What is a Chief Security Officer? — High Demand, ‘Skyrocketing’ Pay for CSOs
In a world where rampant cyber crime is costing companies and organizations millions of dollars every day, the chief security officer is an essential guardian of digital assets, information systems, intellectual property and more.
Because of the high stakes and the unique set of skills required to excel in this immensely challenging role (advanced technical wizardry plus outstanding crisis management and communication skills), the CSO has been hailed as “the corporate rock-star of the future” by one security expert.
Now that digital technology has revolutionized the way the world does business, security breaches occur so frequently that only the biggest ones make headlines. Equifax, eBay, Yahoo, Target, Uber, the NSA and the IRS are just a few of the countless high-profile companies and agencies that have been hit by hackers in the past several years.
This, of course, has created a demand for a whole new generation of security professionals — those focused on information security and cyber security. Career opportunities are numerous for those aspiring to advance in this exciting, fast-growing and well-paying field. And at the top of the totem pole, responsible for a company’s entire information security profile, is the CSO.
The work of the CSO is so vital that average salaries range from $143,250 to $241,000, according to the 2018 Robert Half Technology Salary Survey, with many earning far more at the largest corporations. But just what is a chief security officer? What does the CSO career landscape look like? And what skills and training does the job require?
Chief Security Officer (CSO) vs. Chief Information Security Officer (CISO)
The title of “chief security officer” can mean different things at different organizations. In its broadest definition, chief security officer may refer to the person chiefly responsible for an organization’s information security, as well as its so-called “corporate security” — that is, the physical security and safety of employees, facilities and assets.
However, for this discussion we’ll focus on the CSO as chief guardian of information technology, protector of data and defender against cyber criminals. At the same time, it’s important to point out that many organizations refer to this role as “chief information security officer,” or CISO.
While it’s true that CSO and CISO are sometimes used interchangeably, the terms are definitely not synonymous. For example:
- Some companies have a CSO who is responsible for information and corporate security.
- Some companies entrust overall corporate security to a CSO and rely on a specialized CISO to handle information security functions.
- Some companies put physical security in the hands of a Vice President or Director of Corporate Security and refer to their information security specialist as the CSO or CISO.
Cyber Security Job Landscape — High Demand, ‘Skyrocketing’ Pay
There is good news and bad news when it comes to the cyber security employment landscape.
The bad news: There is a critical shortage of skilled cyber security professionals. In fact, CSOonline.com forecasts that by 2019 there will be 6 million information security job openings but only 4.5 million qualified professionals to fill those roles.
The good news: This means that cyber security professionals with the right combination of skills and experience are in high demand. A general search for Chief Security Officer jobs on the employment website Indeed.com returns nearly 5,000 results. LinkedIn lists some 1,300 CSO and CISO jobs.
Salaries for CSOs and CISOs vary greatly based on many factors, including geography and the size of the organization. But one thing is certain: pay for top cyber security professionals is high and getting higher. In fact, the word “skyrocketing” is used in many articles to describe the pace of growth for CSO and CISO salaries, particularly in metro markets.
- $380,000 — The upper end of the CISO salary spectrum in San Francisco (average: $240,000) [Forbes.com]
- $273,033 — The average salary for CISOs and CISO equivalents in the United States [SecurityCurrent.com]
- $217,768 — The median base salary for a Chief Information Security Officer in the U.S. [www.salary.com]
The shortage of skilled cyber security professionals also means that the average information security administrator will earn 9% more than traditional IT staff, and can expect to achieve a median salary of nearly $100,000 per year.
“The cyber security job market is on fire,” Veronica Mollica, founder and executive information security recruiter at Indigo Partners, told Forbes. “Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%.”
Chief Security Officer: Job Duties and Responsibilities
Chief security officer roles and responsibilities will vary between public and private sector companies and organizations. However, according to CSOonline.com, the following duties generally fall under the jurisdiction of the CSO:
- Lead operational risk management activities to enhance the value of the company and brand
- Manage the development and implementation of security policy, standards, guidelines and procedures. Responsibilities include network security architecture, network access and monitoring policies, employee education and awareness, and more
- Oversee a network of security directors and vendors who safeguard the company’s assets, intellectual property and information systems
- Coordinate with outside consultants to conduct independent security audits
- Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology
- Maintain relationships with local, state and federal law enforcement and other related government agencies
- Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary
Chief Security Officer: Skills and Experience
“The modern CSO is a pathfinder and problem-solver for the organization,” Amanda Fennell, chief security officer for Relativity, told CSOonline. “CSOs must have an understanding of how complex tactical objectives can contribute to the strategic execution of holistically securing an organization, while respecting the privacy and trust of internal stakeholders,” she said. “While a technical background can be a tremendous aid in making informed decisions, passion for solving emerging puzzles that accompany information security is essential.”
According to the same CSOonline report, helpful background includes:
- Proven track record in both technical and functional competencies in security
- Experience with tools and systems that address disciplines like identity management and threat intelligence
- Background in SIEM (security information and event management) software
- High-level understanding of corporate governance, risk and compliance
- Understanding of white hat or ethical hacking (to help assess risk and combat threats)
- Experience in security initiatives that impact applications, infrastructure and external threats
- Experience managing security professionals
- Ties to the intelligence community and/or academia
- Knowledge of and contacts with security vendors
- Outstanding interpersonal and leadership skills to communicate the mission to all stakeholders
- Background in information security, specifically in a business or corporate context
- Superior communications skills
In terms of education, many CSOs have earned cyber security certifications over the course of their careers. In addition to broadening one’s skills and looking great on a resume, certifications can also significantly increase a cyber security professional’s salary potential.
Some colleges and universities have responded to the need to train the next generation of cyber security professionals by establishing master’s degree programs and curricula intended to position students for leadership positions in the field. For example, the University of San Diego offers two advanced degree options — the innovative, 100% online Master of Science in Cyber Security Operations and Leadership and the on-campus Master of Science in Cyber Security Engineering.
According to Digital Guardian, 85% of chief information security officers possess a bachelor’s degree and 40% have earned a master’s degree. One of the reasons advanced education is so beneficial to aspiring chief security officers is that, in addition to their technical chops, companies are relying on them to be part crisis manager, part high-level communicator and part politician.
“Technical skill and curiosity are necessary, but they’re not enough,” cyber security expert Ted Schlein wrote in Forbes. “The CSO needs to be politically adept too. CSOs must be organizationally skilled — in carving out the security budget, in influencing other verticals within the company and in earning the trust of top executives.”
In addition to enjoying a financially rewarding career, cyber security leaders who embrace the challenge of becoming a chief security officer or chief information security officer can be proud of the work they do safeguarding people and organizations from the ever-expanding threat of high-tech crime in the digital age.