Understand the Changing Role of the Chief Security Officer

Historically, security officers were primarily concerned with the physical—that is, safeguarding employees, overseeing security guards and protecting physical (and some digital) assets. Today’s chief security officers (CSOs) balance an expanded area of responsibility to keep up with the current unpredictable and fast-paced business operating environment.

Here we take stock of the current state of physical security, including how our hyperconnected global world is transforming the CSO role into one that is more digital,  increasingly linked to the chief information security officer (CISO), and more visible to senior management and the board.

What’s driving the current state of physical security?

Economic instability, geopolitical disruption, lingering effects from the COVID-19 pandemic, emerging technologies, a talent shortage and the convergence of physical and digital security are just a few of the factors driving the current state of physical security. All of them have created a larger attack surface and thus new challenges for CSOs who are feeling the pressure to do more with less.

Post-pandemic hybrid work

What’s clear post-pandemic is that protecting a dispersed workforce is now the status quo for CSOs and their teams. According to Gallup, 50% of full-time U.S. employees have remote-capable jobs. Further, 60% of employees prefer a hybrid work arrangement, about one-third prefer fully remote work, and fewer than 10% prefer to work on-site.

This leaves CSOs responsible for securing devices and ensuring compliance across a wide range of work environments—many of which they have limited control over. A UK study found 85% of organizations said remote/hybrid working has contributed to an increase in network security threats. The physical risks were highlighted by the Volt Typhoon hackers who created a botnet of hundreds of U.S.-based small office/home office routers for nefarious purposes. 

Employees also expect a level of flexibility and are often working across multiple platforms. According to a recent Cisco report, 91% of employees across organizations are using multiple networks to connect to work with one in three moving between at least six networks weekly. Organizations cite remote logins as a heightened threat vector, alongside unsecured Wi-Fi networks, the inability to monitor threats across multiple networks, and the use of unmanaged devices. 

CSO recommendation
Ensure you can answer the following questions to protect a dispersed workforce:

• Do I know where my data is and how it’s being accessed? What controls do I have in place?
• Do I have enough resources and readiness to discover risks, so that appropriate remediation can occur quickly and effectively?
• When a potential threat or crisis arises, do I have the tools and processes in place to quickly identify and notify affected employees and confirm their safety—whether they are working from home, in the office or at a remote location?

More frequent and severe weather 

Climate change is leading to more extreme and severe weather around the world, creating a  “new normal” for weather events, according to the World Meteorological Organization. In 2023, the U.S. alone experienced 28 weather and climate disasters with losses exceeding $1 billion and combined damages exceeding $92.9 billion. Worldwide, the Emergency Events Database recorded 399 disasters related to natural hazards with economic losses of $202.7 billion. 

This puts more pressure on—and makes it more difficult for—CSOs to prepare for such weather extremes. They must continuously work to stay ahead of severe weather and determine how a typhoon, forest fire or flood, might impact employees, customers and business operations. 
Around half the organizations in the International SOS Risk Outlook 2024 report had already seen their operations affected by events attributed to climate change. As such, CSOs are increasingly focused on crisis management, business continuity and overall business resilience.

CSO recommendation
Make sure you understand what your organization’s weather exposure is and that you’re taking into consideration key questions such as:

• What is the criticality of operations at sites that are vulnerable?
• Are the elevation levels of our buildings above flood risk zones?
• Do we have established relationships with the right external partners, such as emergency services and disaster relief organizations?
• Do we have the real-time information needed to stay ahead of and respond to the risks and impacts of extreme weather?

Read More: 5 Extreme Weather Risks With Major Impacts on Global Enterprises

Geopolitical risks

The global state of the world and the interdependence with which today’s organizations operate means geopolitical risks carry more impact than ever before. High political tensions, territory disputes, increasingly complex compliance, brittle supply chains, state-sanctioned cyber attacks and global hacktivists, can have ramifications for organizations regardless of geography. 

Accordingly, geopolitical tensions are ranked as the second highest security concern for 2024, with three out of four respondents saying their organizations would be “significantly impacted,” according to International SOS. 

The 2024 U.S. presidential race, in particular, is a closely watched election around the world. Not just because it is one of many elections in a so-called “super election year” but because, regardless of who wins, the results will have far-reaching effects on the global economy and stability. Around the world, more than 2 billion voters will vote (or have voted) in markets accounting for about 54% of the global population and nearly 60% of global GDP. 

The global tensions surrounding such events have forced CSOs to continuously assess potential impacts to business operations and continuity, as well as ensuring the safety of employees and facilities. 

