Problem solve Get help with specific problems with your technologies, process and projects.

Should a single security officer control both physical security and information security operations?

Learn if your organization is due for a CSO or CISO. In this security management Q&A, Shon Harris demonstrates when a security officer should lead the physical and information security teams.

Should a single security director control both traditional security (physical, personnel, COMSEC, OPSEC, etc.) and information security?
It would be good for one entity to be accountable for all aspects of an organization's security. This role is usually not a director, but someone like a chief security officer ( CSO). Many organizations also have a chief information security officer (CIO) that focuses more on technology rather than physical and personnel security. Your management options will ultimately depend upon your company's size and organizational structure.

The CSO position is much more of a business role, and he/she interfaces with executives. A CSO is responsible for more than a CIO and will need to have proper communication channels with all others who are responsible for the different areas of security. It's important that he/she properly understands the organization's current risk level and how to properly manage that risk and demonstrate it to executive management.

If organizations are too large for a CSO position, then a security steering committee can be implemented. This committee should include individuals who are responsible for their distinct areas of security (platform, telecommunications, personnel, physical, operations, etc.). They can then communicate and work together to develop ways to approach an enterprise's particular risks. But creating a steering committee depends upon the size of the organization. If your company is made up of ten people, or even three hundred, it is still easier for one person to be in charge, compared to the leadership in a multi-branch organization with 10,000 or more employees.

So, to answer the initial question -- should an individual at a director level be responsible for all of these aspects of security – I would say no. Each area can have a director (or manager) report up to an individual, like a CSO or CIO, who then has the responsibility of viewing all of these pieces, mapping the business needs and managing risk.

If this director already has other full-time responsibilities, then he/she should not take ownership of these other security sections also.

More information:

  • Find out whether an organization should centralize its information security division?
  • Learn how CSOs fit into a total security plan.

  • This was last published in December 2006

    Dig Deeper on Information security policies, procedures and guidelines

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.