Where The Chief Security Officer Belongs

Chief security officers usually report to top IT executives, even if their jobs include information and physical security. But should companies consider pulling the CSO out of IT altogether?

Meta Group analyst Christian Byrnes thinks so. Among the several hundred of the consulting firm's clients that have CSOs, only 3% have them report to executives outside of IT, such as the chief corporate counsel, chief auditor, or chief operating officer. But that 3% are ahead of the pack in recognizing a potential conflict of interest. "It's a basic audit principle that the people who do and the people who watch shouldn't report to a common manager," Byrnes says. If IT staffers unwittingly cause a security leak by reconfiguring the network so they can make system changes from their desktops at home, for instance, will that get reported as high in the organization as it should? "Typically, those breaches don't get reported as security incidents and are kept within IT," Byrnes says.

Marc Lewis, who heads the IT practice at Cleveland executive-recruitment firm Christian & Timbers, says a company should have its CSO report to the CEO or chief operating officer if the job includes information and physical security. Because security has grown into an organizationwide concern, encompassing everything from the safety of workers to the threat of cyberterrorism, it may not make sense to keep it within IT, Lewis says.

Yet some CSOs say security management should stay put. "You want your information security department to be the solution provider and facilitator of risk management for IT," says David Bauer, chief information security and privacy officer at Merrill Lynch & Co. in New York. "Otherwise, security will be just another audit department, and the IT guys will buy whatever security solutions they want." Bauer meets with the executive IT team on a regular basis to present his plans, which are directly communicated to the top executive management team; he reports to the head of global technology services.

Some observers point out that a chief IT executive plays an important role in championing information security initiatives and translating them into business terms for the executive team; taking the CSO out from under the top tech person's wing could undermine security strategy.

At the Port Authority of New York and New Jersey, the director of information security works on strategy with the chief technology officer, who communicates those plans to the executive team. Greg Burnham, CTO at the transportation organization, says that reporting structure makes the most sense. "General management struggles with understanding the role of the IT infrastructure in the first place," Burnham says. "And in most cases, that's where the security problems are."

Illustration by Gary Taxili

Close this window