Is the CISO responsible for purchasing physical security systems/devices?


SVP, Chief Information Security Officer in Education, 5,001 - 10,000 employees
It depends on the size and structure of the organization in question. My experience is that larger orgs generally have a Chief Security Officer, and physical security elements fall under that role. For smaller shops that only have a CISO, those shops tend to throw anything "security" related under that CISO role. And so my experience is that the answer to your question is subjective based on the org.
CISO in Software, 10,001+ employees
I agree with Andres Andreu. It depends on the company, its size and organization. Fortune 100 companies may likely have different company and organizational responsibilities that are not all rolled up under a single CISO.
VP Global Cyber & Information Security in Energy and Utilities, 5,001 - 10,000 employees
No, this lies in the domain of the Chief Security Officer, not the Chief Information Security Officer.
CISO in Finance (non-banking), 10,001+ employees
It depends from case to case and organization to organization. In many organizations CISOs are not directly responsible for the physical security of the organization and data center, and it is mostly controlled by the Administration function. However, CISOs' inputs are taken when it comes to purchasing physical security devices by the Admin team for the organization and data centers, including CCTV cameras, biometric devices, door access control systems, secure storage vaults, alarm systems, etc. Risk assessment and their inputs are a must to ensure the organization has selected the right systems to protect against various physical security threats. Many CISOs audit those devices as part of their Information Security audits, including ISO 27001 and PCI-DSS. Also, logs are reviewed by them on a case-to-case basis.
CISO , Self-employed
I don’t think the CISO should be responsible for purchasing. Instead, he should advise his team on the correct security system selection. Before that, the CISO must do a thorough analysis of security systems/devices considering his organization’s requirements & ISMS policies.
Director of IT in Education, 5,001 - 10,000 employees
Like Andres said, it depends on the size and structure of the organization. When it involves IT systems, the CISO should be involved in selecting and purchasing to ensure the system’s IT monitoring software meets the organization’s needs, specifically for access controls and other monitoring capabilities for the buildings and data centers the organization is using.
Director of Enablement, 501 - 1,000 employees
The CISO should be in a position to understand physical security gaps, and identify solutions and tools to plug those holes - but they shouldn’t be on Amazon swiping their cards!
Director of IT in Education, 5,001 - 10,000 employees

I would say follow the business case (justification), and follow the proper purchasing process (purchasing policy).
