November 15, 2010, 4:53 PM — When CSO teamed up with PricewaterhouseCoopers to conduct its Eighth Annual Global Information Security Survey earlier this year, one question asked was who CISOs are reporting to these days. What the majority of respondents said was somewhat surprising.
Of the 12,847 respondents, only 6.5% described themselves as a chief information officer. Meanwhile, when CISOs were asked who they report to, most said the company CEO or board of directors. Less than a quarter of respondents said they report to the CIO.
A follow-up column questioned whether that's a good thing. The response to that was more jolting than the surprise over reporting structure.
The majority of the feedback mirrored this observation from Robert Alberti, a Minneapolis-based security and IT professional:
"CIOs and CISOs will always have an adversarial relationship, and that's as it should be," he wrote in the comments section of the column. "In my opinion, CISOs should never report to the CIO."
He explained that the CIO's role is operational, that their job is to keep things running. The CISO's role, on the other hand, is to reduce IT risk. If the CISO reports to the CIO, he reasoned, then risk reduction would always take a back seat to operations.
"While it would be better if CIOs had a firmer grasp of security, it would also be good if auto mechanics had a better grasp of economics, but they don't and it's not likely they will soon," he said. "CIOs have a lot to do, that's why the CISO is a separate role. As both professions continue to specialize, the gap between CIO and CISO will not go away."
The real trick is for corporate leadership to balance the messages from both the CISO and the CIO in order to appropriately judge what risks to accept and what risks to remediate when doing business, he concluded.
As part of our ongoing series on "The new CSO-CISO" we asked several security practitioners about this. Not surprisingly, some pushed back on the notion that CIOs and CISOs should exist in separate silos, including Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services. In the four and a half years he has been with the organization, he has had three bosses: the chief financial officer, the CIO and now the chief risk officer. His experience with the CIO was anything but adversarial, and the two accomplished a lot together, he said.