Ask the Expert

Should a single security officer control both physical security and information security operations?

Should a single security director control both traditional security (physical, personnel, COMSEC, OPSEC, etc.) and information security?

    Requires Free Membership to View

It would be good for one entity to be accountable for all aspects of an organization's security. This role is usually not a director, but someone like a chief security officer (CSO). Many organizations also have a chief information security officer (CIO) that focuses more on technology rather than physical and personnel security. Your management options will ultimately depend upon your company's size and organizational structure.

The CSO position is much more of a business role, and he/she interfaces with executives. A CSO is responsible for more than a CIO and will need to have proper communication channels with all others who are responsible for the different areas of security. It's important that he/she properly understands the organization's current risk level and how to properly manage that risk and demonstrate it to executive management.

If organizations are too large for a CSO position, then a security steering committee can be implemented. This committee should include individuals who are responsible for their distinct areas of security (platform, telecommunications, personnel, physical, operations, etc.). They can then communicate and work together to develop ways to approach an enterprise's particular risks. But creating a steering committee depends upon the size of the organization. If your company is made up of ten people, or even three hundred, it is still easier for one person to be in charge, compared to the leadership in a multi-branch organization with 10,000 or more employees.

So, to answer the initial question -- should an individual at a director level be responsible for all of these aspects of security – I would say no. Each area can have a director (or manager) report up to an individual, like a CSO or CIO, who then has the responsibility of viewing all of these pieces, mapping the business needs and managing risk.

If this director already has other full-time responsibilities, then he/she should not take ownership of these other security sections also.

More information:

  • Find out whether an organization should centralize its information security division?
  • Learn how CSOs fit into a total security plan.

  • This was first published in December 2006

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: