By Sarah Hunt
The chief security officer (CSO) may turn out to be the corporate hero we didn’t know we would need just a few years ago.
These C-suite executives are charged with an increasingly challenging and crucial task: protecting the often billions of dollars worth of digital and physical assets being held by enterprises all over the globe.
What does a typical CSO do all day? What does it take to become one? This guide will get you up to speed faster than you can say “another brute-force ransomware attack cost a major company millions of dollars today.”
What is a chief security officer (CSO)?
The simple answer is that a CSO is a managerial leader who oversees information security and/or corporate-wide security, typically for large enterprises. However, this role can represent a broad range of duties, depending on the business focus at hand and the organizational hierarchy in play.
Increasingly, CSO roles are viewed as being on par with other C-suite positions, such as the chief financial officer (CFO) and chief executive officer (CEO). The CPA Journal, for example, asserts that the CSO role has evolved to represent a similar and equally important role to the CFO, where the assets being protected are wide-ranging digital/physical assets versus strictly financial assets.
CSO v. CISO
Since the term chief security officer was coined around 2005, this role has become more nuanced and complex. Today, many organizations have retired the CSO role in favor of the chief information security officer (CISO) role when the duties are exclusively or primarily focused on information security.
Some firms use the terms interchangeably. While there is often some overlap between these roles, the prevailing modern wisdom seems to be leaning toward a clear distinction, where CSOs exclusively handle topics such as physical employee safety, while CISOs rarely handle such areas.
Some companies use the CSO to describe the top-level manager of corporate security functions, including physical, facility and asset security as well as general employee safety. These roles often fall under more operational titles, such as vice president or director of corporate security. Historically, corporate security has been handled separately from information security. In fact, these two areas are sometimes competitive within organizations.
Typical CSO responsibilities
CSOs are charged with overseeing and enhancing security at an organization, which increasingly includes IT security. These executives identify and analyze a big-picture view of organizational strategy through the lens of how to foster growth, while protecting the organization’s assets.
CSOs work with other executives to prioritize security needs within a given set of parameters, including financial constraints and outside demands such as industry regulatory compliance. Often, CSOs oversee a large network of directors, mid- and high-level managers and staff.
These professionals also work with local, state, federal and sometimes international law enforcement and other security agencies, providing assistance to these agencies or reporting to them about internal security issues as needed.
CSOs manage on the following core aspects of security, according to a sample job listing for a chief security officer position by the American Health Information Management Association (AHIMA):
1. Daily operations of the IT security program
2. Oversight of the annual and ongoing risk assessment process
3. Development, implementation and maintenance of policies and procedures
4. Ensuring the confidentiality, integrity and access of electronic protected health information and of monitoring program compliance
5. Investigation and tracking of incidents and breaches as well as compliance with federal and state laws.
Each of these categories includes many disparate sub-duties, some of which are frequently delegated to other organizational roles. Taken as a whole, all of the tasks performed or directed by the CSO are aimed at protecting the organization from a security standpoint.
Typical CSO qualifications
Ten areas of experience are common to chief security officers based on an analysis of CSO resumes, according to the career guide Zippia.
• Information security
• Physical security
• Regulatory agency experience
• Information technology
• Risk management
• Incident response
• Previous CSO experience
• National Institute of Standards and Technology (NIST) guidelines knowledge
AHIMA lists the following qualifications in its sample health care CSO job description:
• Bachelor’s degree in information systems or a related health care field
• Knowledge and experience in state and federal information security laws, including but not limited to HIPAA, NIST PCI and all other applicable regulations
• Demonstrated organization, facilitation, presentation, written and oral communication skills
• Recommended security certifications such as Certified in Healthcare Privacy and Security (CHPS) and/or other industry-related security credentials
While the list skews toward CSO positions within health organizations, these qualifications are in line with many other listings on online job posting sites such as Indeed.
Generally, CSOs need at least a four-year degree and extensive knowledge and experience with security topics, including digital security involving data and networking. That said, positions that require executive-level management typically require more advanced degrees and extensive professional managerial and leadership experience.
Organizations are seeking CSOs more frequently, a trend that likely reflects a growing corporate awareness around an overall increase in cybersecurity threats.
Board members and C-suite executives who are sensitive to the potentially crippling enterprise-wide effects of cyber breaches are in the bottom-line positions to push for a CSO role.
They have the best assessment of risk in the organization and the inter-departmental need for prevention.
CSO job growth
The information security market is expected to grow at a much higher than average rate over the next several years, with hundreds of thousands of positions opening up, according to the Bureau of Labor Statistics’ Occupational Outlook Handbook.
CSO salary ranges
The chief security office role is among the most lucrative, with positions often topping $225,000 annually, according to the Cyberstudies Consortium. An average CSO base salary is $147,802, and the salary range is from $73,000 to $171,000 over a typical career, Payscale.com reports.
These figures are in line with the findings of the 2018 Robert Half Technology Salary Survey, which found that average salaries range from $143,250 to $241,000.
CSOs come from a variety of educational backgrounds. Common college majors include computer science, information technology, data privacy and legal compliance specialties and other related technical fields.
CSOs often hold business degrees as well, including an MBA, which can provide a helpful background for CSOs working in the corporate world.
The University of San Diego, which offers two advanced degree options geared toward chief security officer and similar careers, notes that many CSOs earn various cybersecurity certificates during their careers. Here are five of the most common certifications attained by CSOs:
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• Certified Ethical Hacker (C|EH) (Practical)
• Certified in Risk and Information Systems Control (CRISC)
Notable recent CSO and CISO hires
Richard Amburgey: first CSO of the Bureau of Labor Statistics (BLS) (March, 2020)
Amurgey previously worked for the Federal Emergency Management Agency (FEMA), as the chief of regional security operations in Chicago. BLS reports that Amurgey provided “comprehensive security services in coordination with the Interagency Security Committee (ISC) and the Department of Homeland Security (DHS) standards,” working to protect FEMA employees, facilities and assets.
Mike Hanley: first CISO of GitHub
Hanley came to GitHub from Cisco, where he served as CISO for less than 12 months. Prior to that role, he was with Duo Security, which was acquired by Cisco in 2018. GitHub cited its role within supply chain security as a reason it decided to bring on the CSO role and mentioned the major breach of SolarWinds when asked about the new hire by SecurityWeek.
Cisco promoted Anthony Grieco to the CISO position following Hanley’s departure.
Allison Miller: CISO and VP of trust for Reddit
Miller joined Reddit following her work with Bank of America, where she served as SVP of technology strategy and design, overseeing tech design and engineering delivery. She has also worked in various technology and leadership roles at Visa, Paypal/eBay, Google and Electronic Arts (EA). Miller will work to expand trust and safety operations and data security as well as redesigning Reddit’s trust frameworks and transparency efforts, Reddit says in a blog post.
In the coming years, it is clear that the CSO/CISO role will become a more standard C-suite position for enterprises.
Proactive companies are adding these roles partly in response to the increase of cyber crimes targeting corporate, governmental and other networked organizations.
From a job-seeking perspective, the CSO career track is promising. These roles are lucrative and the number of open positions shows no sign of slowing.
• Fallout from SolarWinds Orion breach to reverberate across channel
• Why it’s not easy to become an MSSP
• Webopedia: 10 interesting facts about cybersecurity