Where's the dividing line between CIO and CSO?


CIOs have plenty of responsibility already. In recent data breaches it’s often been the CIO who has been called to task for allowing systems to be exploited because of a lack of proper security precautions. But is it the CIO’s responsibility to maintain security levels and protect corporate data? Many would say the entire IT infrastructure and its contents are the responsibility of the CIO.

I asked David Baker, chief security officer of Okta, for his take on the dividing line between CIO and CSO responsibility.

“The CIO is responsible for enabling the business through the use of technology — and that includes the enablement of secure practices through which technology is accessed, managed and deployed. This includes, but is not limited to, turning on and off access to applications, provisioning user accounts and managing data infrastructures," Baker says.

“It’s the CSO’s duty to define the security controls to which the CIO adheres in doing all of this. That includes auditing practices, identifying possible vulnerabilities and providing guidance on how to alleviate issues. Whether it’s a traditional company where the CIO implements internal-facing initiatives, or a software company where the CTO or vice president of engineering delivers customer-facing products, the CSO is responsible for auditing and defining security policy across all business functions, as well as proactively identifying security flaws and issues.

“That’s the dividing line. The CIO implements and builds technology while the CSO provides security controls, audit and testing, and secure implementation guidance. This is why many companies have changed the reporting structure, moving the CSO outside of the CIO for independence of interests and accountability.

“Of course, that line is often blurred. This dynamic hinges on the CIO and CSO defining the business needs vs. potential business exposures evident in each deployment – and then collaborating to meet demands from both sides. Depending on the type of company, the initiative and scope, the line will jump around, but it’s undeniably rooted in a shared mindset to implement technology in a secure fashion and find middle ground where both parties feel comfortable.”

Scott Koegler practiced IT as a CIO for 15 years. He also has more than 20 years experience as a technology journalist covering topics ranging from software and services through business strategy. He has written white papers and directed and published video interviews.
