A CSO is a departmental leader responsible for information security, corporate security or both. That’s the simplest answer to the question “What is a CSO?”, and one that our founding editor Derek Slater offered up to readers way back in 2005—heck, if there’s one website you ought to be able to trust to tell you what a CSO is, it’s CSOonline. But of course, no one-sentence answer can encapsulate the complexity of a job like this, and not everyone with the CSO title has the same set of responsibilities.
The title chief security officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. Chief information security officer (CISO) is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive information security focus. But the distinction is not necessarily clean cut, as we’ll see in a moment.
The CSO title is also used at some companies to describe the leader of the “corporate security” function, which includes the physical security and safety of employees, facilities, and assets. More commonly, this person holds a title such as vice president or director of corporate security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.
Increasingly, CSO means what it sounds like: The CSO is the executive responsible for the organization’s entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy. Of course, there are many smart folks in the real world with the official CSO title who don’t shoulder the burden for both areas. However, if the CEO has a question about finance—any question—then he expects the “Chief Financial Officer” to be able to answer, or find the answer quickly. When the “Chief Security Officer” answers security questions with “Oh, that’s not my problem; that’s those other guys over there,” the message to the CEO is that there’s really no “chief” who has the big picture view of the company’s operational risk.
Let’s take a dive into just what goes into this position, talking along the way to some people who’ve actually worked in that job, and someone who’s helped hire them. (But, apologies in advance: we’re not going to explain what a Chief Strategy Officer is, despite the fact that it shares the CSO initials; check out the Harvard Business Review for the details on that role.)
What does a CSO do?
Relativity CSO Amanda Fennell gives a high-level view of what being a CSO entails. “The modern CSO is a pathfinder and problem-solver for the organization,” she says, “working closely with a diverse set of IT and engineering teams to envision, strategize, and execute on a multifaceted program within a rapidly changing scope of compliance and governance.”
That’s interesting, but maybe a little abstract. What, in practice, are a chief security officer’s job responsibilities? Or, to put it more succinctly: what does the CSO do? “I’m primarily accountable for establishing the enterprise vision, strategy, and programs to protect people, information assets, and technologies,” says Shawn Burke, CSO at Sungard AS. “Ultimately, I’m responsible for ensuring the security function provides organizational value.”
What they’re both getting at is that a CSO, above all, needs to create a way for the company to think about security as a strategic asset and part of its mission, not just as an afterthought or part of a damage control scenario. One way to achieve that is by applying risk management techniques, according to Andy Ellis, Operating Partner at YL Ventures and former CSO at Akamai. He explains: “When looking at risks across the business, a CSO has to balance two important inputs: how costly, in time and money, a fix might be, and how much benefit that fix might bring—usually in risk reduction, but potentially in ancillary business benefits.” He breaks down risks into four quadrants:
- Low-cost, low-benefit change requests: A C-level exec shouldn’t be dealing with these directly but should instead be creating robust processes that can resolve problems in these areas as a matter of course.
- Low-cost, high-benefit incidents: Any high-risk hazard that has a low-cost fix should be dealt with quickly, and a CSO might need to help clear the path and invoke a disruptive incident process as necessary, then subsequently improve processes to prevent similar disruptions.
- High-cost, low-benefit environmental hazards: These represent the cost of doing business, and a CSO needs to assess when a fix isn’t worth the cost and get management on board with that assessment.
- High-cost, high-benefit severe risks: The area where a CSO needs to spend most of their energy is in addressing the high-impact risks that don’t have easy solutions. “It can be easy for an executive team to fool themselves into believing that risks are significantly mitigated when only a small piece of a risk has been addressed,” says Ellis, “and it’s the CSO’s job to ensure that focus remains on mitigating those risks, even if it may take multiple years to do so.”