A CSO is a departmental leader responsible for information security, corporate security or both. That’s the simplest answer to the question “What is a CSO?”, and one that our founding editor Derek Slater offered up to readers way back in 2005—heck, if there’s one website you ought to be able to trust to tell you what a CSO is, it’s CSOonline. But of course, no one-sentence answer can encapsulate the complexity of a job like this, and not everyone with the CSO title has the same set of responsibilities.
The title chief security officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. Chief information security officer (CISO) is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive information security focus. But the distinction is not necessarily clean cut, as we’ll see in a moment.
The CSO title is also used at some companies to describe the leader of the “corporate security” function, which includes the physical security and safety of employees, facilities, and assets. More commonly, this person holds a title such as vice president or director of corporate security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.
Increasingly, CSO means what it sounds like: The CSO is the executive responsible for the organization’s entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy. Of course, there are many smart folks in the real world with the official CSO title who don’t shoulder the burden for both areas. However, if the CEO has a question about finance—any question—then he expects the “Chief Financial Officer” to be able to answer, or find the answer quickly. When the “Chief Security Officer” answers security questions with “Oh, that’s not my problem; that’s those other guys over there,” the message to the CEO is that there’s really no “chief” who has the big picture view of the company’s operational risk.
Let’s take a dive into just what goes into this position, talking along the way to some people who’ve actually worked in that job, and someone who’s helped hire them. (But, apologies in advance: we’re not going to explain what a Chief Strategy Officer is, despite the fact that it shares the CSO initials; check out the Harvard Business Review for the details on that role.)
What does a CSO do?
Relativity CSO Amanda Fennell gives a high-level view of what being a CSO entails. “The modern CSO is a pathfinder and problem-solver for the organization,” she says, “working closely with a diverse set of IT and engineering teams to envision, strategize, and execute on a multifaceted program within a rapidly changing scope of compliance and governance.”
That’s interesting, but maybe a little abstract. What, in practice, are a chief security officer’s job responsibilities? Or, to put it more succinctly: what does the CSO do? “I’m primarily accountable for establishing the enterprise vision, strategy, and programs to protect people, information assets, and technologies,” says Shawn Burke, CSO at Sungard AS. “Ultimately, I’m responsible for ensuring the security function provides organizational value.”
What they’re both getting at is that a CSO, above all, needs to create a way for the company to think about security as a strategic asset and part of its mission, not just as an afterthought or part of a damage control scenario. One way to achieve that is by applying risk management techniques, according to Andy Ellis, Operating Partner at YL Ventures and former CSO at Akamai. He explains: “When looking at risks across the business, a CSO has to balance two important inputs: how costly, in time and money, a fix might be, and how much benefit that fix might bring—usually in risk reduction, but potentially in ancillary business benefits.” He breaks down risks into four quadrants:
-Low-cost, low-benefit change requests: A C-level exec shouldn’t be dealing with these directly but should instead be creating robust processes that can resolve problems in these areas as a matter of course.
-Low-cost, high-benefit incidents: Any high-risk hazard that has a low-cost fix should be dealt with quickly, and a CSO might need to help clear the path and invoke a disruptive incident process as necessary, then subsequently improve processes to prevent similar disruptions.
-High-cost, low-benefit environmental hazards: These represent the cost of doing business, and a CSO needs to assess when a fix isn’t worth the cost and get management on board with that assessment.
-High-cost, high-benefit severe risks: The area where a CSO needs to spend most of their energy is in addressing the high-impact risks that don’t have easy solutions. “It can be easy for an executive team to fool themselves into believing that risks are significantly mitigated when only a small piece of a risk has been addressed,” says Ellis, “and it’s the CSO’s job to ensure that focus remains on mitigating those risks, even if it may take multiple years to do so.”
CSO vs. CISO: What’s in a name?
We’re going to take a moment here to discuss the difference between a CSO and a chief information security officer, or CISO. It would be great if there were a hard and fast set of rules that say a CSO does this and a CISO does that. But that’s often not the case. As Vanessa Pegueros, formerly CISO at DocuSign and now chief trust and security officer at OneLogin says, “I think there is a high level of variability in the responsibilities, and you really need to ask the individual in order to understand. There just isn’t a strict definition anymore.” As we’ve noted, traditionally the CISO role has focused primarily on IT security while CSOs have more expansive remits, but Chris Morales, CISO and head of security strategy at Netenrich, says: “There is some convergence as everything becomes connected to the internet—so even the CISO is starting to think about physical.”
Perhaps the best way to understand what specific role a CSO or CISO has in an organization is to see what other similar positions also exist within the same organization, says YL Ventures’ Ellis. “If there are no other C-level security roles, look for where various directors and vice-presidents sit in security roles in the organization,” he says. “Oftentimes, there might be an IT CISO under the CIO, and a director of corporate security in a Facilities organization; that might indicate a CSO elsewhere has more of a governance and oversight function across the business, but isn’t driving operational work in IT or Facilities.”
