A CSO is a departmental leader responsible for information security, corporate security or both. That's the simplest answer to the question "What is a CSO?", and one that our founding editor Derek Slater offered up to readers way back in 2005 — heck, if there's one website you ought to be able to trust to tell you what a CSO is, it's CSOonline. But of course, no one-sentence answer can encapsulate the complexity of a job like this, and not everyone with the CSO title has the same set of responsibilities.
The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. Chief Information Security Officer (CISO) is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive information security focus.
The CSO title is also used at some companies to describe the leader of the "corporate security" function, which includes the physical security and safety of employees, facilities and assets. More commonly, this person holds a title such as Vice President or Director of Corporate Security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.
Increasingly, CSO means what it sounds like: The CSO is the executive responsible for the organization's entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy. Of course, there are many smart folks in the real world with the official CSO title who don't shoulder the burden for both areas. However, if the CEO has a question about finance—any question—then he expects the "Chief Financial Officer" to be able to answer, or find the answer quickly. When the "Chief Security Officer" answers security questions with "Oh, that's not my problem; that's those other guys over there," the message to the CEO is that there's really no "chief" who has the big picture view of the company's operational risk.
Let's take a dive into just what goes into this position, talking along the way to some people who've actually worked in that job, and someone who's helped hire them. (But, apologies in advance: we're not going to explain what a Chief Strategy Officer is, despite the fact that it shares the CSO initials; check out the Harvard Business Review for the details on that role.)
Relativity CSO Amanda Fennell gives a high-level view of what being a CSO entails. "The modern CSO is a pathfinder and problem-solver for the organization," she says, "working closely with a diverse set of IT and engineering teams to envision, strategize, and execute on a multi-faceted program within a rapidly changing scope of compliance and governance."
That's interesting, but maybe a little abstract. What, in practice, are a chief security officer’s job responsibilities? Or, to put it more succinctly: what does the CSO do? "I’m primarily accountable for establishing the enterprise vision, strategy, and programs to protect people, information assets, and technologies," says Shawn Burke, CSO at Sungard AS. "Ultimately, I’m responsible for ensuring the security function provides organizational value."
What they're both getting at is that a CSO, above all, needs to create a way for the company to think about security as a strategic asset and part of its mission, not just as an afterthought or part of a damage control scenario. Paul Wallenberg, team lead of technology recruiting at LaSalle Network, has helped hire CSOs, working with companies that have never had anyone in that role before, and has seen from corporate management's perspective what the purpose of a chief security officer is. "There's enough of a sample size of attacks and breaches to know that companies need to be taking security seriously now," he says. "A more proactive approach is for companies to think about what data they own and how the compromise of that data could represent a material threat to their customers and to their business. What would happen if it was compromised without a plan in place? Looking at security through this lens at the board or executive level will drive the decision to hire a CSO."
How to become a chief security officer
LaSalle Network's Wallenberg outlines the practical chief security officer qualifications his client companies look for when they hire. "The first thing companies should look for is a proven track record with a broad reach across both technical and functional competencies within security," he says. "CSOs can come from technical backgrounds with prior work experience as an engineer or architect working with tools and systems that cover modern security disciplines like SIEM, identity management, and threat intelligence, or from functional backgrounds where they managed security professionals responsible for those disciplines and personally were more involved in governance, risk, and compliance. Alternatively, there is an appetite in certain industries for CSOs who have a white hat or ethical hacking mindset." Of course, C-suite execs need a lot of experience under their belt; Wallenberg says you need to show that "you've climbed the ranks of a security department, or within larger organizations, being involved in security programs and initiatives that impact applications, infrastructure, and external threats." Another plus: "industry contacts at vendors, and ties to the intelligence community and academia."
But CSOs need to demonstrate qualifications that go beyond specific technical competencies and work trajectories. "CSOs must have an understanding of how complex tactical objectives can contribute to the strategic execution of holistically securing an organization, while respecting the privacy and trust of internal stakeholders," says Relativity’s Fennell. "While a technical background can be a tremendous aid in making informed decisions, passion for solving emerging puzzles that accompany information security is essential."
"Recently, we’ve seen a shift away from security leaders focusing solely on technical details and towards becoming more business-oriented," adds Sungard AS's Burke. "While a CSO should always be technically competent, they also need to be able to clearly explain aspects of their work, such as their risk management methodology, to stakeholders. Essentially, the CSO needs to be a trusted advisor to senior leadership. This is only possible when the CSO possesses good interpersonal and leadership skills."
