Whats The Difference Between A CSO and CISO?

Like Arnold Schwarzenegger to Danny DeVito in the movie Twins, the Chief Security Officer (CSO) role is the big brother to the Chief Information Security Officer (CISO) role. What is the difference between these two roles and what skills does a CISO need to focus on if they aspire to become a CSO? In this post I’ll explore the role of the Chief Security Officer (CSO) and what additional responsibilities the role covers when compared to the CISO role.

Big Brother

Lately, there has been a lot of focus on the Chief Information Security Officer (CISO) role following the new SEC guidelines, recent ransomware attacks and supply chain security vulnerabilities (XZ). There can be a lot of different titles for the top security executive at a public company, but the two most common titles for a public company are Chief Information Security Officer (CISO) and Chief Security Officer (CSO). The Twins movie is a good analogy to describe the relationship between the CSO and CISO because in the movie Arnold protects Danny DeVito by helping him avoid trouble, while Danny is super scrappy and shows Arnold how the real world works. They complement each other, protect each other and help each other. One is the overall leader and one has a great hustle.

What the Twins analogy highlights is the main difference between a CSO and CISO is scope. A CSO typically has a bigger scope than a CISO. A CISO will have responsibility for all of the information and technology assets of a company, but a CSO will have this responsibility and additional responsibilities for physical security, executive protection, corporate investigations and other non-information technology based security domains. In fact, for public companies that have an established CSO role, it is typical for the CISO role and function to report to the CSO as one overall security function. Let’s dig into some of the additional functions of a CSO.

Like Arnold Schwarzenegger to Danny DeVito in the movie Twins, the Chief Security Officer (CSO) role is the big brother to the Chief Information Security Officer (CISO) role.

Physical Security

One of the biggest responsibilities for a CSO is physical security. Physical security includes site security for offices and the physical security of the personnel working at the facilities were the company operates. This can include things like cameras and video monitoring, badging systems, security and fire alarm systems, safes, locks, lighting, parking and loading docks, contractor access, mail and package security, bollards and traffic control, security guards and gates, fencing, fire suppression and other physical environment aspects. Depending on the nature of your business, this could also involve supply chain security of manufacturing facilities and components, or even critical infrastructure. It can also include tempest and RF control, including design and management of classified spaces.

One interesting aspect of physical security is to work with construction companies or physical security consulting firms to design and assess the security controls of your facilities. Books like Red Cell by Richard Marcinko offer an interesting historical perspective of how the military physically tests the security of their military installations and public companies should similarly consider an annual or periodic review of their physical security for weaknesses and risks.

If your company is involved in manufacturing, another interesting aspect of physical security is supply chain security and logistics. This is ensuring your products are manufactured securely and aren’t tampered with during the manufacturing process. It can also include assessing the security of component manufacturers, assembly plants and even shipping and logistics companies to make sure your products arrive to your customers and are functioning securely.

Lastly, another aspect of the CSO’s physical security responsibilities is interfacing with local and federal law enforcement for trends, threats and dealing with physical disruptions at your places of business like the recent examples of protests at Google offices.

Executive & Travel Protection

Another responsibility of the CSO, which is related to physical security, is executive and travel protection. Executive and travel protection covers how to physically protect your top executives from threats when they are in public, traveling, at their offices or at their homes. This can include arranging trusted transportation, route planning, on site security surveys, sending advanced teams ahead of the execs, kidnap and ransom insurance, medical support and even online reputation management. You may even arrange training for your execs such as mock kidnapping situations or how to deal with other emergency situations (like riots, terrorist attacks, wars or coups).

Executive and travel protection can include interfacing with local embassies, law enforcement or emergency services depending on the threat level of the country your senior execs are visiting. This is in addition to the existing CISO responsibilities of interfacing with law enforcement for security breaches, APTs, ransomware attacks, digital fraud, etc. Exec and travel protection can also include arranging for security companies to beef up the security of their home(s) and arranging to have their home security monitored by a private security company (if this is part of their perquisites).

Lastly, one very important aspect of executive and travel protection is digital device security. This responsibility may get delegated to the CISO, but the CSO still needs to understand and include digital security as comprehensive part of their executive protection strategy. Certain countries are known to be digitally hostile by attempting to siphon information from or compromise the devices of executives at top companies. This can be attempts at industrial espionage, theft of military and defense information, gaining business advantages, disrupting business, leveraging the exec as an attack vector into the broader company, trade advantages or potential blackmail. The CSO should consider these risks based on the destination country and provide appropriate controls to executive devices such as providing burner phones and laptops for specific country use that are sterile and won’t impact the company or personal reputation of the executive if compromised.

Executive and travel protection is important to ensure your top execs are safe and secure when traveling, but also, if your business is controversial or your top execs like to make controversial statements, this function can ensure they are safe and protected no matter what situation they are in.

Corporate Investigations

One final area of responsibility for the CSO is corporate security investigations beyond the normal technology investigations handled by the CISO. Corporate security investigations can include theft, financial crimes, waste, abuse, vandalism, misconduct, bribery and supply chain control (for ITAR or other export / import laws). You may work closely with law enforcement at the state or federal level depending on the nature and scope of the investigation and the CSO function is critical to coordinating the investigation and representing the business appropriately. Corporate investigations can also involve acting as an expert witness or providing testimony in court on behalf of your company.

One important aspect to remember is, CSOs need to have clear processes and policies defined for how and when to involve law enforcement. The decision to involve law enforcement may be based on legal requirements or may be based on other decisions, but involving law enforcement gives up control of the investigation, which could result in property being confiscated as evidence. If the evidence is a critical business asset like IT equipment, the CSO needs to ensure there are redundancies in place so the business is not disrupted or left without that capability while supporting the investigation.

Wrapping Up

The CSO role is an interesting top security executive role and offers a broader scope than the CISO role. CISOs looking to expand their remit should consider establishing credibility in the areas I’ve described above, but should also remember that most professional security certifications like the CISSP cover aspects of physical security as one of the knowledge based domains. If you don’t have a military or law enforcement background, two interesting certifications that can establish physical security credibility for CISOs are ISMA and ASIS. Lastly, CSOs will typically have responsibility for the CISO function (with the CISO reporting to them), but will also have additional remit in areas of physical security, executive protection, travel protection and corporate investigations. In my experience, the CSO role is more interesting because you get involved in all aspects of security for a company allowing you to channel your inner Arnold Schwarzenegger from Twins, while still retaining the option to flex your Danny DeVito (CISO) roots.

Unknown's avatar

Author: Lee Vorthman

I'm a U.S. Navy veteran and the Global Chief Security Officer (CSO) at a Fortune 100 cloud company where I've built a successful security program from the ground up and have partnered with the business to increase trust and reduce risk. I have over 25 years experience across a wide variety of industries such as technology, government & defense, education and oil & gas. I hold a number of professional certifications such as, EC-Council's Certified Chief Information Security Officer (C|CISO), Digital Director's Network (DDN) Board Certified Qualified Technology Expert (QTE) and ISC(2) Certified Information Systems Security Professional (CISSP). Previously I was the Chief Technology Officer (CTO) for Civilian Agencies and Cybersecurity Initiatives at NetApp U.S. Public Sector and the Chief Information Security Office for an Oil & Gas software company. I am available for consulting and speaking opportunities. Thoughts and opinions are my own and do not represent any employer past or present.

Leave a comment