WASHINGTON, D.C. -- Chief security officers suffer from something of an identity crisis in the enterprise. Primarily, they're entrusted with establishing and enforcing the policies that secure a company's most valuable assets. Yet they're often looking up longingly at the top tier of the corporate ladder from several rungs below, thinking all the while that they belong up there, too.
Most CSOs report to the chief information officer but, ideally, they should be sitting shoulder-to-shoulder with the CIO, in order to avoid the political games that could delay or derail critical security projects, some CSOs said Monday at the Gartner IT Security Summit.
"It's not prevalent at all that CSOs or CISOs [chief information security officers] are peers to the CIO. And companies should be driving in that direction," said Carl Cammarata, CISO for the Auto Club Group, in Dearborn, Mich. "In too many situations, critical security issues get buried. Also, risk is not often conveyed to senior management."
Cammarata said that this type of corporate organization often leads to security by obscurity. He said that putting the CSO on the same level as the CIO should be a requirement.
"Security is a business enabler and a risk management tool," Cammarata said. "If it's implemented properly, it is not an obstacle. If the CSO is given access to executives, he will be better aligned with business strategy. By reporting to the CIO, a CSO doesn't have free access to management, and it becomes a political issue."
Roberta Witty, a research director with Gartner Inc., agreed with Cammarata and said that, ideally, the CSO, CIO and CEO should be peers and report to the board. Witty does concede that this is the exception, rather than the rule in today's enterprise.
"Often, there are IT and information security steering committees, a mix of business and technology groups that support information security requirements," Witty said. "Security reports to the IT organization headed by the CIO. If they are further down, like in the data center operations group, they will be too buried and miss big issues. The role of the CISO is to align security with a business strategy."
Arguably, CSOs are not popular figures in the enterprise. Their policies are often met with resistance and their job is thankless. Also, they have only 4% to 5% of the IT budget to play with, Witty said. These realities contribute to the way CSOs design their enterprise security programs.
CSOs, for example, must decide whether to centralize security. Witty said that this decision depends on the enterprise culture and whether most policies are centralized. If different business units have different security needs, security may be decentralized, she said.
"CSOs have to have an ear in the business units to understand what is needed and not force a security solution, for example, if one is not needed," Witty said.
She added that security functions like virus and firewall management, identity and access management, and security software management are often centralized functions. Policy development and compliance are also centralized.
CSOs also have to decide whether to integrate physical and IT security under the same umbrella and whether to correlate security and business continuity plans.
"Things are changing," Witty said. "Information security is not a technology conversation and, frankly, it should never have been. Enterprises have to raise security to a business conversation."
Witty also identified some of the prevalent issues driving enterprise security. Regulation like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Basel Accord, along with standards like ISO 17799, have to be foremost on a CSO's agenda when he is formulating a security plan.
All the while, it would help if the CSO and the CIO were considered peers.
"It ultimately has to be a peer role to get rid of potential conflicts of interest over deployment and oversight," said Kevin Youngblood, security manager for Toledo, Ohio-based HCR Manor Care, an assisted-living center and nursing home chain. "Government regulations like Sarbanes-Oxley and HIPAA are helping those of us down the corporate ladder get the attention of senior management."
FOR MORE INFORMATION: