In Depth

All Over the Map

Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by.

By CSO Contributor

Page 3

The idea of folding information security in with the corporate security function, as illustrated by Pomeroy's new responsibilities at Siemens Canada, is new for many companies, but that structure has been around for a long time. Eduard Telders, security manager at Pemco Financial Services, runs everything to do with the company's security (physical, information, all safety programs and contingency planning) and has for more than 14 years. In the eight years before that, he did the same kind of job at a different company. Educated as a marine biologist, he wound up in information systems and also as a certified protection professional, or CPP. "Our job is risk management. The only difference between physical and information security is the toolkit," he says. Pemco cross-trains its security staff to deal with both information and physical security issues. Telders is matter-of-fact about the combination of labor, unlike many who say the two skill sets are a challenge to combine.

Note that this organizational structure swipes IT security from the CIO. The justification for doing this is the fox-in-the-henhouse problem. That is, organizations are not good at self-policing. At Pemco, Telders reports to the CEO; the company's chief information officer (who does not have information security in his budget) reports to the chief operations officer.

Some skeptics, to be sure, argue emphatically that IT and physical security personnel go together like cats and dogs. Gartner Vice President of Security Research John Pescatore calls the trend toward combining them a fad. Setting aside the oft-noted cultural differences between the two groups (see "Smackdown!" at www.csoonline.com/printlinks), the common refrain is that managing these different types of security requires two very distinct skill sets. "In 90 percent of cases, it doesn't make sense to try to combine physical and information security," Pescatore says. The exceptions, he says, are companies that are responsible for other companies' data, such as Web-hosting services, or are in an industry where IT needs are simple, such as the construction or retail sectors.

Some other companies have regulatory motivation for keeping the two functions separate. Many financial services organizations face regulatory requirements regarding security and confidentiality of sensitive data. Banking functions and stock trading must be managed separately, both from an IT and a physical security perspective. "You can't have somebody fixing a system on the banking side and then walking over to fix a system on the trading side," notes a management-level security professional at a Wall Street firm, who asked not to be identified. While adhering to such separation does create inefficiencies, particularly over who responds to issues involving hacking, it eliminates some risks inherent in sharing resources, which can lead to breaches of integrity that could put a company out of business. "The biggest thing is confidentiality," says the Wall Street manager.
