Any chief security officer can tell you there's a fine line between managing risk and fostering innovation. And the CSO's relationship with the company's CIO largely determines where that line is drawn.
"The chief security officer, by definition of their job, would like things to be more stringent than a CIO would practically allow," says Marc Hoit, interim CIO and professor of civil and coastal engineering at the University of Florida.
Some argue a CSO should not report directly to a CIO, as happens at the University of Florida and many other organizations. Just as you wouldn't want a financial controller reporting to an auditor, a company's chain of command should give the CSO somewhere to turn when the CIO takes on too much risk, argues Andreas M. Antonopoulos, senior vice president and founding partner of Nemertes Research.
"The job of the CIO is to maximize return on investment, which by definition requires taking risk," Antonopoulos says. "The job of the CSO is to maximize the amount of risk a company can take safely without going over the company's [preferred level of] risk tolerance."
When CSOs see too much risk being taken, "they can't report to the person who's creating risk," he says. "The thing is, it's the job of the CIO to create risk. That's what innovation is."
Even CIOs and CSOs who report having amicable relationships with their security or technology counterpart acknowledge there is a fundamental conflict between the roles.
"The goal of the CIO is to get the application deployed today," says Joseph Granneman, chief technology and security officer for the Rockford Memorial Hospital in Illinois. "When you add security analysis to the front end of a project, sometimes it can delay it. Or if you do find security risks, that's not good news for the CIO."
Granneman, who reports to his CIO, says they have developed a strong working relationship over the past decade. CSOs must accept that businesses are in the business of accepting risk, Granneman says. Compromise is essential: "There's always a way to get them what they need to make the business run," he says. "That's what you're really there for. You're not there to say 'no.' You're there to say 'no, but'."
At the Caregroup Healthcare System in Boston, CIO John Halamka says the CSO -- who reports to him -- would prefer to have very few Web sites available on the public Internet. Before making data available on the Web, Halamka says he and the CSO evaluate the potential risk and classify into one of four categories, which range from no risk at all to a risk that could compromise many patient records.
"We do a risk assessment of each Web site . . . and then engineer a security solution that is appropriate for the level of protection needed. The balance between ease of use and the need for security is ensured using this objective approach," Halamka writes in an e-mail.
The University of Florida's Hoit acknowledges that having the security officer report to the CIO makes life simpler -- for the CIO. "It makes it a little easier," he says.
Ruling with an iron fist, however, isn't the right approach, Hoit says, and it wouldn't work at the university. Big decisions involve a governance committee consisting of IT staff from each school -- and then they must be considered by a faculty committee, deans, administrators and a faculty senate.
The university is trying to find a proper way to ensure the security of student data, as federal law requires, while giving professors easy access to files they need for grading. "Open, transparent conversation" involving input from multiple parties is the key to finding a good compromise, Hoit says.
Beyond securing applications and the personal information of customers and employees, businesses must comply with regulatory standards, such as Sarbanes-Oxley, the Payment Card Industry data security standard and the [U.S.] Health Insurance Portability and Accountability Act.