Security Watercooler articles are designed to get you thinking -- and talking -- about issues facing information security professionals.
Some say the two titles, often seen as the pinnacle of security management, are morphing into new descriptions more aligned to enterprise functions. "I see two tracks emerging," said Howard Schmidt,
Standardization of top security posts might clear up some of the current confusion over just what the titles CSO and CISO entail.
"Titles and job functions are really all over the map when you get out into the real world," said Ron Baklarz, CISO of The American Red Cross in Falls Church, Va. "CEO is pretty well defined, but when you look at CSO and CISO, that's no longer the case."
Some CSOs are responsible only for physical security; others manage both physical and IT security. Still others, like Oracle Corp. CSO Mary Ann Davidson, are responsible for product security. One of the few things most agree upon is that physical security usually falls within a CSO's purview, while a CISO almost always is limited to IT security.
"Traditionally, the CSO isn't as visible as a CISO because it's been around longer and is taken for granted," Schmidt said. "And compensation for physical security has to be higher; they're often not recognized for the tremendous job they do."
Figures vary greatly depending on geographic location, size of company and industry, said Joyce Brocaglia, CEO of security staffing firm Alta Associates Inc. in Flemington, N.J. She said a ballpark base range for a CISO is $140,000 to $250,000. But, she added, a CISO for a top financial services firm in New York could earn well more, hitting close to seven figures. Salary.com says the median salary nationwide is $117,128 for a CSO and $129,446 for a CISO.
CSOs often have a military or law enforcement background while CISOs tend to have one rooted in
"The title isn't as important as overall responsibility," said Rich Baich, CISO of ChoicePoint Inc. in Alpharetta, Ga. "CSO is more all encompassing than CISO because, by description, CISO is only about information security. If a physical and IT security convergence [operational security] does occur it will go to the CSO title because it's not limited.
"I firmly believe that getting security out of the title would be culturally beneficial because risk is a more favorably understood term than security within executive ranks," Baich, who is publishing a book on the topic next month, added. "Risk is based on facts and judgment. Security has negative connotations and is reactive, not proactive."
Oracle's Davidson believes there are two critical attributes necessary for someone in these positions: a deep understanding of the company's core business to assess risk and a willingness to learn constantly changing technology, threats and mitigation.
"You can't be the security party pooper and say, 'We can't do that, it's insecure,'" said Davidson.
And when it comes to which role offers more value, it's up to each organization to decide what it needs most.
"I don't believe one fulfills a more important role than the other," Baklarz said. "The value proposition has to be made by the organization in terms of its own risks."
Brocaglia doesn't believe a company must choose one over the other. "Most organizations need both," she said. "There are very few people capable of doing both jobs effectively. Many companies that have CSOs also have a director or vice president of information security."
Ultimately, Brocaglia said, we may see the demise of the CISO and the creation of a chief risk officer. "We're seeing a cultural shift in organizations moving from information security toward information risk, and it's having an effect on whoever is in charge taking a broader view, one where security is only one slice of the pie."
Whatever the title, security executives agree that a blending of security functions can only benefit organizations. "I'm a proponent for unified management of security risk. They are both flavors of operational risk and should be combined," said Michael Assante, CSO of American Electric Power in Columbus, Ohio. He came on board as a CISO, but then took responsibility for physical security and his title changed.
Offered Robert Garigue, CSO of the Bank of Montreal Financial Group, "When you evaluate your risks, you decide which -- CSO or CISO -- is more appropriate. You do it from a problem-driven perspective. The real focus should be on the risks and determining which role is more important for the organization."