Good Reasons to Hand Off Security to the CSO

For 40 years there has been little reason for anything computer related to fall outside IT’s command. But that era is coming to an end. The evolving and increasingly important role of information security requires the background of a geek and the instincts of a cop. Information security crashes together two functions: traditional corporate security and IT. The ex-cops over in corporate security who watch the doors and suspicious behavior are using more and more technology to get their jobs done. And the stakes in an IT security breach have risen so high that IT people who know firewalls but can’t fathom the motives of a disgruntled employee are no longer able to protect their companies from what could be serious financial losses, extended network downtime and badly damaged relationships with customers.

So struggle over who gets information security is growing: IT, the traditional security group or a new function that is distinct from both groups. There is already clear evidence that IT is going to lose the fight-and more important, that it should. In an October 2003 CIO magazine survey, respondents who described themselves as “very confident” in their companies’ security were nearly twice as likely to have information security reporting outside of IT than those who described themselves as “not at all confident” in their security. The reasons for the confidence are clear: Confident companies suffered nearly six times fewer security events, had less downtime and fewer financial losses than the less confident companies. And they allotted more money toward security: The percentage of the IT budget that confident companies spent on security was double that of the not confident group (14 percent versus 7 percent), and they paid more attention to organizational reporting and security policy issues.

There are other reasons to move security. Some argue that keeping responsibility for policing security within IT can pose a potential conflict of interest for the CIO, who may be tempted to give short shrift to security concerns in favor of getting IT projects in on time and under budget. And catching hackers requires the ability to think like a criminal, something IT employees are not trained to do. Then there’s the workload issue: Don’t CIOs have enough on their plates these days without having to deal with the burgeoning and evolving challenge of worrying about all aspects of a company’s security? Having security responsibilities reside in the hands of a CSO or equivalent-and in particular someone who reports outside of IT-could be better for the CIO’s career and the health of the IT group as well as the overall organization. A CSO can focus full-time on security, unlike a CIO who is often pulled in several different directions.

But the issue is still up for debate. Some CIOs are concerned that if security policy is moved out of the IT department, they would lose influence but still be held accountable if something goes wrong. CIOs for small and midsize companies argue that it’s not practical to create a separate role that is responsible for security. And CIOs in industries heavily regulated by the federal government also worry that letting go of security could mean falling out of compliance.

With the debate raging, if you’re not seriously examining where information security falls on your org chart, it’s time to do so. And there is mounting evidence that owing to its growing complexity and importance to besieged organizations, security probably should be separate from IT. The dialogue about the future of IT security is just beginning. Chances are, the discussions should be going on inside your company too. In this story, we’ll outline the main issues to debate.

Cut Security Loose

Security experts say that most IT security threats are from within the company. If that’s the case, then keeping IT security within IT is a simmering conflict of interest. “If you think of information security as a policing function, then having [security staff] report to the CIO has the IT infrastructure policing itself,” says Bill Spernow, a security consultant and former chief information security officer of the Georgia Student Finance Commission. Samantha Thomas, director of the information security office for the California State Teachers’ Retirement System (CalSTRS) puts it more starkly: “If you’re in IT and they’ve given you security, how can you conduct an unbiased investigation of the friend you’ve sat next to for years?” Thomas and her fellow CISOs in all California state departments now report to their department chiefs because of an executive order from then-Gov. Gray Davis in 2002.

Those who advocate moving security out of IT say that new, complicated challenges require someone who can look at the bigger strategic picture of security across the company, advocate for tougher security measures in all functions of the company and report security issues to a higher authority than the CIO.

These are the issues that made William Murphy, CTO of financial data and analytical software provider Capital IQ, ask his company to hire a CSO in 2002. “I had handled security adequately since the company began in 1998, but I wanted security to be more than adequate; I wanted it to eventually become a competitive advantage for us,” says Murphy. The growth of the company (from five people when Murphy started to 900 today) combined with a growing customer base, a much broader product line of security-sensitive products and customers that had increasing security expectations sparked the switch.

But Murphy says he also felt ethically compromised-not to mention overworked-by hanging on to security. He specifically requested that the new CSO report to a managing principal, not him. “I said, ’I don’t think the CSO should report to me because I have competing motivations,’” he recalls. “As a CTO you have these constant internal pressures to get functionality out and keep performance high and all these other typical IT issues. And it’s too easy to push security to the side. I felt like Dr. Jekyll and Mr. Hyde, constantly trying to do in-the-moment risk analysis on things” from the typical performance issues on the one hand and security on the other. “I felt like I needed a church and state separation,” he adds. “Security and IT should be like the Supreme Court and the executive branch. You want them to work together, but you want that independent oversight into what you’re doing so that you don’t make bad decisions. I just don’t believe that putting that much power in one person’s hands is the right thing for shareholders.” Murphy says the new setup is effective.

Siemens, the German manufacturing, IT and services giant, had this epiphany eight years ago, according to Harald Hoefler, CIO of Siemens Canada. Information security has reported to the CFO’s office ever since. “If the CSO reported to the CIO, security would not be strong enough,” says Hoefler. The CSO has two primary roles at Siemens: To secure the systems and to audit them for adequate security. The CSO can do neither well without independence from the CIO, Hoefler argues. “Say I have problems with the network and I haven’t done my work correctly,” he says. “If I have this information security officer in my area, he’d point it out, but I’d try to fix the problem in a way that it doesn’t get [revealed to the other top executives]. What you want is to have all the top executives aware of the problems and working together to fix them.” Hoefler says that kind of disclosure and cooperation can occur only when security reports to an executive with broad managerial responsibilities for the company as a whole, like the CEO, CFO or COO. “The CFO is in a position to influence all the C-level managers and get the budget to do [information security],” adds John Pomeroy, CSO for Siemens Canada. Though different divisions of Siemens handle the specific security role differently, increasingly the divisions are combining information and traditional corporate security under a CSO, like Pomeroy, who reports to the CFO.

Move Accountability

Of course, it’s one thing to transfer responsibility for information security outside IT, but if accountability doesn’t move with it, the CIO will be in big trouble. That’s why some CIOs do not even want to consider letting go of information security. “Even if IT security was moved out of IT, if something happened, I would still be on the hook,” says Tom Smith, former CIO of Waste Management, who retired in March. “I think IT security is part of a CIO’s role and responsibility as opposed to a conflict of interest. I feel personally responsible for internal IT security, whether it be physical security or data security. To delegate that to a third party such as another security group outside of IT, I just think it’s the wrong thing to do.”

But proponents of jettisoning security out of IT disagree. “I hear that concern 100 percent,” says Capital IQ’s Murphy. “But when there is a breach, the CSO and I go to the CEO’s office together. It’s a teamwork issue. It’s not ultimately who’s on the hook for something-it’s a question of having people full-time worried about security versus IT. It’s the future of the company, and as executives you should both be accountable.” Murphy says he’d rather have Capital IQ’s CSO, Ken Pfeil, go with him to see the CEO than go by himself.

When a CIO keeps information security inside IT, even if he creates a CSO-type role, he is much less likely to seek someone from outside the department or the company to cast a fresh eye on the ways the company handles security, says Spernow. The CIO is more likely to give it to a trusted lieutenant who shares the same views on security that he does. “How many bosses are going to be receptive to the information security person saying here’s how you’re screwing up? They can’t. It’s just human nature,” says Spernow. “Typically CSOs are best when they come from the outside because they have to be a change agent, and if you’re bringing the baggage of people you owe favors to, it’s tough.”

Think Like a Criminal

When corporate security began to be a distinct function in most companies during the ’50s and ’60s, companies usually wanted someone experienced at looking for and handling bad guys-former cops, mostly. IT security rarely requires wrestling anyone to the ground, but the mind of a malicious hacker isn’t that much different from that of a more physically oriented bad guy, argue security experts. So why do companies automatically assume that IT people can think like criminals? “Every information security policy I’ve ever seen is a joke because they are written by people who can be trusted,” says Spernow, who has worked in corporate security for Fidelity Investments. “We have these exercises we do with IT people to try to show them that their intuitive response is to trust people. I wouldn’t hire anyone for a security position unless they were really paranoid.”

IT people also don’t have much experience at developing policies and procedures for handling security issues beyond the technical issues, says Anne Rogers, director of information safeguards for Waste Management. According to Rogers, responsibility for security polices and procedures across the company has moved from IT to Waste Management’s corporate security function, while responsibility for selecting technology platforms and implementation remains with IT (a security management structure that former CIO Smith disagrees with). “We’re looking at security policies and procedures above and beyond IT and how those systems affect other areas in the company,” she says. “There are skills and background for doing this that security people have and most IT people don’t.” For his part, Smith says IT retains responsibility for security policies and procedures that affect IT systems. It’s an example of the struggle over security that is beginning to occur in many companies.

