How To

What is a Chief Security Officer?

Increasingly, Chief Security Officer means what it sounds like: The CSO is the executive responsible for the organization's entire security posture, both physical and digital.

The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. CISO, for Chief Information Security Officer, is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive infosecurity focus.

The CSO title is also used at some companies to describe the leader of the "corporate security" function, which includes the physical security and safety of employees, facilities and assets. More commonly, this person holds a title such as Vice President or Director of Corporate Security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.

Increasingly, Chief Security Officer means what it sounds like: The CSO is the executive responsible for the organization's entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy.

Several forces are driving this trend to combine all forms of security under a single organizational umbrella. At a tactical level, technology is being infused into physical security tools, which are increasingly database-driven and network-delivered. At a strategic level, CEOs and corporate boards, motivated in part by regulations such as the Sarbanes-Oxley Act, desire an enterprise-wide view of operational risk. And at a practical level, CSOs say a holistically managed security function can deliver better security at lower cost.

[CSO Magazine and CSOonline.com cover security of all sorts as well as related operational risk disciplines.]

Sample CSO job description

This is the top security executive in the company. He or she will report directly to a senior functional executive (CEO, COO, CFO, chief administration officer, head of legal counsel). The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate's direct reports will include the chief information security officer and the director of corporate security and safety.

Responsibilities:

Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
Identify protection goals, objectives and metrics consistent with corporate strategic plan.
Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
Maintain relationships with local, state and federal law enforcement and other related government agencies.
Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
Work with outside consultants as appropriate for independent security audits.