Most big organizations around the world still manage security and fraud separately, even though fraud is steadily becoming a predominately computer-borne threat. This Information Week article by Doug Henschen breaks down this reality. It's a good read - unfortunately it's on 12 pages and the website forces you to click through to each page separately - annoying!

Security (which includes both information and physical security) and fraud should all be managed in the same organization, reporting into a Chief Risk or Chief Security Officer. It doesn't matter what they're called; what matters is that (a) they are commonly managed, and (b) every affected part of the organization has some formalized responsibility for risk management. That is really every part of the organization, or nearly so: operations, HR, and product development are just a few examples. Otherwise, as this piece points out, prevention, detection and response are all stymied by siloism, which attackers simply go around and through.

Attackers aren't bound by your org chart or your budget. It's unrealistic to suggest that you shouldn't be, but their agility compared to yours is one of the reasons that they're ahead of the game in 2014. So the more you can break down those hierarchical organizational barriers to fight fraud and other threats, the more effective you'll be at doing just that.