Where's the dividing line between CIO and CSO?


CIOs have plenty of responsibility already. In recent data breaches it’s often been the CIO who has been taken to task for allowing systems to be exploited because of a lack of proper security precautions. But is it the CIO’s responsibility to maintain security levels and protect corporate data? Many would say the entire IT infrastructure and its contents are the responsibility of the CIO.

I asked David Baker, chief security officer of Okta, for his take on the dividing line between CIO and CSO responsibility.

“The CIO is responsible for enabling the business through the use of technology — and that includes the enablement of secure practices through which technology is accessed, managed and deployed. This includes, but is not limited to, turning on and off access to applications, provisioning user accounts and managing data infrastructures,” Baker says.

“It’s the CSO’s duty to define the security controls to which the CIO adheres in doing all of this. That includes auditing practices, identifying possible vulnerabilities and providing guidance on how to alleviate issues. Whether it’s a traditional company where the CIO implements internal-facing initiatives, or a software company where the CTO or vice president of engineering delivers customer-facing products, the CSO is responsible for auditing and defining security policy across all business functions, as well as proactively identifying security flaws and issues.

“That’s the dividing line. The CIO implements and builds technology while the CSO provides security controls, audit and testing, and secure implementation guidance. This is why many companies have changed the reporting structure, moving the CSO outside of the CIO for independence of interests and accountability.

“Of course, that line is often blurred. This dynamic hinges on the CIO and CSO defining the business needs vs. potential business exposures evident in each deployment – and then collaborating to meet demands from both sides. Depending on the type of company, the initiative and scope, the line will jump around, but it’s undeniably rooted in a shared mindset to implement technology in a secure fashion and find middle ground where both parties feel comfortable.”

Scott Koegler practiced IT as a CIO for 15 years. He also has more than 20 years’ experience as a technology journalist covering topics ranging from software and services to business strategy.