When the Camera Becomes Enterprise Data: Who Owns Surveillance Policy in the CSO–CISO Era
Key Highlights
- Effective video surveillance governance requires early policy development to guide procurement, deployment, and use of camera systems.
- Roles of CSO, CISO, legal, HR, and procurement must be clearly defined, with shared ownership and veto power to manage risks across physical and cyber domains.
- Technology capabilities do not determine policy; permissions and use cases must be explicitly approved to prevent misuse of features like facial recognition or AI analytics.
- Permissions should be carefully separated—live view, playback, export, and system administration—each with strict controls and audit logs to ensure accountability.
- Building trust through transparent policies, clear data retention, and controlled access is essential for the effectiveness and acceptance of surveillance systems.
I spend a lot of time in the space where the camera meets the network. Not the boardroom version of it. The real version: ceiling tiles, IDF closets, door controllers, VMS permissions, bandwidth limits, old floor plans, new cloud dashboards, and the uncomfortable question that usually comes after the system is already working: who is allowed to see this?
That question is why the CSO/CISO conversation matters. Most organizations do not get into trouble because the camera failed. They get into trouble because the camera succeeded. The image is clear. The access event is tied to the right door. The remote user can pull it up from a phone. The clip can be exported in seconds. Then someone asks whether HR can use it, whether legal has approved the retention period, whether the vendor account should still exist, or whether IT knew the system was reachable from outside the building.
At that point, policy is no longer paperwork. It is the difference between a useful security system and an avoidable fight.
The Camera System is Now Enterprise Data
For years, video surveillance was treated as a physical security tool. Cameras deterred bad behavior, recorded incidents, and helped the security team review what happened. That was still sensitive, but the governance model was usually simple: security owned the cameras.
That model is not enough anymore. Modern commercial video surveillance systems may combine cloud storage, mobile access, AI search, alarm verification, license plate recognition, badge integrations, visitor management, remote guarding, and APIs that connect video to other business systems. A camera is now an endpoint, a data source, a record-keeping system, a potential repository for evidence, and sometimes a machine-learning input.
So, the better question is not, "Does the CSO or CISO own cameras?" The better question is, "Who owns each risk created by video?"
The CSO is responsible for security purposes: why cameras are in place, which threats they are meant to mitigate, what footage must show after an incident, and how video supports response, investigations, guard operations, workplace safety, and coordination with law enforcement.
The CISO owns the control environment. How is the system segmented? Who authenticates into it? Are accounts tied to individual users? Is MFA required? What is the patching plan? Are logs retained? How is vendor access approved and removed? What happens if a camera, server, cloud portal, or mobile credential becomes part of an incident?
Neither role can do the whole job alone. A CISO may understand the identity model but not why a delayed camera feed at a dock door creates real operational risk. A CSO may know exactly why a camera is needed in a lobby, but may not see the cyber exposure created by a shared admin login or unmanaged remote access. Good policy forces those two views into the same room before the first incident.
What I See in the Field
The issue becomes obvious when you look at real facilities rather than diagrams.
In a school, a camera can support student safety, address parent complaints, fulfill law-enforcement requests, facilitate staff investigations, resolve visitor disputes, and meet public-records obligations. The same clip may be emotionally charged, legally sensitive, and operationally urgent. If the district has not already decided who can review footage, who can export it, how student privacy is protected, and when counsel gets involved, the system will create pressure at the worst possible time.
In a manufacturing facility, video may protect loading docks, finished goods, tools, employees, contractors, and production flow. It may also capture injury events, quality issues, union-sensitive work areas, or vendor activity. A plant manager may want broad visibility for operational reasons. HR may worry about employee monitoring. IT may be concerned about unmanaged cameras on the network. All three concerns can be legitimate. Policy is what keeps one legitimate concern from overriding the others.
In a multi-tenant commercial building, the property team may need video for lobby incidents, parking disputes, after-hours access, elevator landings, and tenant complaints. But tenants may expect boundaries. A camera that helps resolve one incident can also raise questions about who is watching shared spaces, how long footage is kept, and whether one tenant's issue gives them access to another tenant's activity.
These are not theoretical problems. They are the typical friction points that arise when security technology intersects with privacy, employment, operations, IT, insurance, and legal exposure.
Do Not Let the System Menu Become the Policy
One of the biggest mistakes I see is letting product features decide governance. A VMS may allow facial recognition. A cloud platform may make sharing easy. A remote monitoring provider may offer after-hours access. An analytics engine may let someone search for people, vehicles, motion, direction of travel, or clothing color. None of those means the organization has decided those uses are appropriate.
Technology gives you the capability. Policy gives you permission.
That distinction matters most with AI. AI video analytics can be useful. They can also create new problems if the organization treats them as a setting to turn on rather than a use case to approve. Before enabling facial recognition, license plate recognition, weapons detection, behavioral analytics, occupancy analysis, or appearance search, leaders should ask basic questions in plain language.
What problem are we solving? How accurate is the tool in our environment? What happens when it is wrong? Who is allowed to run searches? Are employees, visitors, students, patients, or tenants being notified? Are we creating biometric or other regulated data? How long do outputs stay in the system? Who can challenge a result?
If those answers feel uncomfortable, that is a signal. The answer may still be yes, but it should not be a silent yes.
A Practical Ownership Model
The cleanest model I have seen is shared ownership with named decision rights. The CSO should not have to become a network security engineer. The CISO should not have to become a physical security director. But both should have veto power inside their risk lanes.
For operational purposes, camera placement, monitoring priorities, and incident response, the CSO should lead. For identity, network architecture, remote access, logging, vulnerability management, encryption, and incident containment, the CISO should lead. Legal should own retention, legal hold, subpoenas, public records requests, data use limits, and external releases. HR should own employee-facing monitoring rules, discipline boundaries, and notice.
Procurement should ensure contracts align with the risk profile, including data ownership, breach notice, subcontractor obligations, audit rights, service access, and exit terms. Executive leadership should own exceptions, because an exception is not a technical decision. It is a risk acceptance decision.
This does not require a standing committee that turns every camera into a month-long process. It requires a short written governance standard and a repeatable review process for higher-risk uses. Normal camera replacements should not need executive debate. New AI analytics, public-facing sharing, biometric capabilities, remote guarding, or cross-system integrations should.
The Policy Should be Written Before Procurement
Surveillance policy is often written after purchase because leaders think they need to know the platform first. The policy should shape the purchase.
Before signing, the organization should require answers on data flow, storage location, encryption, MFA, user roles, audit logs, retention controls, export controls, API access, vulnerability disclosure, patching practices, mobile access, subcontractors, vendor remote support, and how data is returned or deleted at the end of the relationship. If the platform cannot support the policy, the organization should know that before the contract is signed.
This is where security system integration becomes a governance issue rather than just a technical feature. The moment video connects access control, alarms, intercoms, visitor management, environmental sensors, or cloud dashboards, the system becomes more useful and more consequential. Integration can reduce response time and improve the quality of evidence. It can also connect records that were previously separate. That is powerful. It deserves control.
The Permissions are the Policy in Action
A mature video program carefully separates permissions. Live view is not the same as playback. Playback is not the same as export. Export is not the same as delete. System administration is not the same as investigation. Vendor support is not the same as permanent access.
Shared logins should be eliminated. Former employees should be removed immediately. Vendor accounts should be time-limited. Exports should be logged. Clips should be watermarked or otherwise controlled when possible. Retention should vary by use case. Routine footage, incident clips, legal holds, license plate data, biometric templates, visitor footage, and HR investigation material should not all be treated as the same record.
That level of discipline may sound tedious until the first serious incident. Then it becomes the thing everyone wishes had already been done.
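One way to check a deployment against the account and permission rules above, as an added example that is not part of the original article. The account export format, the field names, and the rule that admin rights must not be bundled with playback, export or delete are assumptions; all sample records are constructed.

```python
from datetime import date

# Constructed sample of a VMS account export; field names are hypothetical.
ACCOUNTS = [
    {"user": "frontdesk", "kind": "shared", "perms": {"live"}, "hr_active": True, "expires": None},
    {"user": "j.ortiz", "kind": "employee", "perms": {"live", "playback"}, "hr_active": True, "expires": None},
    {"user": "m.chen", "kind": "employee", "perms": {"playback", "export"}, "hr_active": False, "expires": None},
    {"user": "integrator-support", "kind": "vendor", "perms": {"admin"}, "hr_active": True, "expires": None},
    {"user": "r.patel", "kind": "employee", "perms": {"admin", "export", "delete"}, "hr_active": True, "expires": None},
    {"user": "guard-vendor-01", "kind": "vendor", "perms": {"live"}, "hr_active": True, "expires": date(2025, 1, 31)},
]
# Constructed export audit log: (user, clip id).
EXPORT_LOG = [("m.chen", "clip-0042"), ("j.ortiz", "clip-0043"), ("r.patel", "clip-0044")]

# Assumed policy: system administration is kept apart from investigative or destructive rights.
INVESTIGATIVE = {"playback", "export", "delete"}

def audit_accounts(accounts, today):
    """Return sorted (user, finding) pairs for accounts that break the access rules."""
    findings = []
    for a in accounts:
        if a["kind"] == "shared":
            findings.append((a["user"], "shared login"))
        if a["kind"] == "employee" and not a["hr_active"]:
            findings.append((a["user"], "former employee still enabled"))
        if a["kind"] == "vendor":
            if a["expires"] is None:
                findings.append((a["user"], "vendor account has no expiry"))
            elif a["expires"] < today:
                findings.append((a["user"], "vendor account past expiry"))
        bundled = a["perms"] & INVESTIGATIVE
        if "admin" in a["perms"] and bundled:
            findings.append((a["user"], "admin bundled with " + ",".join(sorted(bundled))))
    return sorted(findings)

def exports_without_right(accounts, export_log):
    """Return logged exports made by users who hold no export permission (or are unknown)."""
    allowed = {a["user"] for a in accounts if "export" in a["perms"]}
    return [(user, clip) for user, clip in export_log if user not in allowed]

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, date(2025, 3, 1)):
        print(f"{user}: {finding}")
    for user, clip in exports_without_right(ACCOUNTS, EXPORT_LOG):
        print(f"{user}: exported {clip} without export permission")
```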
Trust is the Real Asset
Surveillance can make people safer. It can help prove what happened. It can protect employees from false claims, protect organizations from loss, and give first responders better information. But it can also damage trust if people feel the rules are hidden, improvised, or unfair.
The best video policies are not built solely on fear of liability. They are built on honesty. Tell people why cameras exist. Limit use to legitimate purposes. Control access. Review AI carefully. Keep records only as long as there is a reason. Audit the program. Remove vendor and employee access when it is no longer needed. Do not let convenience become standard.
The CSO/CISO question should not become a turf battle. The CSO brings field judgment. The CISO brings control and discipline. Legal, HR, procurement, facilities, operations, and executive leadership each see risks the others may miss. When those views are put together early, video surveillance becomes a stronger security tool and a more defensible business system.
Modern cameras do not just record what happened. They reveal how an organization makes decisions. That is why policy must come before the incident, the AI feature, the export request, and, ideally, the purchase order.
If the organization can explain why video is collected, prove who touched it, defend how long it is kept, and show that the right people approved the rules, it is on solid ground. If not, the technology may still work, but the governance has already failed.
About the Author

Thomas Carnevale
Chairman and CEO, Sentry360
Thomas Carnevale is the owner of Umbrella Security Systems, a commercial security integrator serving schools, government agencies, manufacturing facilities, warehouses, multifamily properties, and commercial organizations across Chicago and Northern Illinois. His work focuses on video surveillance design, access control, alarm integration, infrastructure planning, remote monitoring readiness, and long-term system support. Thomas also hosts Security In-Focus, an educational podcast for end users responsible for protecting facilities, people, products, and information.
