The latest flaw in OpenSSL concerning the Diffie-Hellman protocol once again highlights the importance of the separation of powers between CIO and CSO. In a lot of companies, a CSO may be an afterthought, or he is a deputy to the CIO (let’s face it, CSO sounds a lot cooler than Deputy CIO, both on the resume and the business card). This attitude could compromise the security of an organization, because the CIO is today expected to be in tune with the business, while the CSO may need to be slightly out of sync with business realities to enforce security. The CIO is the engine, but the CSO represents the brakes, and no engine can function without brakes.

Now, let’s take a large company called Acme Inc. The Board, of which the CIO is a part, believes in security and open standards. They therefore decide to use OpenSSL. Now, if the CSO is in effect the Deputy CIO, he will get a call from his boss, the CIO, who will tell him, “Implement OpenSSL.” And he will have to do it. That’s that.

Unfortunately, a recent report says that OpenSSL reuses prime numbers when using the Diffie-Hellman protocol. According to Wikipedia, Diffie–Hellman was first published by Whitfield Diffie and Martin Hellman in 1976. Research published in October 2015 suggests that the parameters in use for many D-H Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of large governments.

What is the CSO to do? Given the fact that today’s CIO is more involved with the business than with technology, he may not get a patient hearing; and in any case, if he is reporting to the CIO, ego problems may crop up and he may be forced to implement a flawed protocol and then face flak later if there’s a breach (the classic case of being responsible but not being in charge). However, if the CSO reports to the Board, he can tell them about the problem, and they may listen. Even if they don’t, a breach becomes the collective responsibility of the Board.

Additionally, in this era of corporate espionage, it helps the Board to have a CSO who reports directly to it rather than to the CIO; this way, they have a second person whom they can trust. The CSO can then even keep tabs on the CIO if need be, or act as an interim CIO if the CIO quits.

Also, in terms of reputation, if the CIO has implemented an IT system poorly, it may only hurt the brand image to an extent. But a security breach can ruin the reputation of a company completely, so it is very important that the CSO, along with the CIO, is given his due.

Of course, in today’s era of outsourcing and cloud computing, the CIO’s wings are severely trimmed, and some may resist the move to have a CSO who doesn’t report to them. But most astute CIOs will see the wisdom in having a completely independent CSO.