The CSO typically represents physical security. The CISO typically represents non-physical security.
Which is subordinate to the other?
Many organizations defer the question. They see the two as separate regardless of the evidence. Perhaps it's because of the easily understood physical versus the harder to grasp non-physical.
My opinion for most organizations is that the CSO is subordinate to the CISO. The ratio used to go the other way. Physical security is important. It can't be diminished. Yet Information Security & CyberSecurity ascends. Appreciating and dealing with physical security is a part of Information/Cyber Security.
Also on: