CyberSecurity Institute

Those aren’t convergence; they are merely dumb ideas. And like a lot of dumb ideas—rooted in an insufficient respect for reality—they provoke objections that miss the point, such as: “IT security is too complicated and important to entrust to those ‘guns and holsters’ guys.” Or “How can a technogeek possibly manage an executive protection strategy?” (For a list of five common convergence objections just begging to be overruled, go to www.csoonline.com/printlinks.)

It may be more revealing to think in terms of integrated or holistic security management. In fact, while physical and information security are the cornerstones of holistic security, they aren’t the whole ball of wax. Depending on which industry they serve, CSOs need visibility into fraud and loss-prevention efforts, investigations, process-control systems, business continuity, pieces of regulatory compliance, some aspects of the human resources function and audit.

But reworking the organizational chart isn’t really the end goal, according to Timothy Williams; it’s just one possible means of establishing the necessary accountability and processes that make security effective. Williams is the CSO at Nortel Networks, where he has been leading a centralized, multifaceted security program since 1990. “If you don’t trust the person you’re giving the group to, forget it; it will never work. It’s about how we manage risk and the processes between the domains,” he says.

A case of intellectual property theft doesn’t fit neatly into any of the domains of IT, corporate security or legal; it crosses all of these functions. To Williams, convergence is about “what we are doing to make sure we’re not creating or missing an interdependency between the various areas.” In some cases, the CSO (by whatever title he or she goes) has direct oversight of two or three branches of security, plus dotted-line reports to well-placed employees in other branches. Which lines are dotted and which are solid can depend on the circumstances and priorities of each company, and on the expertise of the CSO.

Steve Hunt, a CPP-toting former Forrester Research analyst, goes so far as to say the leadership role is best handled by a committee, an idea he says is gaining traction particularly in Europe. Hunt says he has seen it work, though it’s worth noting that leadership by committee generally has a checkered history in the corporate world.

Having noted that convergence isn’t accomplished by remaking reporting relationships, Williams circles back to reemphasize that convergence is not the same as “having lunch once in a while. Constellation Energy Group CIO Beth Perlman, who handed the reins of information security to ex-Marine John Petruzzi, sums it up: “If you don’t trust the person you’re giving the group to, forget it; it will never work.”

Another key leadership requirement, Williams adds, is the ability to articulate security and risk issues in the context of business activities and in the language of the corporate boardroom.

Today’s corporate security department is an evolution of what used to be referred to as physical security; over time, forward-thinking practitioners demonstrated the value of putting surveillance, fraud investigations, executive protection, and an assortment of other activities (each requiring different knowledge and skills) under a single umbrella.

http://www.csoonline.com/read/041505/intro_moment_3536.html

IT managers should either integrate the new wireless piece into the overall company security policy, if one already exists, or take the opportunity to create a plan for the entire IT infrastructure, security experts urged Wednesday at the event, being held in Cambridge, Massachusetts.

Instead of considering wireless security in isolation, technology managers should think of defending their existing wired network against a new set of threats that emanate from the wireless world, said Craig Mathias, principal at advisory and systems integration company Farpoint Group, based in Ashland, Massachusetts.

It used to be the case that corporations weren’t embracing wireless technology because of security concerns. Now, however, the leading barrier to adoption is the perceived complexity of wireless security, according to Lisa Phifer, vice president of consulting firm Core Competence in Chester Springs, Pennsylvania. The situation is beginning to change, as vendors build more functionality into wireless LAN switches.

Mathias singled out Ann Arbor, Michigan-based Interlink Networks Inc.’s LucidLink, an enterprise-level wireless security application designed to be easily deployed by small business and home office users. Mathias stressed that wireless will likely form only a small piece of a company’s security policy, mostly in terms of specifying which mobile devices and intermediary networks for remote access meet desirable corporate security standards.

“We have a saying (here) that if you could just get rid of the end-users, you could have perfect security,” quipped Jim Burns, senior software developer at Portsmouth, New Hampshire-based network authentication software developer Meetinghouse.

http://www.infoworld.com/article/05/04/21/HNexpertsurge_1.html