All Over the Map: Security Org Charts

Where does security fit into the organizational chart? CSOs offer plenty of opinions, but consensus is hard to come by.

A new twist on an old joke: Put two CSOs together in a room and you'll get three organizational charts.

How the corporate security function should be organized is subject to much debate. Here's an example. Ed Casey, Procter & Gamble's director of worldwide corporate security, reports into the human resources department. "HR is all about people, and our foremost task is protecting our people globally," he says. But John Pomeroy, CSO of Siemens in Canada, rejects that arrangement out of hand. "Culturally it just doesn't work. Human resources typically doesn't have the understanding of what's required for a total security package; they're more huggy-feely," says Pomeroy.

[For an update, see 2011's Risk's rewards: organizational models for Enterprise Risk Management]

Other chief security officers variously advocate security reporting into facilities, operations, legal and even information technology.

Security touches every department of an organization. CSOs have to forge meaningful relationships with other Chiefs (Executive, Financial, Operations, Information, Risk) and deliver the best service possible at a minimum expense. Particularly vexing now is the question of how information security and physical security groups can most effectively work together. But each company needs to find a solution that best matches its business priorities, reduces security exposure and draws the necessary amount of executive support for the security function.

Variations on a Theme

Unfortunately, the industry is a long way from establishing best practices in organizing security; in fact, it's hard to discern even common practices. Of more than a dozen companies interviewed for this article, no two described the same organizational structure, responsibilities and reporting relationships for their security leaders.

Procter & Gamble's Casey handles physical security, but he also deals with general employee training for information security and with investigations of physical and information security breaches. Casey develops information security programs with P&G's CIO, whose group implements security technology but does not have the resources for training or investigation.

Casey says his team's placement within HR is a key reason why he does have those resources. Every Procter & Gamble unit and region has HR personnel who can coordinate and handle training. HR also serves as the point of security contact for all personnel. In addition, P&G relies on security champions: director-level business managers who are accountable for security lapses within their groups, be they product development leaks or cyberintrusions. Each group usually has multiple security contacts—people who have volunteered to take on security development and coordination for their units and who work with Casey's staff.

But where Casey says human resources gives him the ability to get things done that he couldn't do otherwise, others such as Pomeroy say it's the worst possible place to put a chief security officer. Likewise, Pomeroy says facilities is the wrong function to handle security (which is a more prevalent approach) because facilities management is naturally focused on keeping costs down, which may not create the best security environment.

Pomeroy was Siemens Canada's CISO until 2001, when he proposed that the company put all security—information and physical—under one person. Siemens gave both responsibilities to Pomeroy and also created a separate risk assessment position. Pomeroy now reports to the company's CFO, as does the CIO. The company's chief risk officer also reports to the CFO (at Siemens Canada, the CFO runs everything except sales and strategic management, which report to the CEO). Prior to Pomeroy's appointment as CSO, physical security was handled by various units and had no central management. Pomeroy now coordinates those efforts and in addition works with the CIO on information security. The CIO's group picks technology and implements it, but not until Pomeroy signs off on the product. Meanwhile, the chief risk officer handles risk mitigation and works side by side with Pomeroy. He says one key advantage of having a true CSO is that everyone in Siemens Canada knows where to go when they have a question about security.

Other companies describe different structures based on different business needs. As director of corporate security at Crown American Properties, Donald Story runs all aspects of security policy for the company's shopping malls but has little to do with information security. Crown has relatively uncomplicated IT operations—and has, in fact, outsourced information security. Story reports to the senior vice president of asset management, who in turn reports to the company's CEO. Physical security personnel report to each mall's general manager, which is the norm in the mall business. Story says he thinks that arrangement keeps physical security responsibility where it should be—at ground level.

For many companies, today's structure may not work tomorrow; they are still tinkering with security governance, searching for the most effective combination. One Fortune 1000 medical supply distributor, whose security leader declined to be identified, splits information security and physical security. A vice president of enterprise security, who focuses on information systems security, initially reported to the company's chief privacy officer. Evolving HIPAA requirements (the Health Insurance Portability and Accountability Act) led the company to eventually move the CPO into a compliance group, while the vice president and his infosecurity group were shifted into the CIO's organization. He coordinates with counterparts on the physical side of security where appropriate (but has no official connection on the org chart) and works closely with another important organizational ally for security: the audit function. The vice president's group has worked hand in hand with audit personnel in developing infosecurity policies. "Audit has been a powerful tool for enforcing security procedures," he says. The distribution company generally operates in a decentralized manner, but audit's baseline procedures must be adhered to by all parts of the business. Getting audit buy-in thus gives information security added clout.

Sticking Point: Infosec

What to do with information security is, in fact, the biggest point of controversy.

