Bridging the CISO-CSO Communications Gap

Threats have converged, even though the defenses against them still operate separately.


There was a time when the corporate security team was responsible for setting the policies for overall security within an organization, including digital security. Today, those responsibilities are likely to be split between a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO). This brings into play the views, opinions, needs and requirements of both the CSO and the CISO, and the potential conflict that may ensue.

While the technologies for securing “physical assets” have evolved immensely over the years, the problems they are tasked with solving have remained relatively unchanged. As an example, if a bad actor successfully breaks into one of your warehouses and steals millions of dollars’ worth of goods, there is nothing good about that scenario, but you will probably have the insurance to cover the losses and perhaps another warehouse to continue to serve your customers in an uninterrupted manner.

However, when you look at the digital side, even the theft of one customer record could be devastating, both from a financial perspective and from a pure brand reputation perspective. In my previous role with a major Fortune 500 company, we called this a “company extinction event,” because the major commodity a company offered its customers was trust to protect the data that they willingly chose to share, and the loss of trust isn’t something covered in an insurance policy, nor can you pull more out from another warehouse.
