I can always tell how comfortable a person is with the concept of information security when I interview them. Someone who really has a passion for it and knows their stuff will keep me on the phone for hours and take me deep into the weeds of their procedures. Someone who is uncomfortable will simply clam up.
As I did the reporting for the Eighth Annual Global Information Security Survey, which CSO conducts each year along with sister publication CIO and PricewaterhouseCoopers, I noticed a few things. Of the 12,847 respondents, only 6.5 percent described themselves as a chief information officer. Meanwhile, CSOs and CISOs were asked who they report to. Most said the company CEO or board of directors. Less than a quarter of respondents said they report to the CIO.
After more than six years of writing about various security surveys, I've learned you should never take the numbers as Gospel. Survey numbers are ALWAYS open to interpretation. There are a lot of hidden variables that go into a final number. So while those numbers stuck out for me, I didn't make any conclusions.
Instead, it was time to get on the phone with some CSOs and CIOs to see how the numbers reflected their own realities.
The CSOs and CISOs lined up to be interviewed quickly. Ken Pfeil, CSO for a large mutual fund company in the Boston area, was brutally honest with me about the security problems found in business partnerships and cloud computing, for example.
Then I started reaching out to CIOs.
I had a long list of names and contact information given to me by my friends at CIO magazine. I sent out some 30 emails and lost count of the phone calls I made. In the end, I found three CIOs who were willing to talk. One of them, James Pu, does double duty as his organization's security officer.
The rest either didn't respond or sent me back nice, apologetic notes on how they simply weren't able to discuss security issues.
It's no big deal. Being told "no" is one of those things you deal with a lot as a journalist. I also got the sense that some of them would have been happy to talk but were pressured by corporate communications people to beg off.
I mentioned the trouble I was having with CIOs to one of my security associates, who shall remain nameless because his response was: "That's because when it comes to security, a lot of CIOs don't know what they're talking about."
That was a rather harsh assessment, I thought to myself. Then I looked at those numbers again.
Not a lot of CIOs among the survey respondents. Not a lot of CSOs and CISOs reporting to the CIO.
It became harder for me not to draw conclusions.
Could it be that CIOs are not as clued in to the company security needs as I initially believed? Could it be that CIOs and CSOs live parallel existences, not really interacting with each other on a daily basis?
I sure hope not. But the silence of the CIOs I reached out to and those numbers sure do give me pause.
If that disconnect does exist, it's very troubling. Maybe I have an over-simplified way of looking at information security, but I always believed that in the corporate chain of command, a CIO sits somewhere above the security guys and that everything the security guys know, the CIO is supposed to know.
If you agree, I want to hear from you. There's a story to be written about this.
If you DISAGREE, I badly want to hear from you.