In Depth
All Over the Map
Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by.
By CSO Contributor
However, a rapidly growing number of practitioners and industry watchers say the trend is logical and inevitable. Within five years, "most organizations will have a risk management function that is not within IT," predicts Chris Byrnes, vice president and security analyst at Meta Group. Byrnes says that function will include a number of things currently on CIOs' plates, such as disaster recovery, an enterprise program management office, architecture issues and non-IT risk functions like fraud and physical security.
"The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management," says Lance Wright, principal at the Boyden Global Executive Search company. Wright thinks that security functions will become strategic to organizations, much as what happened with HR departments years ago. "Companies viewed HR departments as just overhead, until they realized that management of your human resources was as critical a business process as any. The same thing will happen with the management of security," he says.
Rising to the Top
Wright's point cuts to perhaps the most important objective in security governance: Until top-tier management recognizes security as a critical function with strategic impact, security of all sorts will continue to get shuffled around and fail to obtain adequate resources to get the job done. One CSO laughingly puts it this way: "After all, the CEO's going to want to fire someone important." Jokes aside, a single, business-minded leader
For this reason more than any other, many recruiters say dual-domain CSOs like Pemco's Telders will become the rule for organizations as security rises in importance. Don Cornell, principal at Security Recruiters, expects to see the CSO job title evolve much as the CIO title did. "In the old days, people didn't understand what a chief information officer was, so it couldn't possibly be a C-level job. That changed over time; I think that will happen in the security field as well," he says. At the same time, Cornell notes that his clients rarely ask him to fill Telders-type jobs, preferring either specific candidates for physical security tasks or information ones. He thinks this will change as companies continue to suffer security incidents.
John P. Walsh has a situation that most security personnel only dream of: He reports to the CEO. Walsh, vice president and director of corporate security at Stephens Group (a holding company in Little Rock, Ark., that operates one of America's largest investment banks), says that reporting into the top level "speaks volumes to the rest of the organization in terms of the worth and relative merit of the security department. Based on the reporting relationship I have with the president and CEO, I can cut across any type of logistical issues," Walsh says.