The main thing to keep in mind: while we’ll be using the term CSO generically here, a lot of what we have to say applies to positions with
How to become a CSO
Paul Wallenberg, team lead of technology recruiting at LaSalle Network, has helped hire CSOs, and he outlined for us the practical chief security officer qualifications his client companies look for when they hire. “The first thing companies should look for is a proven track record with a broad reach across both technical and functional competencies within security,” he says. “CSOs can come from technical backgrounds with prior work experience as an engineer or architect working with tools and systems that cover modern security disciplines like SIEM, identity management, and threat intelligence, or from functional backgrounds where they managed security professionals responsible for those disciplines and personally were more involved in governance, risk, and compliance. Alternatively, there is an appetite in certain industries for CSOs who have a white hat or ethical hacking mindset.”
Of course, C-suite execs need a lot of experience under their belt; Wallenberg says you need to show that “you’ve climbed the ranks of a security department, or, within larger organizations, been involved in security programs and initiatives that impact applications, infrastructure, and external threats.” Another plus: “industry contacts at vendors, and ties to the intelligence community and academia.”
But CSOs need to demonstrate qualifications that go beyond specific technical competencies and work trajectories. “CSOs must have an understanding of how complex tactical objectives can contribute to the strategic execution of holistically securing an organization, while respecting the privacy and trust of internal stakeholders,” says Relativity’s Fennell. “While a technical background can be a tremendous aid in making informed decisions, passion for solving emerging puzzles that accompany information security is essential.”
“Recently, we’ve seen a shift away from security leaders focusing solely on technical details and towards becoming more business-oriented,” adds Sungard AS’s Burke. “While a CSO should always be technically competent, they also need to be able to clearly explain aspects of their work, such as their risk management methodology, to stakeholders. Essentially, the CSO needs to be a trusted advisor to senior leadership. This is only possible when the CSO possesses good interpersonal and leadership skills.”
Many companies still don’t have CSOs, and that can create a path to the executive level for employees. “In IT environments where security is a competency within the department and not its own department, the type of person who would assume the CSO role would essentially be whoever has the deepest understanding of security at the organization,” says Wallenberg. “In terms of external candidates, typically you see people who are at the level of a security architect, or at the director or VP level over a security program and infrastructure.”
Who does the CSO report to?
Among the organizations surveyed in IDG’s 2020 Security Priorities Study, almost half of security chiefs had a direct connection to the top. In 34% of cases, the top security executive reported to the CEO, and in another 12% they reported to the board of directors. Meanwhile, 33% of the time, the top security exec reported into a corporate or divisional CIO. The rest were scattered under different silos, reporting to officers like the chief risk officer or general counsel. Perhaps unsurprisingly, smaller companies tended to have flatter organizational arrangements: the study found that 59% of top security execs at SMBs reported to the CEO, whereas that was true at only 22% of large enterprises. Niall Browne, CISO of Domo, sees pluses and minuses for both arrangements. “Putting the CSO under the CIO helps ensure strong alignment with the technical delivery model,” he says. “But there can be a segmentation of duties issue.”
If the CSO reports directly to the CEO, Browne says, “the primary benefit is that the CSO has a higher degree of influence to drive change. On the flip side, the CSO may also have very limited time with the CEO, due to the CEO’s wide range of responsibilities.”
In fact, increasingly CSOs are dealing with an even higher power, the organizational board of directors—either reporting directly to the board or getting regular facetime with them due to their presence in the C-suite. “It is time for security leaders to step up and become active participants and members of the senior leadership team,” says OneLogin’s Pegueros. “The issues facing companies related to security can no longer wait to be heard once a month or once a quarter—they demand to be heard every day at the senior leadership level.”
Another interesting, if unsurprising, correlation: security execs who have the ear of top management are more likely to win a larger portion of the IT budget for security purposes. That’s clear from the 2019 State of the CIO survey, conducted by our sister site CIO.com. Companies that spent less than 5% of their IT budget on security were equally likely to have their CSOs report to CIOs or CEOs; but at companies that spent 10% or more on security, the CSO was almost twice as likely to report to the CEO. The effect was even more pronounced at companies where the top security title holder was CISO: only 3% of CISOs at companies that spent less than 5% of their IT budget reported to the CEO, but 26% of CISOs at companies that spent more than 10% did.
No matter who the CSO will ultimately report to, to be effective they need to speak the language of upper corporate echelons. “The CSO must frame conversations and opportunities in a manner that expresses both the probability and impact of decisions that the board and the C-suite make in business terms they understand—impact to revenue, loss of clients, reputational harm, regulatory impact, and so on,” says Abnormal Security CISO Mike Britton.
And, to ensure a good fit, LaSalle Network’s Wallenberg says that the executive team should all be involved in the hiring process. “The people who are going to interact most with this person are your COO and CIO, so they should be intimately involved in interviewing and selection.”
Sample CSO job description
The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate’s direct reports will include the chief information security officer and the director of corporate security and safety.
-Lead operational risk management activities to enhance the value of the company and brand.
-Oversee a network of security directors and vendors who safeguard the company’s assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
-Identify protection goals, objectives and metrics consistent with the corporate strategic plan.
-Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
-Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
-Maintain relationships with local, state, and federal law enforcement and other related government agencies.
-Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
-Work with outside consultants as appropriate for independent security audits.
-Must be an intelligent, articulate, and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
-Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
-Must have strong working knowledge of pertinent law and the law enforcement community.
-Must have a solid understanding of information technology and information security.