[ISN] Report: Corporate security undermined by lack of cooperation

From: InfoSec News (isn@private)
Date: Mon Oct 25 2004 - 02:59:48 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,96876,00.html

By Jaikumar Vijayan 
OCTOBER 22, 2004 
COMPUTERWORLD

A lack of information sharing and cooperation between IT security,
physical security and risk management functions is hindering efforts
to upgrade corporate security, according to a report released this
week by The Conference Board Inc.

The separate silos in which many businesses put those functions can
create a corporate culture that encourages the hoarding of vital
security information, said the report, which was based on interviews
with more than 200 senior executives at major companies.

Businesses need to bridge the gap and develop a "common frame of
reference," said Tom Cavanagh, a security expert at The Conference
Board, a New York-based research organization. "What you need to have
is a way for everybody to be on the same page and speaking the same
language" when it comes to implementing companywide security policies,
he said.

Cavanagh's advice echoed comments made at last month's ASIS
International 2004 conference in Dallas, where corporate managers and
analysts cited a growing need to unify the management of IT and
physical security.

That viewpoint is "absolutely right," said Dennis Treece, director of
corporate security at the Massachusetts Port Authority (Massport) in
Boston. "Until the various factions stop bickering over turf, we're
going to find any holistic security improvements terribly difficult"  
to achieve, he said.

Treece, who oversees both physical and IT security at Massport, said
that the separate security-related functions within companies "all
have different points of view, different cultures, different career
paths, different educations and even different vocabularies."

Physical security practitioners who typically deal with human
intelligence issues and technologies such as intruder alarm systems
often have little in common with IT security professionals, said Eddie
Schwartz, chief technology officer at Securevision LLC, a consultancy
in Fairfax, Va.

Similarly, risk management executives tend to come from financial
backgrounds and often have little technology savvy, said Schwartz, a
former chief information security officer at Nationwide Insurance Co.  
in Columbus, Ohio.

The resulting communications breakdowns often lead to gaps in
security, said Lew Wagner, CISO at Clarian Health Partners Inc. in
Indianapolis. "The secret to any long-lasting and effective security
practice is to have IT security dovetail with physical security, risk
management and human resources" functions, he said.

Wagner added that long-established corporate hierarchies and
territorial boundaries make this integration hard to achieve. "Each of
these groups have already carved out their niches and protected areas
and are resistant to change and have to be shown that this
[integration] is a way to enhance what they are doing," Wagner said.

Demonstrating the value of information integration to all stakeholders
in corporate security can be a challenge, Schwartz said. "But one of
the mistakes that people often make is to assume that everybody needs
to be in the same room with the same color shirt to make this work,"  
he said.

Instead of necessarily breaking down silos and establishing chains of
command, companies should emphasize building a comprehensive
"situational awareness" capability, where executives from different
groups can compare high-level information and look for trends,
Schwartz said.

"Most firms don't understand how and why holistic security is a profit
multiplier and a market differentiator," said Thomas Varney, vice
president of forensic services at TrustWave Corp. in Annapolis, Md.

Varney served most recently in the U.S. Office of the Secretary of
Defense and the Coalition Provisional Authority in Iraq, "where we
understood the necessity of the holistic security perspective," he
said.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Mon Oct 25 2004 - 08:45:38 PDT