A CSO reporting to a CIO implies an organization where the IRM focus is primarily on IT security. This approach might make sense for organizations working on mission-critical initiatives with a heavy IT component. In most cases, however, the CSO reporting into the IT organization can be traced to cultural and political factors. We expect this reporting relationship to change, with more CSOs reporting outside the IT organization.
Both the CSO and the CIO roles are heavily dependent on each other. However, the CSO should regard the CIO as first amongst equals, a role to lean on for advice and fortitude. Regardless of the reporting relationships, both the CSO and CIO roles must collaborate to manage information and associated risks.
CSOs realize that perfect security is unachievable and therefore need to drive the decisions about identifying risks, their treatment, and the residual risk that remains. To make such decisions, the CSO operates in conjunction with a cross-functional team consisting of the CIO, other C-level leadership, various business unit heads, and the general counsel.
Key responsibilities of a CSO include asset management, security assessments, development of a security strategy and risk management plan, certification, and audit. In a nutshell, the CSO manages risks for the organization, advises senior management about risks to the business, and recommends how each risk should be treated.
Businesses inherently take risks. Activities such as mergers, acquisitions, and business outsourcing all provide opportunities for growth and cost savings while introducing new risks. As a result, board members and CEOs are now more aware than ever before of the need for IRM.
Combined with the inexact nature of risk management, this awareness has elevated the role of the CSO. The CSO is needed to marshal strong involvement from a cross-functional team that brings together its members' best collective experience to manage the business risks. We expect this trend to continue, resulting in the hiring of more CSOs and their placement outside the IT organization.
Nalneesh Gaur is a principal with Diamond Management and Technology Consultants.