Defining the CSO

What are the major differentiators between CSO positions? Lee Kushner, CEO of LJ Kushner and Associates, an information security recruiting company, makes significant distinctions between CSOs at the global, national and small enterprise levels.

Hiring a chief security officer for your company is no easy task. The position's responsibilities vary from company to company, shaped by a number of variables specific to each organisation. Therefore, the primary factor that should influence an organisation's search for a CSO is how well the senior security executive meets the specific needs of that organisation.

The sphere of influence and responsibility of a CSO should be determined by the value of the company's assets and the type of information that is being protected. Organisations that are custodians of confidential medical records face liability issues of great magnitude; companies that make proprietary information available online to employees run the risk of competitors stealing that information. Online retailers will be concerned with threats such as theft of credit card information, theft of consumer information or denial of service attacks that prevent consumers from completing their online purchases. In any case, it is a company's specific security concerns that will dictate to whom the executive answers and where he fits in the corporate chain.

Regardless of the size and type of the organisation, there are certain core competencies and responsibilities that all CSOs need to fulfil. First and foremost, the CSO is responsible for the creation, definition, and execution of the company's security strategy and vision. He also must effectively manage and allocate the company's security budget and hire a competent staff. Further, the CSO is charged with the development and subsequent enforcement of the company's security policies and procedures, security awareness program, business continuity and disaster recovery plans, and all industry and governmental compliance issues. However, that is where most of the similarities end. The main factor responsible for differences in CSO roles is the size of the company: global, national/regional or small enterprise. Below are snapshots of what each type of company should look for when hiring a CSO.

Authority and Accountability

CSOs of larger global organisations are given a higher level of accountability and authority for their organisation's security. Smaller businesses often have different drivers for their security initiatives. In national or regional organisations, the CSO is held responsible for all security initiatives; however, he is not given full authority for security. In smaller organisations, the CSO is generally relegated to working in an advisory capacity to senior management on all security-related issues and is individually responsible for implementing the security initiatives.

Staffing

In global organisations with larger security budgets, CSOs have the ability to surround themselves with more highly qualified domain experts to carry out their tasks. Those tasks include hiring a chief information security officer (CISO) and a chief physical security officer (CPSO). CSOs also have the ability to hire additional domain experts in different technical information security disciplines. The CSOs in smaller entities do not have the luxury enjoyed by their global organisation counterparts; they must build their teams more carefully by choosing versatile individuals with a broader range of security skills.

Executive Management Skills

The larger the organisation, the more business and personnel management skills the CSO must possess. In global organisations, where the budgets are larger and the organisation is more geographically dispersed, CSOs have to be more effective managers and communicators within and across departments. Running security in smaller organisations still requires management and communication skills, but to a lesser degree. However, although the staff directly under the leadership of the security executive is significantly smaller, the need to interact with other departments to cooperatively achieve goals may be greater. This means that CSOs of smaller companies have to enlist the support of people within the organisation, both technical and nontechnical, to assist the security organisation in accomplishing its goals.

Technical Competence

All CSOs are required to have a certain level of technical competence to lead their organisation's security initiatives. It is very difficult for leaders to be respected by their security organisation, regardless of size, without having a proper grasp of the technical security issues that affect the organisation. Further, it would be difficult to garner the respect of the other technical leaders within the organisation without that knowledge.

The level of technical competence that a CSO needs is dictated by the size of the organisation he is leading. In global organisations, CSOs need a general knowledge of how technical issues affect the business of the company. For specific technical details, these CSOs have the luxury of delegating to a team of experts. In smaller organisations, the CSO needs more "hands on" technical skills in order to fully execute his duties. The CSOs of smaller entities are often expected to provide broad-based internal "security consulting" services to the different areas of their company. However, because many do not have all of the technical expertise in-house, they often have to use outside vendors to provide expert-level support on specialised technical security initiatives.

