In Depth

All Over the Map

Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by.

By CSO Contributor

Page 2

Pomeroy was Siemens Canada's CISO until 2001, when he proposed that the company put all security, both information and physical, under one person. Siemens gave both responsibilities to Pomeroy and also created a separate risk assessment position. Pomeroy now reports to the company's CFO, as does the CIO. The company's chief risk officer also reports to the CFO (at Siemens Canada, the CFO runs everything except sales and strategic management, which report to the CEO). Prior to Pomeroy's appointment as CSO, physical security was handled by various units and had no central management. Pomeroy now coordinates those efforts and in addition works with the CIO on information security. The CIO's group picks technology and implements it, but not until Pomeroy signs off on the product. Meanwhile, the chief risk officer handles risk mitigation and works side by side with Pomeroy. Pomeroy says one key advantage of having a true CSO is that everyone in Siemens Canada knows where to go when they have a question about security.

Other companies describe different structures based on different business needs. As director of corporate security at Crown American Properties, Donald Story runs all aspects of security policy for the company's shopping malls but has little to do with information security. Crown has relatively uncomplicated IT operations and has, in fact, outsourced information security. Story reports to the senior vice president of asset management, who in turn reports to the company's CEO. Physical security personnel report to each mall's general manager, which is the norm in the mall business. Story says he thinks that arrangement keeps physical security responsibility where it should be: at ground level.

For many companies, today's structure may not work tomorrow; they are still tinkering with security governance, searching for the most effective combination. One Fortune 1000 medical supply distributor, whose security leader declined to be identified, splits information security and physical security. A vice president of enterprise security, who focuses on information systems security, initially reported to the company's chief privacy officer. Evolving HIPAA requirements (the Health Insurance Portability and Accountability Act) led the company to eventually move the CPO into a compliance group, while the vice president and his infosecurity group were shifted into the CIO's organization. He coordinates with counterparts on the physical side of security where appropriate (but has no official connection on the org chart) and works closely with another important organizational ally for security: the audit function. The vice president's group has worked hand in hand with audit personnel in the process of developing infosecurity policies. "Audit has been a powerful tool for enforcing security procedures," he says. The distribution company generally operates in a decentralized manner, but audit's baseline procedures must be adhered to by all parts of the business. Getting audit buy-in thus gives information security added clout.

Sticking Point: Infosec

What to do with information security is, in fact, the biggest point of controversy.
