The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. CISO, for Chief Information Security Officer, is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive infosecurity focus.
The CSO title is also used at some companies to describe the leader of the "corporate security" function, which includes the physical security and safety of employees, facilities and assets. More commonly, this person holds a title such as Vice President or Director of Corporate Security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.
Increasingly, Chief Security Officer means what it sounds like: The CSO is the executive responsible for the organization's entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy.
The merging all forms of security under a single organizational umbrella has been a controversial approach at times. At a tactical level, technology is being infused into physical security tools, which are increasingly database-driven and network-delivered. At a practical level, CSOs say a holistically managed security function can deliver better security at lower cost. On the other hand, CSOs without a broad skill base can find it challenging to overcome organizational inertia and politics to deliver on that vision.
[Download 68 great ideas for running a security department, CSO's exclusive 14-page PDF]
At a strategic level, CEOs and corporate boards, motivated in part by regulations such as the Sarbanes-Oxley Act, desire an enterprise-wide view of operational risk. So another current approach to security leadership is to weave it together with other groups in under the heading Enterprise Risk Management. ERM may be handled by a holistic department or by a looser confederation—see the articles Risk's rewards and ERM: Get started in 6 steps for more details on how to approach ERM.
Regardless of structures, the ultimate task for CSOs and security is to add business value and create competitive advantage for their companies. See What is a CSO Part 2 and Next stop for security: Business services and business intelligence.
Sample CSO job description
This is the top security executive in the company. He or she will report directly to a senior functional executive (CEO, COO, CFO, chief administration officer, head of legal counsel). The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate's direct reports will include the chief information security officer and the director of corporate security and safety.
- Lead operational risk management activities to enhance the value of the company and brand.
- Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
- Identify protection goals, objectives and metrics consistent with corporate strategic plan.
- Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
- Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
- Maintain relationships with local, state and federal law enforcement and other related government agencies.
- Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
- Work with outside consultants as appropriate for independent security audits.
- Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
- Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
- Must have strong working knowledge of pertinent law and the law enforcement community.
- Must have a solid understanding of information technology and information security.
Last update November 2011