March 23, 2007

CSOs – Trend or Fad?

The notion of combining physical security and logical (information) security has been around for some time. Some industry thought leaders, such as Steve Hunt, feel that convergence of the responsibilities for physical and information security is not only a best practice but inevitable. AT&T recently published a white paper with the results of a survey conducted for it by the Economist Intelligence Unit. The paper stated that “Typically, the CEO remains the primary decision-maker for electronic security decisions (although in Europe the CIO is more likely to hold this role). But the importance of the chief security officer (CSO) is rising—this figure is cited as the main decision-maker at 12% of companies.”

This made me wonder whether the role of CSO makes sense or is simply wishful thinking. I pondered the history of the responsibility for information and physical security during my Army career. At battalion (a unit commanded by a Lieutenant Colonel) and above, there is a principal staff officer responsible for “Intelligence and Security”. At one point this officer (the S2 when working for a Lieutenant Colonel or Colonel, the G2 when working for a General officer) was responsible for information security as well. Over time this proved untenable, since intelligence officers were not IT professionals and it wasn’t practical to have them learn the technical details and nuances necessary to be effective. The responsibility was transferred to the “6” (S6 or G6), the staff lead for Communications and IT within the organization.

In the commercial sector, physical security is the province of facilities, while information security typically sits within IT and usually reports to the CIO. Ultimately the CIO and the facilities lead may report to a common executive, such as the CFO.

Given all the above, suppose you had the ability to re-orient security: what would the ideal structure be, given the growing array of regulations, pressure for data privacy and looming e-discovery rules?

I’d argue that the CEO needs a focal point, and perhaps the logical keystone is a single individual responsible for Security and Compliance (S&C). Of necessity this role would cross the lines of other key direct reports to the CEO, such as HR, the CFO and of course legal. Staff elements within the Security and Compliance Office could be set up with dotted-line supervision over their respective functional counterparts, while the S&C Officer would be the CEO’s representative in all matters related to security and compliance across the organization.