Many companies still don't have CSOs, and that can create a path to the executive level for employees. "In IT environments where security is a competency within the department and not its own department, the type of person who would assume the CSO role would essentially be whoever has the deepest understanding of security at the organization," says Wallenberg. "In terms of external candidates, typically you see people who are at the level of a security architect, or at the Director or VP level over a security program and infrastructure."
Who does the CSO report to?
According to the 2018 Global State of Information Security survey, as many as 40 percent of CSOs and CISOs report to the company CEO, and 27 percent report directly to the board; only 24 percent are siloed under the CIO. Niall Browne, CISO of Domo, sees pluses and minuses for both arrangements. "Putting the CSO under the CIO helps ensure strong alignment with the technical delivery model," he says. "But there can be a segmentation of duties issue." To illustrate the problem, he outlines a scenario where an application is about to be rolled out, but has a known security vulnerability. "The CIO’s bonus may be tied to on-time delivery of applications, while the CSO’s is tied to limited security vulnerabilities and no security breaches. In this scenario, it is questionable what decision would be made: to delay the application release date and patch, or accept the risk, go live with the application with the vulnerability, and patch at a later date."
If the CSO reports directly to the CEO, Browne says, "the primary benefit is that the CSO has a higher degree of influence to drive change. On the flip side, the CSO may also have very limited time with the CEO, due to the CEO’s wide range of responsibilities."
"While there are differing opinions on this subject, and a wide array of variables that would directly contribute to the correct path," says Relativity’s Fennell, "I’ve personally had the most success working directly with the CEO, because that empowers a CSO to effectively remove barriers and align with the strategy of the entire company."
No matter who the CSO will ultimately report to, says LaSalle Network's Wallenberg, "the executive team should all be involved in the decision-making process. The people who are going to interact most with this person are your COO and CIO, so they should be intimately involved in interviewing and selection."
Sample CSO job description
The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate's direct reports will include the chief information security officer and the director of corporate security and safety.
- Lead operational risk management activities to enhance the value of the company and brand.
- Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
- Identify protection goals, objectives and metrics consistent with the corporate strategic plan.
- Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
- Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
- Maintain relationships with local, state and federal law enforcement and other related government agencies.
- Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
- Work with outside consultants as appropriate for independent security audits.
- Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
- Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
- Must have strong working knowledge of pertinent law and the law enforcement community.
- Must have a solid understanding of information technology and information security.
Chief security officer salary
Salaries for C-level executives can vary wildly depending on the industry, the company, and the experience and tenure of the candidate. But we can at least offer you a rough picture of what you can expect:
- According to Payscale.com, the median salary for a CSO is $131,314, and salaries anywhere from $68,208 to $201,789 are not out of the ordinary. Bonuses and profit sharing often figure in too, and can add up to $80,000 in additional compensation.
- According to Salary.com, the median salary for a CISO is $215,739, with a range usually between $188,510 and $249,063.
CSO vs. CISO
We're going to take a moment here to discuss the difference between a CSO and a CISO, because that will help clarify the job description. It would be great if there were a hard and fast set of rules that say a CSO does this and a CISO does that. But that's often not the case, because in practice an executive's precise duties are tailored to their experience and to the company they work for.
Niall Browne is in a good position to discuss the distinction; he's the CISO of Domo, and has held the CSO job at other companies. "Traditionally, the CSO has been responsible for the physical security and the safety of employees, assets, and facilities and may have a law enforcement background," he says, "while the CISO has been responsible for the protection of data and may have an IT, systems, or engineering background."
Relativity's Fennell agrees: "The CSO role is a bit more inclusive, by definition, including the physical, network, and product security of a company, whereas a CISO traditionally focuses on roles specific to safeguarding valuable information to the company," she says. But she also acknowledges that those lines are often blurred. "In practice, these titles are often used interchangeably," she says, and which one a company uses "speaks more to the focus of that organization rather than a clearly defined set of role responsibilities."
"As threats have evolved, so too have security roles," says Domo's Browne. "It is now more typical for physical security to be managed by facilities and perhaps have the title of Director of Corporate Security, with the CISO/CSO titles designated for the individual responsible for cybersecurity. This evolution makes sense, as the skillsets to manage physical security and cybersecurity are largely different. Most CISO/CSOs in the industry have not felt comfortable managing physical security, or believe they can provide most benefit to the company by focusing solely on cybersecurity."