The board of executives decides to create a new position of chief security officer (CSO). However, they are not sure whether the new position should be part of the IT department and report to the chief IT officer, or whether the new CSO should be at the same level as the CIO and report directly to the board. What would be your recommendation as a security consultant, and why?
I prefer that the CSO should report directly to the board or the CEO instead of being placed under the CIO. If we talk about the real world, then in almost 2/3 of companies the CSO reports directly to the CEO or to the board.
Putting the CSO under the CIO helps ensure strong alignment with the technical delivery model. But there can be a segmentation of duties issue. To illustrate the problem, consider a case where an application is about to be rolled out but has a known security vulnerability. "The CIO’s bonus may be tied to on-time delivery of applications, while the CSO’s is tied to limited security vulnerabilities and no security breaches. In this scenario, it is questionable what decision would be made: to delay the application release date and patch, or accept the risk."
If the CSO reports directly to the board, Browne says, "the primary benefit is that the CSO has a higher degree of influence to drive change. On the flip side, the CSO may also have very limited time with the board, due to the Board’s wide range of responsibilities."