A Chief Security Officer, or CSO, is primarily responsible for the information security of an organization, and ‘owns’ the organization’s security posture. He or she is a primary cyber security leader.
As with any role, the job function depends on the specifics of the organization, and perhaps all the more so with the CSO role.
- In some organizations, the CSO is responsible for securing physical assets in addition to digital assets
- Identifies risks
- Develops strategy
- Outlines budgets
- Manages a team
- Communicates with the C-suite
What combination of education, skills and experience is necessary for this role?
Education: Many organizations prefer to hire someone with a Master of Business Administration (MBA).
Skills that the CSO role requires include:
- Risk management know-how
- Superior problem-solving skills
- Ability to budget
- Leadership skills and management experience
- Communication skills
Experience: Hiring managers want to see extensive related experience, and that a candidate has climbed the ladder through an organization. Past work with academics and/or the intelligence community can be viewed as an advantage.
Who does this person typically report to?
The CSO may report to the CEO or president of an organization.
What has the evolution of the CSO role looked like?
The role gained traction in the early 2000s, with financial institutions leading the initiative to hire Chief Security Officers (CSOs). Much of the financial world’s interest emerged from new federal mandates related to security. As regulations for other sectors, like healthcare, emerged, and the utility of this role became clear, an increasing number of organizations moved to hire CSOs. Due to the surge in demand, and the limited pipeline, the CSO role is often challenging to fill.
What does the future of the CSO role look like?
The future is uncertain for any role, but the forecast is for more of the same.
Who typically reports to the CSO?
A network of security directors, vendors and consultants who help safeguard assets and offer perspectives on how to improve physical and cyber security.
What’s the difference between the CSO and CISO roles?
This is dependent upon the organization doing the hiring, and is also dependent upon the incumbent’s strengths. Generally speaking, the CSO role is more all-encompassing than the CISO role, with the former including responsibility for physical safety and security. Often, CSOs have law enforcement backgrounds, while CISOs tend to have IT, systems or engineering backgrounds.
What challenges does the CSO typically face?
- Identifying the business’s main goals, and future directions
- Alignment with CEO and the board
- Recognition of what CSO success looks like in the eyes of stakeholders
The role of a CSO at a startup:
Startups often attempt to bake security measures into their systems and products, but may not have the need or resources for a full-time Chief Security Officer. The reality is that 5% of the world’s most profitable companies have CSOs, but 95% of top companies do not. It’s estimated that an even smaller percentage of startups employ CSOs.
Notable quotes about the CSO role:
“If the number one goal for a CMO is getting her company into the press and into headlines…the number one goal of the CSO is to keep her company out of them” –Cyber security evangelist, Grant A.
“Creating policies that combine a cyber security program that aligns with compliance, operational and strategic directions of the organization is extremely difficult. Very often, I hear that policy is inhibiting productivity. The balance between these two seemingly opposed pursuits is an important one to strike” –Cyber security evangelist, Mark O.
“The CSO should be the opportunist who drinks the water, while the pessimist, the optimist and the realist are arguing about how full the glass is!” –Cyber security evangelist, Edwin D.