In general, the security officer's main job is to develop and run the security program. A lot of the blocking and tackling is increasingly being integrated into the operational groups (networks, data center, desktop, applications) and it's the job of the CSO to evangelize the entirety of the program and persuade each of the operational managers to work together and deploy a layered security environment.
Now if you work for the compliance officer, then you are basically in charge of implementing the security program, and that's fine. But you should have a hand in developing the program as well because it's really hard to implement something you don't help build.
To be clear, I do not recommend delegating the development of the program. It's a bit wacky to think someone other than the security officer's team is better positioned to understand what needs to be protected and how it should be taken care of, and then to define program success and manage milestones.
For more information:
This was first published in November 2007