"In the beginning, when I reported to the CFO, the top brass wanted me close by because they were dealing with a crisis situation," he said, referring to the uncomfortable distinction Providence Health & Services had in being the first organization penalized for violating the privacy section of the federal Health Insurance Portability and Accountability Act (HIPAA). The organization, which operates a health plan and several hospitals, agreed in 2008 to fork over $100,000 and make good on a systems improvement plan as part of a deal with the U.S. Department of Health & Human Services (HHS) to settle allegations it lost laptops and electronic backup programs with individually identifiable health information in 2005 and 2006. Cowperthwaite was hired to help the organization turn its security program around.
But, he said, there's a downside to reporting to people that high up the chain of command: Their time for you is more limited.
"A CFO or CEO is going to have about 15 minutes a month for you, and you need more time than that," he said. "You need a mid-level person like a CIO in your court to champion your cause to upper management."
With that in mind, he said reporting to the CIO was a positive, productive arrangement.
Josh Corman, a senior security analyst with the Boston-based 451 Group, has a more middle-of-the-road position on how the relationship should work.
"You need checks and balances, but you can't really compare and contrast the role of a CSO and CISO without mentioning where the CIO fits in," he said.
Regardless of the reporting structure, others -- even those who see the logic in an adversarial relationship between CSOs and CIOs -- said there is simply no excuse for a CIO to be completely divorced from security. Eric Baer, CISO for a government organization based in the Midwest, wrote this in the comments section of that earlier column:
"While I agree with the idea of not having the CISO report to the CIO, that still doesn't excuse the CIO from 'doing security.' Simply keeping things running for the sake of keeping things running is a 1990s paradigm that needs to go away. In reality, secure operations (especially in heavily regulated industries) should be baked in."
He continued, "Why shouldn't the CIO have a security group? The CSO-CISO could be a compliance shop. Better yet, have IT governance report to the risk officer, COO, CFO, whomever, and then security operations can be part of the technology group."
He concluded: "We can gnash teeth and stomp feet all we want to about security being ignored or discounted, but if it isn't included at the operational level then where should it be?"