What is a Chief Security Officer?

By Derek Slater, www.CSOonline.com

Increasingly, Chief Security Officer means what it sounds like: The CSO is the executive responsible for the organization's entire security posture, both physical and digital.

The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. CISO, for Chief Information Security Officer, is perhaps a more accurate description of that position, and today the CISO title is becoming more prevalent for leaders whose remit is exclusively information security.

The CSO title is also used at some companies to describe the leader of the "corporate security" function, which includes the physical security and safety of employees, facilities and assets. More commonly, this person holds a title such as Vice President or Director of Corporate Security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.

Increasingly, though, Chief Security Officer means what it sounds like: the CSO is the executive responsible for the organization's entire security posture, both physical and digital. CSOs also frequently own, or participate closely in, related areas such as business continuity planning, loss prevention and fraud prevention, and privacy.

Merging all forms of security under a single organizational umbrella has at times been a controversial approach. At a tactical level, technology is being infused into physical security tools, which are increasingly database-driven and network-delivered: badge, access-control and video systems now run on the corporate network, so their exposure is an information security problem as much as a facilities one. At a practical level, CSOs say a holistically managed security function can deliver better security at lower cost. On the other hand, CSOs without a broad skill base can find it challenging to overcome organizational inertia and politics to deliver on that vision.

At a strategic level, CEOs and corporate boards, motivated in part by regulations such as the Sarbanes-Oxley Act, want an enterprise-wide view of operational risk. So another current approach to security leadership is to weave it together with other risk-related groups under the heading Enterprise Risk Management. ERM may be handled by a single holistic department or by a looser confederation; see the articles Risk's rewards and ERM: Get started in 6 steps for more details on how to approach ERM.

Regardless of structure, the ultimate task for CSOs and the security function is to add business value and create competitive advantage for their companies. See What is a CSO Part 2 and Next stop for security: Business services and business intelligence.

Sample CSO job description

This is the top security executive in the company. He or she will report directly to a senior functional executive (CEO, COO, CFO, chief administrative officer or general counsel). The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate's direct reports will include the chief information security officer and the director of corporate security and safety.

Responsibilities: