June 01, 2003 — CSO — A new twist on an old joke: Put two CSOs together in a room and you'll get three organizational charts.
How the corporate security function should be organized is subject to much debate. Here's an example. Ed Casey, Procter & Gamble's director of worldwide corporate security, reports into the human resources department. "HR is all about people, and our foremost task is protecting our people globally," he says. But John Pomeroy, CSO of Siemens in Canada, rejects that arrangement out-of-hand. "Culturally it just doesn't work. Human resources typically doesn't have the understanding of what's required for a total security package; they're more huggy-feely," says Pomeroy.
[For an update, see 2011's Risk's rewards: organizational models for Enterprise Risk Management]
Other chief security officers variously advocate security reporting into facilities, operations, legal and even information technology.
Security touches every department of an organization. CSOs have to forge meaningful relationships with other Chiefs (Executive, Financial, Operations, Information, Risk) and deliver the best service possible at a minimum expense. Particularly vexing now is the question of how information security and physical security groups can most effectively work together. But each company needs to find a solution that best matches its business priorities, reduces security exposure and draws the necessary amount of executive support for the security function.
Variations on a Theme
Unfortunately, the industry is a long way from establishing best practices in organizing security; in fact, it's hard to discern even common practices. Of more than a dozen companies interviewed for this article, no two described the same organizational structure, responsibilities and reporting relationships for their security leaders.
Procter & Gamble's Casey handles physical security, but he also deals with general employee training for information security and with investigations of physical and information security breaches. Casey develops information security programs with P&G's CIO, whose group implements security technology but does not have the resources for training or investigation.
Casey says his team's placement within HR is a key reason why he does have those resources. Every Procter & Gamble unit and region has HR personnel who can coordinate and handle training. HR also serves as the point of security contact for all personnel. However, P&G relies on security champions: director-level business managers who are accountable for security lapses within their groups, be they product development leaks or cyberintrusions. Each group usually has multiple security contacts—people who have volunteered to take on security development and coordination for their units and who work with Casey's staff.