Cyber Security Institute

Friday, April 22, 2005

The Defining Moment

Gently prod a convergence conscientious objector, and what you often discover is a misconception about what the term means.  Convergence does not mean ripping the IT security group out from under the CIO and stapling it to the hindquarters of the corporate security group, where a 70-year-old ex-cop security manager can proceed to ignore it.  Neither does it mean piling contract guard management on the already overloaded plate of a horn-rimmed, twentysomething firewall jockey who thinks “shredding” is strictly a snowboarding reference.

Those aren’t convergence; they are merely dumb ideas.  And like a lot of dumb ideas, rooted in an insufficient respect for reality, they provoke objections that miss the point, such as: “IT security is too complicated and important to entrust to those ‘guns and holsters’ guys.”  Or “How can a technogeek possibly manage an executive protection strategy?”  (For a list of five common convergence objections just begging to be overruled, go to

It may be more revealing to think in terms of integrated or holistic security management.  In fact, while physical and information security are the cornerstones of holistic security, they aren’t the whole ball of wax.  Depending on which industry they serve, CSOs need visibility into fraud and loss-prevention efforts, investigations, process-control systems, business continuity, pieces of regulatory compliance, some aspects of the human resources function and audit. 

But reworking the organizational chart isn’t really the end goal, according to Timothy Williams; it’s just one possible means of establishing the necessary accountability and processes that make security effective.  Williams is the CSO at Nortel Networks, where he has been leading a centralized, multifaceted security program since 1990.  “If you don’t trust the person you’re giving the group to, forget it; it will never work.  It’s about how we manage risk and the processes between the domains,” he says.

A case of intellectual property theft doesn’t fit neatly into any of the domains of IT, corporate security or legal; it crosses all of these functions.  To Williams, convergence is about “what we are doing to make sure we’re not creating or missing an interdependency between the various areas.”  In some cases, the CSO (by whatever title he or she goes) has direct oversight of two or three branches of security, plus dotted-line reports to well-placed employees in other branches.  Which lines are dotted and which are solid can depend on the circumstances and priorities of each company, and on the expertise of the CSO.

Steve Hunt, a CPP-toting former Forrester Research analyst, goes so far as to say the leadership role is best handled by a committee, an idea he says is gaining traction particularly in Europe.  Hunt says he has seen it work, though it’s worth noting that leadership by committee generally has a checkered history in the corporate world.

Having noted that convergence isn’t accomplished by remaking reporting relationships, Williams circles back to reemphasize that convergence is not the same as “having lunch once in a while.”  Constellation Energy Group CIO Beth Perlman, who handed the reins of information security to ex-Marine John Petruzzi, sums it up: “If you don’t trust the person you’re giving the group to, forget it; it will never work.”

Another key leadership requirement, Williams adds, is the ability to articulate security and risk issues in the context of business activities and in the language of the corporate boardroom. 

Today’s corporate security department is an evolution of what used to be referred to as physical security; over time, forward-thinking practitioners demonstrated the value of putting surveillance, fraud investigations, executive protection, and an assortment of other activities (each requiring different knowledge and skills) under a single umbrella.

Posted on 04/22