The idea of folding information security in with the corporate security function—as illustrated by Pomeroy's new responsibilities at Siemens Canada—is new for many companies, but that structure has been around for a long time. Eduard Telders, security manager at Pemco Financial Services, runs everything to do with the company's security—physical, information, all safety programs and contingency planning—and has for more than 14 years. In the eight years before that, he did the same kind of job at a different company. Educated as a marine biologist, he wound up in information systems and also as a certified protection professional, or CPP. "Our job is risk management. The only difference between physical and information security is the toolkit," he says. Pemco cross-trains its security staff to deal with both information and physical security issues. Telders is matter-of-fact about the combination of labor, unlike many who say the two skill sets are a challenge to combine.

Note that this organizational structure swipes IT security from the CIO. The justification for doing this is the fox-in-the-henhouse problem. That is, organizations are not good at self-policing. At Pemco, Telders reports to the CEO; the company's chief information officer (who does not have information security in his budget) reports to the chief operations officer.

Some skeptics, to be sure, argue emphatically that IT and physical security personnel go together like cats and dogs. Gartner Vice President of Security Research John Pescatore calls the trend toward combining them a fad. Setting aside the oft-noted cultural differences between the two groups (see Smackdown!) the common refrain is that managing these different types of security requires two very distinct skill sets. "In 90 percent of cases, it doesn't make sense to try to combine physical and information security," Pescatore says. The exceptions, he says, are companies that are responsible for other companies' data, such as Web-hosting services, or are in an industry where IT needs are simple, such as the construction or retail sectors.

Some other companies have regulatory motivation for keeping the two functions separate. Many financial services organizations face regulatory requirements regarding security and confidentiality of sensitive data. Banking functions and stock trading must be managed separately, both from an IT and a physical security perspective. "You can't have somebody fixing a system on the banking side and then walking over to fix a system on the trading side," notes a management-level security professional at a Wall Street firm, who asked not to be identified. While adhering to such separation does create inefficiencies, particularly over who responds to issues involving hacking, it eliminates some risks inherent in sharing resources, which can lead to breaches of integrity that could put a company out of business. "The biggest thing is confidentiality," says the Wall Street manager.

However, a rapidly growing number of practitioners and industry watchers say the trend is logical and inevitable. Within five years, "most organizations will have a risk management function that is not within IT," predicts Chris Byrnes, vice president and security analyst at Meta Group. Byrnes says that function will include a number of things currently on CIOs' plates, such as disaster recovery, an enterprise program management office, architecture issues and non-IT risk functions like fraud and physical security.

"The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management," says Lance Wright, principal at the Boyden Global Executive Search company. Wright thinks that security functions will become strategic to organizations, much as what happened with HR departments years ago. "Companies viewed HR departments as just overhead, until they realized that management of your human resources was as critical a business process as any. The same thing will happen with the management of security," he says.

Rising to the Top

Wright's point cuts to perhaps the most important objective in security governance: Until top-tier management recognizes security as a critical function with strategic impact, security of all sorts will continue to get shuffled around and fail to obtain adequate resources to get the job done. One CSO laughingly puts it this way: "After all, the CEO's going to want to fire someone important." Jokes aside, a single, business-minded leader—a CSO—managing all of security has the best chance of getting that level of executive buy-in. To build a security-minded corporate culture, the security function needs to establish a beachhead in the boardroom.

For this reason more than any other, many recruiters say dual-domain CSOs like Pemco's Telders will become the rule for organizations as security rises in importance. Don Cornell, principal at Security Recruiters, expects to see the CSO job title evolve much as the CIO title did. "In the old days, people didn't understand what a chief information officer was, so it couldn't possibly be a C-level job. That changed over time; I think that will happen in the security field as well," he says. At the same time, Cornell notes that his clients rarely ask him to fill Telders-type jobs, preferring either specific candidates for physical security tasks or information ones. He thinks this will change as companies continue to suffer security incidents.

John P. Walsh has a situation that most security personnel only dream of: He reports to the CEO. Walsh, vice president and director of corporate security at Stephens Group (a holding company in Little Rock, Ark., that operates one of America's largest investment banks), says that reporting into the top level "speaks volumes to the rest of the organization in terms of the worth and relative merit of the security department. Based on the reporting relationship I have with the president and CEO, I can cut across any type of logistical issues," Walsh says.

Siemens' Pomeroy echoes that sentiment. "Security should have one individual giving direction, and that person has to have the blessing of the CEO and the CFO." Whatever the org chart says, wherever the CSO may report, top-level executive support is the grease that makes the security machine ultimately effective.

Without it, Pomeroy says, enforcing security mandates "is like pushing an elephant up a hill."

Copyright © 2003 IDG Communications, Inc.