Like anything, time and circumstance have changed those scenarios. Now CIOs are found alongside the CEO or COO providing valuable input into business operations. Once accustomed to running what was seen as a non-negotiable cost center for the company, CIOs are being asked to show the value IT brings to the business and, in some cases, demonstrate payback. They are turning to methods that demonstrate IT value, such as balanced scorecards.
The same holds true for the CSO. The CSO and other security positions gained wider recognition beyond physical security duties when the world became connected through corporate networks and then the internet. In the wake of the first denial-of-service attacks and later the white collar crimes that have led to the multiple regulations guiding businesses today, the CSO role has added many responsibilities that directly affect business operations.
With IT being a true business enabler, and in some cases the heart of the business, companies can't afford a security breach. It's a given – with or without regulations – that security must be built in at every level of IT to ensure business success. This need forever connects the security professional and the IT professional.
With such a tight relation between IT and security, it may seem natural for security professionals to report to the CIO. However, in many organizational structures, that is not the case. A recent global survey commissioned by CA showed that an average of 75 percent of businesses in Europe and Asia Pacific have security departments reporting to the CFO or CEO, while 47 percent of security organizations in North, Central and South America report at that level.
Regardless of the reporting structure, CIO and CSO duties are intrinsically linked. Both are charged with ensuring business success, so they have a common goal. This requires collaboration, or at minimum a detente, between two factions that often have different agendas and different ideas of how to succeed – the CIO wants to innovate and take risks, while the CSO seeks the best way to manage and reduce risk.
Dave Hansen is senior vice president and general manager of CA's Security Management business. As CA's former CIO, he understands the dependencies the CSO and CIO have on each other as they execute their duties for the success of the business. Dave will discuss more on this topic on Thursday, April 10 at 2:35 p.m. during his RSA Conference keynote entitled: “Strategic Security: The Evolving Role of the Security Professional.” He also will be available for questions following his keynote in the Crypto Commons area.