In Depth

All Over the Map

Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by.

By CSO Contributor

June 01, 2003

CSO — A new twist on an old joke: Put two CSOs together in a room and you'll get three organizational charts.

How the corporate security function should be organized is subject to much debate. Here's an example. Ed Casey, Procter & Gamble's director of worldwide corporate security, reports into the human resources department. "HR is all about people, and our foremost task is protecting our people globally," he says. But John Pomeroy, CSO of Siemens in Canada, rejects that arrangement out of hand. "Culturally it just doesn't work. Human resources typically doesn't have the understanding of what's required for a total security package; they're more huggy-feely," says Pomeroy.

Other chief security officers variously advocate security reporting into facilities, operations, legal and even information technology.

Security touches every department of an organization. CSOs have to forge meaningful relationships with other Chiefs (Executive, Financial, Operations, Information, Risk) and deliver the best service possible at a minimum expense. Particularly vexing now is the question of how information security and physical security groups can most effectively work together. But each company needs to find a solution that best matches its business priorities, reduces security exposure and draws the necessary amount of executive support for the security function.

Variations on a Theme

Unfortunately, the industry is a long way from establishing best practices in organizing security; in fact, it's hard to discern even common practices. Of more than a dozen companies interviewed for this article, no two described the same organizational structure, responsibilities and reporting relationships for their security leaders.

Procter & Gamble's Casey handles physical security, but he also deals with general employee training for information security and with investigations of physical and information security breaches. Casey develops information security programs with P&G's CIO, whose group implements security technology but does not have the resources for training or investigation.

Casey says his team's placement within HR is a key reason why he does have those resources. Every Procter & Gamble unit and region has HR personnel who can coordinate and handle training. HR also serves as the point of security contact for all personnel. However, P&G relies on security champions: director-level business managers who are accountable for security lapses within their groups, be they product development leaks or cyberintrusions. Each group usually has multiple security contacts: people who have volunteered to take on security development and coordination for their units and who work with Casey's staff.

But where Casey says human resources gives him the ability to get things done that he couldn't do otherwise, others such as Pomeroy say it's the worst possible place to put a chief security officer. Likewise, Pomeroy says facilities is the wrong function to handle security (which is a more prevalent approach) because facilities management is naturally focused on keeping costs down, which may not create the best security environment.
