The CSO role today: Responsibilities and requirements for the top security job

The CSO is the executive responsible for the organization's entire security posture, both physical and cyber, and has the big picture view of the company's operational risk.

Page 2 of 2

CSO vs. CISO: What's in a name?

We're going to take a moment here to discuss the difference between a CSO and a chief information security officer, or CISO. It would be great if there were a hard and fast set of rules that say a CSO does this and a CISO does that. But that's often not the case. As Vanessa Pegueros, formerly CISO at DocuSign and now chief trust and security officer at OneLogin says, "I think there is a high level of variability in the responsibilities, and you really need to ask the individual in order to understand. There just isn't a strict definition anymore." As we've noted, traditionally the CISO role has focused primarily on IT security while CSOs have more expansive remits, but Chris Morales, CISO and head of security strategy at Netenrich, says: "There is some convergence as everything becomes connected to the internet—so even the CISO is starting to think about physical."

Perhaps the best way to understand what specific role a CSO or CISO has in an organization is to see what other similar positions also exist within the same organization, says YL Ventures' Ellis. "If there are no other C-level security roles, look for where various directors and vice-presidents sit in security roles in the organization," he says. "Oftentimes, there might be an IT CISO under the CIO, and a director of corporate security in a Facilities organization; that might indicate a CSO elsewhere has more of a governance and oversight function across the business, but isn’t driving operational work in IT or Facilities."

The main thing to keep in mind: while we'll be using the term CSO generically here, a lot of what we have to say applies to positions with

How to become a CSO

Paul Wallenberg, team lead of technology recruiting at LaSalle Network, has helped hire CSOs, and he outlined for us the practical chief security officer qualifications his client companies look for when they hire. "The first thing companies should look for is a proven track record with a broad reach across both technical and functional competencies within security," he says. "CSOs can come from technical backgrounds with prior work experience as an engineer or architect working with tools and systems that cover modern security disciplines like SIEM, identity management, and threat intelligence, or from functional backgrounds where they managed security professionals responsible for those disciplines and personally were more involved in governance, risk, and compliance. Alternatively, there is an appetite in certain industries for CSOs who have a white hat or ethical hacking mindset." Of course, C-suite execs need a lot of experience under their belt; Wallenberg says you need to show that "you've climbed the ranks of a security department, or, within larger organizations, been involved in security programs and initiatives that impact applications, infrastructure, and external threats." Another plus: "industry contacts at vendors, and ties to the intelligence community and academia."

But CSOs need to demonstrate qualifications that go beyond specific technical competencies and work trajectories. "CSOs must have an understanding of how complex tactical objectives can contribute to the strategic execution of holistically securing an organization, while respecting the privacy and trust of internal stakeholders," says Relativity’s Fennell. "While a technical background can be a tremendous aid in making informed decisions, passion for solving emerging puzzles that accompany information security is essential."

"Recently, we’ve seen a shift away from security leaders focusing solely on technical details and towards becoming more business-oriented," adds Sungard AS's Burke. "While a CSO should always be technically competent, they also need to be able to clearly explain aspects of their work, such as their risk management methodology, to stakeholders. Essentially, the CSO needs to be a trusted advisor to senior leadership. This is only possible when the CSO possesses good interpersonal and leadership skills."

Many companies still don't have CSOs, and that can create a path to the executive level for employees. "In IT environments where security is a competency within the department and not its own department, the type of person who would assume the CSO role would essentially be whoever has the deepest understanding of security at the organization," says Wallenberg. "In terms of external candidates, typically you see people who are at the level of a security architect, or at the director or VP level over a security program and infrastructure."

Who does the CSO report to?

Among the organizations surveyed in IDG's 2020 Security Priorities Study, almost half of security chiefs had a direct connection to the top. In 34% of cases, the top security executive reported to the CEO, and in another 12% they reported to the board of directors. Meanwhile, 33% of the time, the top security exec reported into a corporate or divisional CIO. The rest were scattered under different silos, reporting to officers like the chief risk officer or general counsel. Perhaps unsurprisingly, smaller companies tended to have flatter organizational arrangements: the study found that 59% of top security execs at SMBs reported to the CEO, whereas that was true at only 22% of large enterprises. Niall Browne, CISO of Domo, sees pluses and minuses for both arrangements. "Putting the CSO under the CIO helps ensure strong alignment with the technical delivery model," he says. "But there can be a segmentation of duties issue."

If the CSO reports directly to the CEO, Browne says, "the primary benefit is that the CSO has a higher degree of influence to drive change. On the flip side, the CSO may also have very limited time with the CEO, due to the CEO’s wide range of responsibilities."

In fact, increasingly CSOs are dealing with an even higher power, the organizational board of directors—either reporting directly to the board or getting regular facetime with them due to their presence in the C-suite. "It is time for security leaders to step up and become active participants and members of the senior leadership team," says OneLogin's Pegueros. "The issues facing companies related to security can no longer wait to be heard once a month or once a quarter—they demand to be heard every day at the senior leadership level."

Another interesting, if unsurprising, correlation: security execs who have the ear of top management are more likely to win a larger portion of the IT budget for security purposes. That's clear from the 2019 State of the CIO survey, conducted by our sister site. Companies that spent less than 5% of their IT budget on security were equally likely to have their CSOs report to CIOs or CEOs; but at companies that spent 10% or more on security, the CSO was almost twice as likely to report to the CEO. The effect was even more pronounced at companies where the top security title holder was CISO: only 3% of CISOs at companies that spent less than 5% of their IT budget reported to the CEO, but 26% of CISOs at companies that spent more than 10% did.

No matter who the CSO will ultimately report to, to be effective they need to speak the language of upper corporate echelons. "The CSO must frame conversations and opportunities in a manner that expresses both the probability and impact of decisions that the board and the C-suite make in business terms they understand—impact to revenue, loss of clients, reputational harm, regulatory impact, and so on," says Abnormal Security CISO Mike Britton.

And, to ensure a good fit, LaSalle Network's Wallenberg says that the executive team should all be involved in the hiring process. "The people who are going to interact most with this person are your COO and CIO, so they should be intimately involved in interviewing and selection."

Sample CSO job description

The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate's direct reports will include the chief information security officer and the director of corporate security and safety.

Responsibilities:

  • Lead operational risk management activities to enhance the value of the company and brand.
  • Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
  • Identify protection goals, objectives and metrics consistent with the corporate strategic plan.
  • Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include architecture, network access and monitoring policies, employee education and awareness, and more.
  • Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
  • Maintain relationships with local, state, and federal law enforcement and other related government agencies.
  • Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
  • Work with outside consultants as appropriate for independent security audits.

Qualifications:

  • Must be an intelligent, articulate, and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
  • Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
  • Must have strong working knowledge of pertinent law and the law enforcement community.
  • Must have a solid understanding of information technology and information security.

Chief security officer salary

Salaries for C-level executives can vary wildly depending on the industry, the company, and the experience and tenure of the candidate. But we can at least offer you a rough picture of what you can expect:

  • According to com, the median salary for a CSO is $147,802, with anything from $74,000 to $230,000 being not out of the ordinary. Bonuses and profit sharing often figure in too, and can add up to $100,000 in additional compensation.
  • According to com, the median salary for a CISO is $223,854, with a range usually between $169,621 and $290,114.

Of course, the salary will depend on the exact contours of the job. A broader scope of responsibilities means higher pay, says Abnormal Security's Britton. "Adding in physical security and business continuity helps."

Copyright © 2021 IDG Communications, Inc.
