March 01, 2004 — CSO — Has someone been reading my mail?
I found myself wondering that as I surfed my bookmarked security sites the other day. I landed on the ASIS International homepage. Posted within the site was the organization's proposed "Chief Security Officer Guideline" (www.asisonline.org/guidelines/guidelines.htm). I couldn't wait to check out what others thought I should be doing in this job.
I was caught short by a summary of the CSO position that described almost exactly my own situation. "Traditionally, what has previously been lacking is a single position at the senior governance level having the responsibility for crafting, influencing and directing an organizationwide protection strategy. In many organizations, accountability is dispersed, possibly among several managers in different departments, with potentially conflicting objectives."
I guess I should find some solace in the fact that ASIS sees my situation as "traditional." But it shouldn't offer any comfort to my company's managers. When it comes to dispersed accountability, I'd bet my company holds some sort of a patent.
All this got me thinking. Who exactly are the stakeholders in the security mission at my company? Legal counsel has investigations and, along with internal audit, is getting in the mix as a result of Sarbanes-Oxley. HR owns background investigations (how's that for a conflict of interest?), but the purchasing department does due diligence examinations. The treasurer has several insurance programs that affect security capabilities. Facilities runs property protection, employing a contract guard force and outsourcing physical security systems to a hardware vendor. As the director of security here, I work for the CIO, who covers information security, business resumption planning and security monitoring functions. Recently, our ethics office established the position of compliance officer with some as-yet-undefined business integrity responsibilities.
But what about someone who is accountable for an organizationwide protection strategy? Nope. Nada. Nein. I guess someone at the top figures that having all that under one chiefdom would require a license to kill.
This balkanized approach to security is likely to remain the traditional model of the typical org chart for a while. While "ownership" is not essential, strategic accountability and effective influence are. What's missing in most companies is the concept of an organizational vision and voice for the protection mission.
The issues of risk and accountability clearly are interrelated. I depend on my facilities contacts to make sure we have a set of defensible physical perimeters around our critical business processes. But I will also tell you that I have damn little confidence that the contract security guard