Today, chief security officers and chief information security officers are seen as largely interchangeable titles, but the demarcation of “information” in the title matters. Both roles are tasked with ensuring the security of an organization and protecting its assets, but the two titles can mean very different things.
Longtime CISO Steve Katz is credited with pioneering the role after Citicorp suffered a cyberattack in the mid-1990s. In an effort to guard against future attacks, the company created the CISO role so there was an executive to take charge of protecting the organization’s digital assets, a history SecurityWeek documented in a 2021 interview with Katz.
However, long before computers and digital information, companies needed to protect their physical property. Although it is unclear when the term CSO originated, someone has always filled that role, whether or not they held the actual title.
While the CISO is primarily focused on securing an organization's information systems and data, the CSO's role encompasses all aspects of security, including physical security and information security, as well as human safety.
“As more things moved to computers and the digital world increased in value and importance, the CISO role emerged to take care of and protect the digital infrastructure, starting in the 2000s,” said Frank Huerta, CEO of Curtail.
In its earliest days, the CISO role may have been under the CSO’s domain, but eventually the CISO reported directly to the CIO, while the CSO may report to the CFO or COO.
“The CSO and CISO roles may be independent of each other now — physical and digital — but as the physical and digital worlds converge, these roles tend to overlap and complement each other,” said Huerta.
Within security, those worlds are colliding. In the not-so-distant past, the person in charge of physical security managed keys to the building and supervised the security guards. Now key access is electronic and security systems are IoT devices.
For the CSO, physical security has gone digital.
Recognizing the differences
The clear differentiation between a CISO and a CSO promotes accountability and clarifies responsibilities, reducing confusion and improving decision-making during security incidents or breaches, according to Amit Pawar, VP of consulting and services at Xage Security. And they may often work in tandem.
“The CISO may lead the response to an information security incident, while the CSO may coordinate the overall response, including physical security and crisis management,” said Pawar.
This distinction ensures that all aspects of the security incident are addressed and that there is clear accountability.
The CISO has taken on more prominence for sure, but the physical and the digital world go hand in hand. There is a big picture focus on the roles the CISO and CSO now have within business operations.
“Is security only an after-the-fact process to respond to breaches and break-ins, both physical and logical, or is there a process to help make sure the applications are as bug-free as possible to prevent vulnerabilities from proliferating from bad code that hackers can exploit?” said Huerta.
The organizational structure of the company will help define the responsibilities of each role.
The evolution of security leadership
Rather than focus on the differences, Mauricio Pegoraro, CISO at Azion, believes it is more important to define the roles and responsibilities if both executives are needed, and both should respond to the board or CEO.
“With the constant evolution of the digital world and more threats emerging, the more security leadership needs to evolve and specialize,” said Pegoraro.
A few years ago, the organizational tree of a CISO hierarchy had very few levels. Today we see many levels and many leadership types that will continue evolving and changing.
“In a few years from now, the CISO role will expand and become what was a CSO role and, in some cases, even a CIO role since many aspects of information technology and IT systems are now determined by the security requirements and processes around them,” said Pegoraro.
CSO or CISO?
Because the roles overlap so much today, is there a need to have both a CSO and CISO, or can one person handle both the physical and digital security?
“Larger enterprises with ample physical and digital assets tend to have both a CISO and CSO,” said Tim Chase, global field CISO at Lacework.
But in smaller companies, the roles are more likely to be combined, in some cases even absorbing the role of the CIO. The need for security built into code and platforms is more vital than ever, so the CIO may find themselves shifting more into a CISO-type role.
The CSO and the CISO are finding their roles expanding and redefined as both security and threats evolve.