Global conflicts have also created heightened risks for CSOs. The Russian-Ukraine war approaches its third year and the Israel-Gaza conflict continues to dominate headlines. Both have resulted in sustained cyber campaigns and hacktivist events that target infrastructure, critical industries, governments and media outlets. 

This is especially true for CSOs responsible for security in Europe, the Middle East and their surrounding regions. Additional political instability in geographical areas known for coveted natural resources (i.e. Mali, Burkina Faso) have also created logistical and physical security concerns.

CSO recommendation
The uptick in geopolitical events and conflict means CSOs end up operating in a constant state of permacrisis. International SOS recommends CSOs learn to move beyond that and instead focus on being more resilient. 

Business resilience as a way to mitigate geopolitical risks is now a C-suite concern, which means CSOs need to prioritize: 

• Supply chain resilience: Avoid being too reliant on one geography, diversify sourcing locations and embrace new technology to secure the supply chain 
• ESG programs: An environmental, social and governance (ESG) program can integrate sustainable practices into the business 
• Early warning systems: Being able to detect risks and critical events as soon as they occur. This lets CSOs and their organizations respond to and mitigate geopolitical events more quickly and effectively 

Expanded CSO purview: Cybersecurity and emerging tech

Cybersecurity has emerged as a significant driver of change for CSOs. This is because the digital and physical worlds are now more connected than ever. Take for example, industrial control systems (ICS), assets that solidly fell into CSOs’ purview. Originally designed to be offline and deployed in isolated networks, millions of ICS have gone digital and are now high-value cyber targets.

CSOs and their teams must also take additional measures to incorporate digital security tools and strategies into their security operations, which means CSOs and their teams can no longer operate in their physical security silo. They must now ensure they are closely connected to and collaborating with their digital counterparts: Chief information security officers (CISOs) and their teams responsible for overseeing cybersecurity.

According to Gartner this includes “optimizing cybersecurity to levels that business leaders define, balancing the resources required with usability/manageability and the amount of risk offset.”

The convergence of cyber-physical risks

One of the primary reasons cybersecurity is spilling over into the CSO purview is because of  the recent increase in cyber-physical security convergence—where an attack in either the cyber or physical domain creates a threat in the other. For example, if a wildfire cripples mission-critical equipment or a cyber attack on a factory’s operations technology stops production.

Traditional organizational hierarchies have spurred silos between the CSO and CISO, which means their teams may not be set up to readily and efficiently share information in the event of a cyber-physical attack. It’s incumbent upon today’s CSOs to create an intentional partnership between their team and their cyber counterparts as they both have the same goal: Protecting their company’s employees, assets and brand.

CSO recommendation

• Break down team silos, for example, by building a shared culture, and close critical skill gaps 
• Understand each other’s responsibilities and challenges
• Work together to plan for future cyber-physical threats
• Employ real-time data to ensure you can stay ahead of cyber-physical attacks

Learn More: Dataminr Cyber-physical Security Risk Readiness Assessment

Emerging tech

CSOs will also need to embrace emerging technologies in order to better secure the company. At the top of the list for many security experts is artificial intelligence (AI) with 44% of security experts citing AI as a top 3 initiative. Though the hype of AI often outpaces the benefits, CSOs will see an increased use of the technology especially in AI-powered real-time analytics and other advanced security solutions. Alongside AI, autonomous robots and biometric technologies will become more commonplace offering more comprehensive security solutions. 

But, CSOs should be wary about unleashing some of these technologies in the company. As much as these technologies can offer security solutions, they come with risks. The increasing popularity of generative AI (GenAI) will require CSOs to strike a perfect balance of security policies that protect the company but don’t limit innovation.

The future state of CSOs

While no one can know exactly how the CSO role will continue to evolve, the new challenges and expanded responsibilities of CSOs mean that it’s vital for CSOs to position themselves as strategic security leaders critical to the safety and operations of the business.

On a strategic level, CSOs will need to be able to effectively communicate with senior management and the board as well as key business partners such as heads of HR, communications and operations. For example, when communicating with the C-suite they should, via a high-level summary, articulate the business outcomes and risks associated with security. 

The challenges CSOs face today—from geopolitical tensions and increasingly dangerous and unpredictable weather to staffing issues and more sophisticated attacks—are expected to continue in the near future. As they prepare to tackle them, CSO’s number one objective will remain the same: To keep pace with new and emerging risks to keep their people and organizations safe—and ensure the business is resilient enough to withstand unforeseen risks.

This insight article has been updated from the original, published on August 2, 2023, to reflect new events, conditions and/or research.