One of the great debates in recent months has been whether the chief security officer should report to the company's CIO or CEO. The fact that information security is first and foremost a technology issue fuels the argument for the CIO reporting line. The reasoning is that the CSO, as the person who safeguards the organization's information assets, should report to the CIO.
But the other side argues that security is more than a technology concern. Information security is a business issue that also includes physical security at the corporate level. Securing information is key to the organization's long-term growth and survival. This puts the responsibility for setting security policy squarely on the CEO and suggests that the CSO should report directly to him.
Lost in this debate is the real issue. Organizational structure is secondary to how security -- IT and otherwise -- is defined and implemented to support or enable corporate objectives. Who has the skills and knowledge to design a proper security methodology and to implement appropriate policies across the corporation? Who is responsible for defining, implementing and managing the enterprise architecture?
It's not the traditional security chief. The skills and expertise required of a CSO are quite different from those needed to worry about access doors and security-guard rounds.
A CSO needs a strong technology background coupled with the political and interpersonal skills to implement policies across the organization. A CSO must also stay current with laws and regulations that affect information security deployment and keep the CEO, CFO and board of directors apprised of security matters.
All C-level executives are liable for any loss of information, even if it's stolen the old-fashioned way -- taken from the mailroom, for example. Criminal and civil penalties are the norm if a company is found negligent in protecting information, and ignorance of the law is no defense.
So yes, the CSO should report to the CEO. But ideally, the CIO and the CSO should be one and the same person.
I have held the title of CIO/CSO three times in my career while reporting to a CEO or COO. The dual job expands the CIO role to address corporatewide risk issues with a broad range of technical and nontechnical security processes and initiatives.
And the number of risks is increasing. According to FBI statistics, a company has a 90% chance of experiencing a computer or network security breach within the next year, an 80% chance of suffering a financial loss due to a security breach and a 44% chance that the loss will exceed US$4 million.
New laws and regulations regarding information security are the result of dramatic increases in the loss of personal and financial information through cybercrimes and fraud.
Given the threat, the CIO/CSO needs to address three top-level network security challenges. The first is to prevent infestation of the network by viruses, worms, Trojan horses and so on, as well as to isolate and remove any infestation without affecting the operational ability of the corporation. Network infestation alone will cause more than US$100 billion in financial losses globally in 2004. The second challenge is to protect private information from intruders who pose as legitimate users after gaining unauthorized network access. The final task is to defend against denial-of-service attacks in which legitimate business resources or customer access are diminished or denied.
I know from experience that no one can do this job alone. As custodian of the corporate information assets, the CIO/CSO must make information owners in the business units aware of their responsibility for information security. He can do this by involving them in business impact analysis, risk assessment, business continuity planning and security policy development.
He must also work closely with the CFO, the human resources executive and the board audit committee. Together, they must ensure consistency of security policies and procedures and open administration of the security program, including clearly defined audit trails. This collaboration, with the CSO/CIO in the lead, is the best way to effectively protect the information and physical assets of the firm.
Norbert J. Kubilus is a CIO partner at Tatum Partners in San Diego. He can be contacted at Norbert.Kubilus@tatumpartners.com.