All Over the Map: Security Org Charts

June 01, 2003 CSO — A new twist on an old joke: Put two CSOs together in a room and you'll get three organizational charts.

How the corporate security function should be organized is subject to much debate. Here's an example. Ed Casey, Procter & Gamble's director of worldwide corporate security, reports into the human resources department. "HR is all about people, and our foremost task is protecting our people globally," he says. But John Pomeroy, CSO of Siemens in Canada, rejects that arrangement out of hand. "Culturally it just doesn't work. Human resources typically doesn't have the understanding of what's required for a total security package; they're more huggy-feely," says Pomeroy.


[For an update, see 2011's Risk's rewards: organizational models for Enterprise Risk Management]


Other chief security officers variously advocate security reporting into facilities, operations, legal and even information technology.

Security touches every department of an organization. CSOs have to forge meaningful relationships with other Chiefs (Executive, Financial, Operations, Information, Risk) and deliver the best service possible at minimum expense. Particularly vexing now is the question of how information security and physical security groups can most effectively work together. But each company needs to find a solution that best matches its business priorities, reduces security exposure and draws the necessary amount of executive support for the security function.


Variations on a Theme

Unfortunately, the industry is a long way from establishing best practices in organizing security; in fact, it's hard to discern even common practices. Of more than a dozen companies interviewed for this article, no two described the same organizational structure, responsibilities and reporting relationships for their security leaders.

Procter & Gamble's Casey handles physical security, but he also deals with general employee training for information security and with investigations of physical and information security breaches. Casey develops information security programs with P&G's CIO, whose group implements security technology but does not have the resources for training or investigation.

Casey says his team's placement within HR is a key reason why he does have those resources. Every Procter & Gamble unit and region has HR personnel who can coordinate and handle training. HR also serves as the point of security contact for all personnel. However, P&G relies on security champions: director-level business managers who are accountable for security lapses within their groups, be they product development leaks or cyberintrusions. Each group usually has multiple security contacts—people who have volunteered to take on security development and coordination for their units and who work with Casey's staff.
