Comparing the Roles of the CISO vs. the CSO

Guest Post by Dhvani Patel

As companies mature their security practices, they often hire both a Chief Information Security Officer (CISO) and a Chief Security Officer (CSO). This essay outlines the typical roles and responsibilities of each.

CISO

The CISO is the executive responsible for an organization’s data and information security. The role has recently gained prominence as a corporate position charged with protecting against information security risks. It was created to help organizations protect their digital assets, including computer systems and networks, from hackers and other cyber threats. The CISO works with other C-level executives, business managers, the security team and information technology (IT) managers to monitor and maintain the security of the company’s computers, networks, applications and databases.

The CISO’s primary responsibility is to understand security operations and challenges in both the current and future states of the organization’s business operations. To make effective business decisions, the CISO needs in-depth knowledge of the organization’s operations, functions and business disciplines such as human resources (HR), compliance and finance. The CISO oversees security operations; duties include evaluating the IT threat landscape, developing cyber security policy and controls to reduce risk, and leading audit and compliance initiatives. He or she performs real-time analysis of immediate threats and triages them when something goes wrong.

The CISO is also responsible for disaster recovery. Duties include developing cyber resiliency programs so the organization can rapidly recover from natural disasters such as flooding, earthquakes and hurricanes, as well as from hacking and other security incidents. He or she determines what went wrong if there is a breach and deals with those who are responsible (if they are internal). He or she develops the plan for preventing a repeat of the incident or crisis. The CISO is responsible for developing and maintaining the security policy domains associated with information security, compliance, governance, risk management, incident management and HR management, among others. The CISO is also responsible for ensuring that the organization keeps pace with changing and expanding compliance regulations.

CISOs are required to have at least a bachelor’s degree in security, IT, computer science or a related field, with seven to twelve years of related experience and at least five years of experience in a management role. The CISO should have technical skills and be familiar with industry standards and frameworks such as SOX, HIPAA, PCI and NIST. In addition to the bachelor’s degree, a CISO is typically required to maintain a certification such as CISSP, CISM or CISA. The CISO should also have management, communication and leadership skills, among others. Annual salaries for a CISO range from $164,000 at the lowest 10% to $229,000 at the highest 10%.

CSO

The CSO is the executive in charge of the security of personnel, physical assets, and information and data in both physical and digital form. The CSO is a member of an organization’s upper management team and works with both the security and IT teams. According to the article on Investopedia.com, the CSO is responsible for developing and overseeing the policies and programs used to mitigate or reduce compliance, operational, strategic and financial security risks relating to personnel and staff, assets, and other property. The CSO leads risk management activities and oversees strategies to assess and mitigate risk, thereby safeguarding the organization and its assets. The CSO is responsible for developing, implementing and maintaining security policies and processes, identifying and reducing security risks, and limiting liability. He or she oversees network security architectures, network access and monitoring policies, and security education, training and awareness programs. CSOs are responsible for making sure that the organization complies with local, national and global regulations. They are responsible for conducting independent security audits, especially in areas such as privacy, health and safety. A CSO is responsible for conducting research and implementing security management solutions to help keep the organization, its assets and its information safe. A CSO is also responsible for overseeing incident response planning, investigating any security incidents and breaches, and assisting with disciplinary and legal actions.

CSOs are required to have a bachelor’s degree in cyber security, IT, computer science or a related field, and to maintain cyber security certifications. In addition to the bachelor’s degree and certifications, they should have at least seven years of experience. CSOs should have a technical background and a proven track record in both the technical and functional areas of security. They should have experience with tools and systems such as identity and access management, threat intelligence, security information and event management (SIEM), endpoint protection, and audit logging and monitoring. They should have a high-level understanding of compliance and risk. A CSO should have knowledge of contract management in order to oversee the quality of security vendors; good communication skills are therefore a must. They should have management and leadership skills as well. The average salary of a CSO is $148,00.

References:

  1. Fruhlinger, “What is a CISO? Responsibilities and requirements for this vital role,” CSO Online, 01-Apr-2021. [Online]. Available: https://www.csoonline.com/article/3332026/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html. [Accessed: 26-Apr-2021].
  2. Kenton, “Chief Security Officer (CSO),” Investopedia, 17-Feb-2021. [Online]. Available: https://www.investopedia.com/terms/c/cso.asp#:~:text=The%20CSO%20is%20responsible%20for%20executing%20and%20overseeing%2C%20among%20others,and%20its%20assets%2C%20crisis%20management. [Accessed: 26-Apr-2021].
  3. Western Governors University, “CISO Job Description And Outlook,” Western Governors University, 11-Dec-2020. [Online]. Available: https://www.wgu.edu/blog/ciso-job-description-outlook2012.html#close. [Accessed: 26-Apr-2021].
  4. “What is a Chief Security Officer (CSO)?,” University of San Diego, 08-Nov-2018. [Online]. Available: https://onlinedegrees.sandiego.edu/what-is-a-chief-security-officer-high-demand-skyrocketing-pay-for-csos/#:~:text=Chief%20Security%20Officer%3A%20Job%20Duties%20and%20Responsibilities&text=Manage%20the%20development%20and%20implementation,education%20and%20awareness%2C%20and%20more. [Accessed: 26-Apr-2021].