Much of the discourse around enterprise IT security has centered on tools and best practices. But the vital question of who ultimately has ownership of what aspect of security is often left unanswered.
In many enterprises, says one expert, there is confusion and misunderstanding about the “security” responsibilities of two key stakeholders: the CIO and the CSO (Chief Security Officer). Perceptions of and approaches to security often vary significantly between these two executives and their teams, according to Syd Hancock, who coordinates the IS security program at Algonquin College in Ottawa.
According to Hancock, the conflict between the two sides has been growing steadily over time as the two positions have matured. It arose because in the past the CSO had never been comfortable with technical security issues and tended to leave them to the CIO. Now the trend is to ensure the CSO is well trained in technical security issues. CIOs, he said, see security as one of many things they need to take care of, and that makes CSOs a little nervous.
According to Hancock, while both executives want a piece of the security pie, it is the CEO who is the final arbiter. It is the CEO’s responsibility, he said, to set the rules for IT security, such as compliance with legislation, improving client and public confidence, and demonstrating due diligence in managing resources. The CEO should get the CIO and CSO to sit down together and divide up that pie based on those rules. Failure to do so, he said, could have unfortunate consequences.
He suggests the CIO should be responsible for such things as technical security standards and procedures, as well as security software and hardware. CSO responsibilities, he said, should be in the areas of physical and personnel security, information security, security threat assessments and security investigations. Responsibility for grey areas like security policy, security audit and certification of systems can be re-delegated at any time if certain functions are not working for either the CIO or the CSO.