Achieving a Balance Between CIO, CISOSegregating CIO, CISO Duties to Avoid Conflicts of Interest
In many organizations, especially in government, the chief information security officer reports to the chief information officer.
But South Carolina Inspector General Patrick Maley, in proposing that the state create its first CISO post following a massive breach of its tax system that exposed the Social Security numbers of nearly 4 million taxpayers, says the CISO should be independent of the CIO. From his report on the incident [see South Carolina Inspector General: Centralize Security ], Maley writes:
If risk-based and cost-effective security is to be achieved ... would it not make better sense to empower and resource the CISO separate from the confines of the CIO's competing priorities?
"The rationale behind placing the CISO outside of the CIO office is a basic organizational segregation of duties practice; the individual implementing security (CIO) can't be the same as the person responsible for testing security, conducting audit and reporting on security weaknesses."
Maley's recommendation is made, in part, because of circumstances that are unique to South Carolina (though they could exist elsewhere). The state CIO heads the Division of State Information Technology and, Maley says agencies' CIOs have a long history of friction and trust issues with DSIT.
High Level of Objectivity, Independence
The IG says making the CISO independent of the CIO provides a higher level of objectivity and independence that should prove beneficial. "Regardless of the CISO's location in the organizational chart, the CISO will need relationships with statewide governance executives to fully incorporate infosec governance into the fabric of statewide governance," Maley says.
In some sectors outside of government, the CISO does not report to the CIO. And, some IT security and information risk experts think that isn't be a bad idea.
Carnegie Mellon CyLab, in defining an enterprise security program, defines the roles of the CISO - or chief security officer, as the post is referred to in its report - as complementary to those of the CIO. In fact, the team - which also includes chief privacy officer, chief financial officer, general counsel, business line executives and vice presidents of human resources and public relations - its guidance recommends is chaired by the CISO.
"Careful consideration must be given to the segregation of duties for the purpose of preserving independence, providing checkpoints, implementing safeguards against abuse, and enabling trusted change management," CyLab Distinguished Fellow Jody Westby writes in an article posted on the CyLab website.
Creating Healthy Tension between IT and Infosec
Many states pattern their approach to IT security after the federal government, in which the Federal Information Security Act of 2002 gives the CIO responsibility for agencies' cybersecurity. Most agencies in the federal government have the CISO reporting to the CIO. But Bruce Brody, a former CISO at the departments of Energy and Veterans Affairs, thinks that's not a great idea, as he wrote in a blog we posted as Congress began drafting legislation to update FISMA [see Unshackling the CISO from the CIO]:
"By subordinating the CISO to the CIO, Congress may have missed the opportunity to create a healthy tension between information technology and information security. If risk-based and cost-effective security is to be achieved across the federal enterprise, would it not make better sense to empower and resource the CISO separate from the confines of the CIO's competing priorities?"
As organizations in and out of government realize that securing their information systems is critical to their ability to function, the role of the CISO is more crucial than ever. Whether South Carolina, in establishing a CISO post, has that executive report to the CIO, that Inspector General Maley is giving deep thought about how that job should be positioned is very encouraging for the future security of the state's IT networks, systems and data.