CIOs and CSOs have a costly disconnect

When it comes to securing business-technology systems, CIOs face a challenge that won't go away.

The problem isn't necessarily new attack techniques, insecure software or even the latest government regulations. Rather, it's the challenge of seeing eye-to-eye with the CSO about how much security is enough.

The tenth annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CIO's sister publication, CSO magazine, found that many of the 12,052 business and technology execs surveyed think that an overall lack of security leadership remains a serious obstacle to getting CIOs and CSOs on the same page, and others feel they lack an effective information security strategy.

Consider this: Only a third of respondents said security policies were tightly aligned with business goals, and 46 percent said they were only somewhat aligned.

With CIOs, business executives and IT security teams misaligned, it's next to impossible to build a consistent, sustainable security and risk management program that is capable of stopping the highly intelligent, motivated adversaries organizations face today.

This lack of cohesiveness between executive and security teams is also a large part of why so many believe that IT security gets insufficient capital and operating budget, says Jayson Street, CIO at Stratagem 1 Solutions, a security services provider.

"Much of this disconnect falls at the feet of the IT security profession," Street says. "It is IT security that, too often, is failing the business. We don't communicate risk well enough, and why the risk is worth mitigating."

Frank Cervone, vice chancellor for information services and CIO at Purdue University Calumet, says many security professionals focus more on specific risks and not on how those risks stack up against other pressing issues. "There is a difference in scope as to what the CIO has to look at as opposed to the CSO. The CSO doesn't always see the larger issues and needs to do a better job relating IT risks to overall business risk," says Cervone.

Mark Lobel, a principal in the advisory services division of PwC, agrees. "The business leaders have to manage what is burning, and rarely does security rise to be a pressing issue, unless a breach or something bad has just occurred," says Lobel. "It's hard to explain and quantify such an abstract risk to the business."

Lobel advises CIOs to work more closely with their security teams, and says that CSOs should link security needs to the overall direction and strategy of the business. For instance, if an important part of the business is Web applications, being able to keep those applications secure is key to the business's success.

Everyone interviewed encourages CIOs to focus on building out security programs based on measurable risks and outcomes. Too many organizations today are operating on gut instinct, our survey revealed.

The largest percentage of respondents (35 percent) measure the effectiveness of security spending by professional judgment, followed by reduced security incidents and breaches (29 percent), and total cost of ownership (24 percent). Less than a quarter of firms (24 percent) measure improvement against security metrics. One in five respondents do not know how the effectiveness of their IT security program is measured.

Those results are surprising, considering the substantial costs of security events when they do happen. Financial losses, according to our survey, average more than $1.6 million per incident.
