David Lacey has a good post on his ComputerWeekly blog, questioning whether it makes sense to combine responsibility for both physical and information security. He highlights the potential benefits, but rightly points out that virtually nobody has all the skills required. It seems strange how many companies seem to be talking about appointing a Chief Security Officer when so few qualified candidates exist.
As I have said previously, this idea is good in principle, but is fashionable before its time. What are needed are some new training options to enable people to develop the necessary expertise. In the meantime, companies should put this bright idea back on the shelf and bring it down again in about five years, by which time supply may hopefully match demand.
