have the equivalent powers you would give to an auditor or audit department and should report, ideally, to the board," Antonopoulos says. "That's actually higher than a CIO, quite frankly. . . . We believe the CSO should be an officer of the company. His duty should lie with the shareholders. The CSO is controlling the risk of the company so as not to expose the shareholders to the most risk."
The CSO also should not be allowed to take only risk into consideration, he says. The best way to avoid risk, he notes, is to close a business entirely. Antonopoulos recommends tying the financial compensation of security officers to their ability to balance risk and innovation.
The location of the CSO in an organization is what "largely impacts the dialogue and potential conflicts you have," says Lloyd Hession, CSO of BT Radianz in New York City. Hession reports to his CEO, making the CIO his peer, he says. This has pros and cons, he notes. Being outside the technology group, Hession must make a concerted effort to understand the needs of IT. But it also gives him a better view of what is happening in the business at large, he says.
"You self-police yourself to the point where you only try to achieve what you know makes sense for the business," he says.
Hession says he also faces additional pressure to reach agreements with department heads because nobody wants to waste the CEO's time with an unresolved conflict.
To whom should CSOs report?
In a very small minority of companies, the CIO reports to the CSO. This happens in financial services and other companies where regulatory compliance poses a huge burden, Antonopoulos says.
In 30 percent of companies, the CSO works for the CIO, Antonopoulos says. There are probably 15 other types of reporting relationships in the remaining 70 percent of businesses, he adds.
One approach has the CSO reporting to the security team. Sunoco has considered this, but CIO Peter Whatnell says he is concerned security executives will not understand the needs of IT. Currently, the CSO works for Whatnell.
"We have talked several times about, should our CSO move into the security organization," Whatnell says. "We're not opposed to that, but we just think there's a level of maturity on their side to understand what's the difference between somebody scaling a barbed-wire fence as opposed to . . . trying to access our accounts-payable system."
At WebEx Communications, CSO Randy Barr reports to the general counsel. Barr used to report to a CIO, but WebEx hasn't had one since it was acquired by Cisco.
"It's actually better [reporting to legal counsel] in my opinion," Barr says. "There is a lot of work we have to do which may impact regulatory requirements. . . . [The legal team] can immediately confirm what it is we need to do to meet regulatory concerns. They don't make a lot of decisions on the IT or operations side that would present a conflict."