# How the Role of the CSO is Fundamentally Changing, Part 2

By [Rick Howard](https://www.paloaltonetworks.com/blog/author/rick/?ts=markdown "Posts by Rick Howard") Jul 02, 2014

In [Part 1](http://bit.ly/1rTUaNn) of this series I talked about the evolution of the CSO role and how security shouldn't be subservient to all other operations in all cases. Let's dig a little deeper into why this is so.

### Should Physical and Digital Security Merge or Be Kept Separate?

I understand why organizations have these two separate security groups.
Before the Internet days, the CISO function didn't really exist, and the physical security function was usually relegated to the bottom of the leadership chain. You needed guards and fences and things like that, but those kinds of operations were more like commodity items, like power to the building, trash pickup or other maintenance roles. You needed them but once you established them, they did not materially affect the business even if they failed for a day or two (in most cases). Because of this, Physical Security tended to fall under the Facilities Management groups.

We've talked about the Internet of Things, though, and boy, does that change the situation. Everything is interconnected. Just like every other organization in the business, the physical security groups have a lot of IT security components, from badges to IP-enabled surveillance cameras. These groups and their electronic tools could still operate by themselves, but it makes sense that business leadership tasks somebody in the company to make sure that these tools are compatible with the approved security architecture plan. In my mind, that is the CSO organization.

Just like the idea that there is no such thing as cyber risk to the business, only risk to the business, I don't think there is a need for separate cyber security and physical security teams. In this day and age, it is all security. Just for ease of management, it makes sense to keep it all under one umbrella. My perfect organization would have a CSO in charge of all security of the company, with the CISO under that person with a dotted line to the CIO. The Physical Security Director would also work for the CSO but by design would have a close working relationship with the CISO.

### CSO and IT: A Healthy Tension

There has always been a healthy tension between the IT people in an organization and the security people in an organization.
The IT folks are concerned about security for sure, but they are often more concerned with keeping the systems running and squeezing as much cost out of any particular project as they can. And that is what they should be doing. Meanwhile, the security people are more focused on business risk, not just for IT projects but for every aspect of the business: HR, Legal, Operations, Finance, Strategy, Marketing, and Sales. Most of these other business functions have an IT-Security component, but cyber risk is not the only risk that leaders have to monitor.

Sometime in the mid-2000s, it became convenient to tuck the security function for an organization under the IT function of the organization. In other words, the CISO works for the CIO. This is not a bad idea, per se, and is an arrangement that works in many organizations. The IT folks generally handle the day-to-day automation functions while the security teams perform more of an oversight role in terms of security architecture, policy, risk assessment and SOC Operations.

But to me, that kind of organization shows that company leadership does not fully understand the larger problem. We are not talking about only Cyber Risk to the business. We are talking about risk to the business.

Forbes' Howard Baldwin [back in March complained](http://www.forbes.com/sites/howardbaldwin/2014/03/25/pointcounterpoint-who-should-the-cso-report-to/) that he did not like recent changes he was seeing within organizations that have broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives that can handle competing priorities. But that is not the point -- something that was really [underscored in the investigation following the Target breach](http://www.nytimes.com/2014/02/17/technology/reporting-from-the-webs-underbelly.html?_r=0).
[In an interview by Jack Rosenberger](http://www.cioinsight.com/security/the-complicated-relationship-between-cios-and-csos.html/), Eric Cole, founder and Chief Scientist at Secure Anchor Consulting, speculated on one of the reasons that may have contributed to the Target breach: "It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives." Cole is pointing out that in all of the priorities that the Target CIO had to juggle, security lost out.

And as Brian Krebs [reported in the Guardian in May](http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry), "Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down -- and if the technology breaks down, the business grinds to a halt." Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the former CIO and CEO. Krebs suggests that in hindsight, because of the devastating impact to the business, the Target CISO should not have worked for the CIO -- that it should have been the other way around.

Check back for Part 3 of this series, where we'll talk about the role of the CSO in relation to the rest of the C-suite.