Salary Ranges

  • Global CSO - base salary: $US150,000-$US350,000; bonus potential: $US100,000-$US300,000
  • National/Regional CSO - base salary: $US125,000-$US200,000; bonus potential: $US50,000-$US150,000
  • Small Organisation CSO - base salary: $US100,000-$US150,000; bonus potential: $US35,000-$US75,000

As the rapidly changing business environment causes the security field to gain stature and importance for both management and shareholders, more companies will legislate the hiring of the CSO, resulting in a continual redefining of the position. The following checklists should provide standard guidelines for any organisation that is ready to embark on a search for its CSO.

List of Unique CSO Responsibilities by Company Size:

CSO of the Global Organisation

The CSO has ultimate authority and accountability for creating and maintaining a business environment enabling all employees, partners and customers of the company to have confidence that their business dealings and day-to-day activities can be conducted with an appropriate level of security, privacy and confidentiality.

Responsibilities:

  • Recruit, hire, retain, and develop professionals devoted to the execution of the global corporate security strategy and vision. That includes the recruitment of a chief information security officer and a chief physical security officer, as well as technical information security subject-matter experts.
  • Direct the development and enforcement of corporate global information security and privacy policies in compliance with federal and global regulations and standards.
  • Develop a global security awareness program for the company.
  • Develop the proper selection criteria and evaluation process for the approval of all vendor products, tools and services related to a secure technology infrastructure.
  • Oversee both the physical and the technical information security function of the company. This function consists of, but is not limited to, security operations, network security management, application security, remote access, antivirus, identity management (PKI), access control and biometrics.
  • Develop a security compliance and verification program consisting of vulnerability assessments and penetration testing.
  • Develop a corporate incident response plan, incident response team and investigation methodology. Interact and coordinate with law enforcement and computer crime investigators in the event of a computer security incident or computer-related fraud.
  • Incorporate information security into all merger-and-acquisition activities.
  • Support corporate sales and marketing efforts by providing guidance to external clients.

CSO of the National/Regional Corporation

The CSO has primary responsibility for creating and maintaining a business environment enabling all employees, partners and customers of the company to have confidence that their business dealings and day-to-day activities can be conducted with an appropriate level of security, privacy and confidentiality.

Responsibilities:

  • Recruit, hire, retain, and develop a team of professionals devoted to the execution of the corporate security strategy and vision. The team should comprise individuals responsible for both information security and physical security.
  • Serve as the primary point of contact and advise members of the senior management team of the security and risk implications of all current and future business-related activities.
  • Direct the development and enforcement of corporate information security and privacy policies in compliance with federal regulations and standards.
  • Develop a security awareness program for the company.
  • Develop an internal information security committee, composed of members from all corporate functions and lines of business, to ensure that security is given consideration in all of the company's business processes and activities.
  • Provide information security consultative support to all lines of business.
  • Develop the proper selection criteria and evaluation process for the approval of all vendor products, tools and services related to technology infrastructure.
  • Oversee the technical information security function of the company. This function consists of, but is not limited to, security operations, network security management, application security, remote access, antivirus and identity management (PKI).
  • Develop a corporate incident response plan, incident response team and investigation methodology. Interact and coordinate with law enforcement and computer crime investigators in the event of a computer security incident or computer-related fraud.

CSO of the Small Enterprise

The CSO works in conjunction with other members of the corporation's senior management team to assist in the creation and maintenance of a business environment enabling all employees, partners and customers of the company to have confidence that their business dealings and day-to-day activities can be conducted with an appropriate level of security, privacy and confidentiality.

Responsibilities:

  • Serve as the primary point of contact and advise members of the senior management team of the security and risk implications of all current and future business-related activities.
  • Recruit and manage a small team of information security generalists to carry out the execution of the company's information security policies and procedures.
  • Serve as the internal champion for security awareness throughout all levels of the organisation.
  • Develop an internal information security committee, composed of members from all corporate functions, to ensure that security is given consideration in all of the company's business processes and activities.
  • Keep the company in compliance with all federal regulations and industry standards as they apply to the company's business.
  • Serve as the technical subject-matter expert on the evaluation, selection and integration of all information security-related projects.
  • Provide information security consultative support to the company.
  • Evaluate, coordinate, and select outside consultancies and vendors that provide specific expertise on security-related corporate initiatives.
