How many of you have been at a security conference, training session or another event and you hear the word/acronym “CESO” flowing out of the mouths of well-seasoned security professionals and moderators? Can someone please tell me what in the world is a “CESO”? After all, as a CISO I may want this additional title (or is it a certification?) on my resume. Let’s explore some title confusion and figure out what this “CESO” job role is.
I recall a number of years ago, ten to be accurate, where I was being “promoted” from Director of Technology to a “C-level” position in charge of technology. I was asked by well-meaning people, “Should you be a CTO or CIO?” You have to understand where this is coming from to fully appreciate the question – a legitimate one too. They were not technology people. They were academics in an academic institution that taught religion. So words and definitions of words mattered greatly to their everyday job. They had also seen across the spectrum, not just within the academic industry, that some titles were Chief Technology Officer (CTO) and others Chief Information Officer (CIO) and they did not know the difference. I explained to them the difference between the two. The CTO creates and manages technologies for external use. The CIO creates and manages technologies for internal use. When an organization is outward facing and the internal constituent is smaller (or in my case, much smaller) than your external contingent, then it is my opinion the external focus is where it should be. Plus, the internal people by and large used the same software as the external constituents. Thus CTO was my title. (I bet over 50% of my readers already learned something today.)
There are two similar titles in the security field that confuse people, Chief Information Security Officer (CISO) and Chief Security Officer (CSO). The CSO position predates, by some degree, the CISO position. The CSO has long been responsible for the physical security of an organization and back in the day when it was established, that was all of security. This title is synonymous with a BSO (Bank Security Officer) and a few others of similar style within specific industries. Many times the CSO was in charge of guard forces and others that manned desks at entry points checking badges, managing visitors and other similar style functions. The CISO position was created to deal with the ever-changing and challenging role of electronic/system and IT security, and depending upon how far back the role went within an organization, possibly the security of paper-based data that was a result of the electronic systems output. As responsibilities of the CISO and CSO have matured over the last twenty years the lines of confusion have only grown. Arguably these two roles have blurred with more traditional CISOs taking on physical and personnel security roles that anoint them as true, all-encompassing CSOs. Like the CIO and CTO roles, it largely depends on what the primary business of your organization is that determines if you have one combined role or distinct roles. In larger corporations that require protective details for executives and large real estate holdings, the CSO and CISO have remained distinct roles. The same could be said when the physical security function is paramount to the business (a casino for example) or the physical security function carries weapons, as these are specialized roles that largely fall to former law enforcement officers (LEOs).
Where does this mysterious ‘CESO’ fit into all of this? I set about to take a journey in the big Google machine to find out. “CESO” has a number of explanations tied to it. There is the Civil Engineer Support Officer and Communications-Electronics Staff Officer all part of the U.S. military lingo. According to Acronym Finder (https://www.acronymfinder.com/Information-Technology/CESO.html) “CESO” could stand for Certified Expert Security Executive. Alright, maybe we are getting to some legitimate form of what this is if we changed that to Certified Expert Security Officer. But then I found this was made up by a company that has created their own “school of cyber-security” (actually, they look pretty legit. But I still think CESE was made-up marketing). I also doubt any of us well-meaning security professionals that are trying hard to stay away from saying “no” to the business would survive well under a title that has an acronym of CESE (pronounce this cease). Since many of our regulations and compliance requirements come from across the globe, I turned to this being a part of a foreign language. The only language that seems to have such a word is Spanish. Turns out “Ceso” in Spanish means “First person singular present indicative form of Cesar.” Hey, now we are getting somewhere, a security executive would be a very good ruler of an empire… until I learned that the verb cesar means to cease, or stop. We have already covered why that is not a good thing for a person in security and business.
So what is a “CESO”? If you haven’t figured it out yet, I am on a rant. There is no such thing as a “CEeeeeSO”. It is how way too many people mispronounce CIiiiiSO, a very legitimate title that many of us hold. There is no “E” in Information folks! I’s never sound like E’s when you pronounce them correctly. You don’t pronounce the word information enformation do you? So why with this acronym do so many people call the title of CISO a CESO? I don’t know. I can’t even trace back to when it started. There is nothing legitimate that says hey, that is how you do it in another language or in another country. There is a lot that I can’t figure out about this “CESO” mystery. But I do know I am now on a campaign to correct this annoying little problem, much like our friends across social media that clearly display the various forms of their, they’re or there and correct us when we are wrong.
Join me in my “Say it Right” campaign – CISO.