Use Independent Audits

Mary Finlay, deputy CIO of Partners HealthCare System, has information security reporting to her. She acknowledges the conflict of interest. For health-care companies like hers, she says, the conflict is swept away by external regulations like the Health Insurance Portability and Accountability Act (HIPAA) and auditing bodies that have strict terms for compliance. “There are three arms to HIPAA, and one of them is all about security,” Finlay says. She says Partners also has internal and external auditing groups and an internal compliance group that monitor information security issues. That’s a lot of checking and balancing. For companies that don’t have that kind of external scrutiny and regulation, a separate information security function may be their only independent voice. “I do agree that you need the checks and balances in place somehow,” says Finlay. “I like that there is this separate part of the organization that is keeping us on our toes.”

Rod Hamilton, CIO of Hygeia, a health-care provider network, says the size of his company and his budget doesn’t warrant having a separate information security function. He was able to bring in a person who spends half his time on security tasks by devoting the rest of the time to database analysis. HIPAA defines the more strategic, high-level thinking about security that this staffer does not have the time for. “HIPAA is a godsend in a way because it gives us a clear definition of what we should be doing and gives us the opportunity to bring someone else in to say whether we are meeting the requirements,” says Hamilton.

But are external regulations or audits really dependable alternatives to an independent, internal CSO? Capital IQ’s Murphy doesn’t think so. “Sarbanes-Oxley isn’t going to help you make a decision when a powerful executive comes to you and says we can get important new functionality that a client is demanding up and running tomorrow if you install this untested software patch right now,” he says. Capital IQ’s Pfeil agrees. “By using regulations or auditors, all you’re doing is shifting accountability,” he adds. “But it will come back full circle no matter what you do. The ones who have to implement the day-to-day security operations are still going to be on the hook. If you centralize the responsibilities for security and make one person responsible, then you’ve got one neck to choke.”

Make a Strong Security Policy

If it’s not possible to move information security out of IT, then an ironclad security policy should ensure that even if the person in charge of security is IT-based, he at least has the ability to report to someone senior to the CIO, say security advocates. “If nothing else, the CSO must have real access to the other C-level people,” says George Campbell, a security consultant and former CSO at Fidelity Investments. “As long as the CEO and board back a strong policy around corporate protection, that’s an internal legal system that the CSO can use to manage the function.”

But Campbell and others stress that unless the policy is clear and detailed-for example, all breaches must be reported immediately to the COO and immediately recorded in a report-it won’t be much of a tool. “Unless it’s grounded in a strong policy infrastructure that gives good guidance to employees and functions in the organization on the how-tos of corporate protection, it won’t happen because people won’t know what to do,” says Campbell. CIOs should try to get advice from companies that are bound by law to secure and protect, like health-care and financial services companies. “You can’t find a financial services company that isn’t concerned about how it protects customer information or continuity, and that is founded on a good policy,” he says.

And the conflict of interest that lies at the heart of the CSO-to-CIO reporting relationship can erode the best policy, says Siemens’ Pomeroy. “It has to be like an independent internal auditor function within IT if it’s going to work,” he says. “An organization can think it has a good information security review process, but because the CIO has the final say, you’re going to have problems potentially.”

Security Is Converging

There is a small though growing trend of IT security moving under the corporate security umbrella so that security decisions all come out of one place. But experts we spoke to said there is no formula for making the decision. It depends on factors like culture, governance structure, size (and size of customer base), sensitivity of corporate data and demands of customers. Companies that are feeling increasing pressure in any of these areas should at least consider whether information security and corporate security should be consolidated into a single group.

The strongest argument for keeping information security within IT is purely pragmatic. Much of information security has to do with hard-core IT issues, and non-IT people don’t understand how complex it can be. People from a pure security background can become so fixated on security that they ignore the need to make systems flexible and usable, says Finlay. “There are times when I’ve seen security people advocating something that makes the system so hard to use that people wouldn’t use it. The job of CIO is to find the right balance.” To which CalSTRS’s Thomas responds, “That’s why it’s important for us to have a close working relationship with IT and work together as a team.”

But regardless of where the CSO reports, he cannot be a shrinking violet. CSOs need an independent voice and the ability to promote the position and the need for security inside the company (see “Who Is the CSO?” this page). “If CSOs can clearly communicate their role and the role of security in the organization, it doesn’t matter where they report to,” says J. R. Biggs, managing director at Network Security Consulting and a former CSO for a financial services company. “You have to be able to communicate and justify your role and responsibilities and make sure everyone understands that security is the responsibility of everyone in the organization.”

That sure sounds like independence to us.