Should a single security officer control both physical security and information security operations?

The CSO position is much more of a business role, and he/she interfaces with executives. A CSO is responsible for more than a CIO and will need to have proper communication channels with all others who are responsible for the different areas of security. It's important that he/she properly understands the organization's current risk level and how to properly manage that risk and demonstrate it to executive management.

If organizations are too large for a CSO position, then a security steering committee can be implemented. This committee should include individuals who are responsible for their distinct areas of security (platform, telecommunications, personnel, physical, operations, etc.). They can then communicate and work together to develop ways to approach an enterprise's particular risks. But creating a steering committee depends upon the size of the organization. If your company is made up of ten people, or even three hundred, it is still easier for one person to be in charge, compared to the leadership in a multi-branch organization with 10,000 or more employees.

So, to answer the initial question -- should an individual at a director level be responsible for all of these aspects of security – I would say no. Each area can have a director (or manager) report up to an individual, like a CSO or CIO, who then has the responsibility of viewing all of these pieces, mapping the business needs and managing risk.

If this director already has other full-time responsibilities, then he/she should not take ownership of these other security sections also.

More information: