Chief Security Officer: No Magic Bullet - ' CSOs Rise Despite Conflicts '

CSOs Rise Despite Conflicts

Giga Information Group, a Cambridge, Mass., consulting firm, estimates that fewer than 10% of large companies had adopted the role of a chief security officer prior to Sept. 11. Penetration was strongest in the financial services and software sectors, but practically nonexistent in most other sectors. While Giga agrees that internal conflicts will hamper the adoption of corporate CSOs, it still believes that by the end of the decade close to 50% of companies will have such designated executives. Financial services, utilities and software will again lead the way.

Chief areas of conflict center around which side of the business the chief security officer comes from—the physical security side of the business, or the information technology side of the business—and to whom he or she reports. Should the chief security officer report directly to the CEO, the chief financial officer, chief operating officer or chief information officer?

Not surprisingly, the answer depends on the expert you talk to, that person's background in security, and the business the person's now in.

"Physical security and information security are separate practices; I don't believe they should be the responsibility of one executive," says Robert Justus, vice president of systems and contingency planning for Union Bank of California.

Following Sept. 11, executives with the San Francisco-based bank re-evaluated security policies and procedures, and management structure. Union Bank has one executive in charge of physical security and Justus heads up the electronic side. In the end, the bank decided not to appoint a chief security officer.

"The skill sets involved in the hiring and placing of security guards are very different than those in protecting a computer network," says Justus. "That being said, we do meet regularly and have to coordinate our efforts on the investigations end."