Skip to main content
close search
site logo

CSO vs. CISO: What’s the difference and does it matter?

The person in charge of physical security used to monitor keys and supervise guards. Now, the physical and digital are colliding.

Published March 13, 2023
By Sue Poremba
An executive leads a company meeting inside a boardroom
Jacob Lund via Getty Images

Today, chief security officers and chief information security officers are seen as largely interchangeable titles, but the demarcation of “information” in the title matters. Both roles are tasked with ensuring the security of an organization and protecting its assets, but the two titles can mean very different things.

Longtime CISO Steve Katz is credited with pioneering the role after Citicorp suffered a cyberattack in the mid-1990s. In an effort to guard against future attacks, the company created the CISO role so there was an executive to take charge of protecting the organization’s digital assets, a history SecurityWeek documented in a 2021 interview with Katz.

However, long before computers and digital information, companies needed to protect their physical property. Although it is unclear when the term CSO originated, there was someone who was in that role, whether they had an actual title or not.

While the CISO is primarily focused on securing an organization's information systems and data, the CSO's role encompasses all aspects of security, including physical security and information security, as well as human safety.

“As more things moved to computers and the digital world increased in value and importance, the CISO role emerged to take care of and protect the digital infrastructure started in the 2000s,” said Frank Huerta, CEO with Curtail. 

In its earliest days, the CISO role may have been under the CSO’s domain, but eventually the CISO reported directly to the CIO, while the CSO may report to the CFO or COO. 

“The CSO and CISO roles may be independent of each other now — physical and digital — but as the physical and digital worlds converge, these roles tend to overlap and complement each other,” said Huerta.

Within security, that world is colliding. In the not-so-distant past, the person in charge of physical security monitored keys to the building and supervised the security guards. Now key access is electronic and security systems are IoT devices.

For the CSO, physical security has gone digital. 

Recognizing the differences

The clear differentiation between a CISO and a CSO promotes accountability and clarifies responsibilities, reducing confusion and improving decision-making during security incidents or breaches, according to Amit Pawar, VP of consulting and services at Xage Security. And they may often work in tandem. 

“The CISO may lead the response to an information security incident, while the CSO may coordinate the overall response, including physical security and crisis management,” said Pawar. 

This distinction ensures that all aspects of the security incident are addressed and that there is clear accountability.

The CISO has taken on more prominence for sure, but the physical and the digital world go hand in hand. There is a big picture focus on the roles the CISO and CSO now have within business operations. 

“Is security only an after-the-fact process to respond to breaches and break-ins both physical and logical, or is there a process to help make sure the applications are as bug free to prevent vulnerabilities from proliferating from bad code that hackers can exploit,” said Huerta.

The organizational structure of the company will help define the roles of each role.

The evolution of security leadership

Rather than focus on the differences, Mauricio Pegoraro, CISO at Azion, believes it is more important to define the roles and responsibilities if both executives are needed, and both should respond to the board or CEO. 

“With the constant evolution of the digital world and more threats emerging, the more security leadership needs to evolve and specialize,” said Pegoraro. 

A few years ago, the organizational tree of a CISO hierarchy had very few levels. Today we see many levels and many leadership types that will continue evolving and changing. 

“In a few years from now, the CISO role will expand and become what was a CSO role and, in some cases, even a CIO role since many aspects of information technology and IT systems are now determined by the security requirements and processes around them,” said Pegoraro.

CSO or CISO?

Because the roles overlap so much today, is there a need to have both a CSO and CISO, or can one person handle both the physical and digital security? 

“Larger enterprises with ample physical and digital assets tend to have both a CISO and CSO,” said Tim Chase, global field CISO at Lacework.

But in smaller companies, the role is more likely to be combined, and in some cases even adding in the role of the CIO. The need for security built into code and platforms is more vital than ever, so the CIO may find themselves shifting more into a CISO-type role. 

The CSO and the CISO are finding their roles expanding and redefined as both security and threats evolve. 

Filed Under: Leadership & Careers

Editors' picks

  • Photo illustration of a VF Corp. SEC filing.
    Image attribution tooltip

    Photo illustration: Industry Dive; US Securities and Exchange Commission

    Image attribution tooltip

    How companies describe cyber incidents in SEC filings

    The words businesses use in cybersecurity disclosures matter. They can channel confidence in the recovery process, potential impacts and legal liabilities.

    By Matt Kapko • March 19, 2024
  • Abstract black and white monochrome art with surreal funnel.
    Image attribution tooltip
    Philipp Tur/Getty Images Plus via Getty Images
    Image attribution tooltip

    What is success in cybersecurity? Failing less.

    Defenders aren’t measured by pure wins or losses. Intrusions will happen, and their job is to keep a bad situation from getting worse.

    By Matt Kapko • April 26, 2024

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
  • Photo illustration of a VF Corp. SEC filing.
    Image attribution tooltip

    Photo illustration: Industry Dive; US Securities and Exchange Commission

    Image attribution tooltip

    How companies describe cyber incidents in SEC filings

    The words businesses use in cybersecurity disclosures matter. They can channel confidence in the recovery process, potential impacts and legal liabilities.

    By Matt Kapko • March 19, 2024
  • Abstract black and white monochrome art with surreal funnel.
    Image attribution tooltip
    Philipp Tur/Getty Images Plus via Getty Images
    Image attribution tooltip

    What is success in cybersecurity? Failing less.

    Defenders aren’t measured by pure wins or losses. Intrusions will happen, and their job is to keep a bad situation from getting worse.

    By Matt Kapko • April 26, 2024
Latest in Leadership & Careers
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell