
Gartner: Where does a CSO fit in the enterprise chain?

Chief security officers at the Gartner IT Security Summit weren't jockeying for power, but they were making a case for being at a level equal to that of the CIO.

WASHINGTON, D.C. -- Chief security officers suffer from something of an identity crisis in the enterprise. Primarily, they're entrusted with establishing and enforcing the policies that secure a company's most valuable assets. Yet they're often looking up longingly at the top tier of the corporate ladder from several rungs below, thinking all the while that they belong up there, too.

Survey Results

Gartner released the results of several research projects Monday during its IT Security Summit. Notably, Gartner predicted that, by 2005, 60% of enterprises will outsource the monitoring of at least one security technology. Also, Gartner said, 60% of security-breach costs incurred by businesses will result from incidents that are financially or politically motivated.

Gartner said that enterprises will look toward managed security services providers, especially if they lack in-house expertise or the resources to hire competent security professionals.

"The target customers include those enterprises without core competencies in information security," said Richard Hunter, a Gartner vice president. "Such enterprises have addressed perimeter security and gained experience in putting their security architectures in place, and they are looking for efficient operations, but not at the expense of their security postures."

As for financial losses, Gartner blames insiders working alone or with someone on the outside for the majority of problems. Gartner also pointed out that collaboration and knowledge management require information sharing between businesses, which exposes data and assets.

"Most businesses don't have procedures for establishing and enforcing agreements on shared use of intellectual property," said managing vice president Victor Wheatman. "Without such legal agreements, misuse is more likely and less subject to recovery."

Most CSOs report to the chief information officer but, ideally, they should be sitting shoulder-to-shoulder with the CIO, in order to avoid the political games that could delay or derail critical security projects, some CSOs said Monday at the Gartner IT Security Summit.

"It's not prevalent at all that CSOs or CISOs [chief information security officers] are peers to the CIO. And companies should be driving in that direction," said Carl Cammarata, CISO for the Auto Club Group, in Dearborn, Mich. "In too many situations, critical security issues get buried. Also, risk is not often conveyed to senior management."

Cammarata said that this type of corporate organization often leads to security by obscurity. He said that putting the CSO on the same level as the CIO should be a requirement.

"Security is a business enabler and a risk management tool," Cammarata said. "If it's implemented properly, it is not an obstacle. If the CSO is given access to executives, he will be better aligned with business strategy. By reporting to the CIO, a CSO doesn't have free access to management, and it becomes a political issue."

Roberta Witty, a research director with Gartner Inc., agreed with Cammarata and said that, ideally, the CSO, CIO and CEO should be peers and report to the board. Witty does concede that this is the exception rather than the rule in today's enterprise.

"Often, there are IT and information security steering committees, a mix of business and technology groups that support information security requirements," Witty said. "Security reports to the IT organization headed by the CIO. If they are further down, like in the data center operations group, they will be too buried and miss big issues. The role of the CISO is to align security with a business strategy."

Arguably, CSOs are not popular figures in the enterprise. Their policies are often met with resistance and their job is thankless. Also, they have only 4% to 5% of the IT budget to play with, Witty said. These realities contribute to the way CSOs design their enterprise security programs.

CSOs, for example, must decide whether to centralize security. Witty said that this decision depends on the enterprise culture and whether most policies are centralized. If different business units have different security needs, security may be decentralized, she said.

"CSOs have to have an ear in the business units to understand what is needed and not force a security solution, for example, if one is not needed," Witty said.

She added that security functions like virus and firewall management, identity and access management, and security software management are often centralized functions. Policy development and compliance are also centralized.

CSOs also have to decide whether to integrate physical and IT security under the same umbrella and whether to correlate security and business continuity plans.

"Things are changing," Witty said. "Information security is not a technology conversation and, frankly, it should never have been. Enterprises have to raise security to a business conversation."

Witty also identified some of the prevalent issues driving enterprise security. Regulation like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Basel Accord, along with standards like ISO 17799, have to be foremost on a CSO's agenda when he is formulating a security plan.

All the while, it would help if the CSO and the CIO were considered peers.

"It ultimately has to be a peer role to get rid of potential conflicts of interest over deployment and oversight," said Kevin Youngblood, security manager for Toledo, Ohio-based HCR Manor Care, an assisted-living center and nursing home chain. "Government regulations like Sarbanes-Oxley and HIPAA are helping those of us down the corporate ladder get the attention of senior management."

FOR MORE INFORMATION:

news exclusive: "Does your CSO need to be a techie?"

news exclusive: "CSOs bring security to their market"

news exclusive: "Security must become central in an enterprise culture"
