[ISN] To Convergence (and Back)

From: InfoSec News (isn@private)
Date: Wed Jan 04 2006 - 03:03:21 PST


By Anonymous
January 2006 Issue

Security convergence - that is, the true meshing of physical and
cybersecurity along with business continuity management - is one of the
most logical concepts that's been introduced to the security world in
a very long time. Convergence makes sense conceptually in the
boardroom and functionally within the organization. It saves security
dollars, increases efficiency and provides more effective incident
response, all of which are great incentives for getting and
maintaining senior executive support.

But here's a warning for all of you daring enough to push for change.  
You can do everything right as you go down the road to convergence.  
You can start getting past the cultural and political issues involved
with convergence, and you can begin the tedious process of collecting
metrics that demonstrate its positive impacts on the organization. But
it may not be enough. The new combined organization may become a
target of an efficiency program or a general cost-cutting initiative,
or it may suffer after a risk decision upsets the wrong inside player.

Then, you may suddenly find yourself overseeing a transition team into
the Dark Ages. The CSO is told that the company needs to "focus on
other things." But hey, they say, thanks - your efforts have improved
security, so we can now go back to business as usual. (And oh, by the
way, we now have one less VP mouth to feed.)

I say all this because I've learned the hard way. But I still wouldn't
have done anything differently.

The Beginning and the End

There are two camps as far as how companies deal with issues and
resolve problems. In the first kind, the CEO hires people and puts
them in charge of business units. If things blow up, then it's their
problem; it's not the corporation going awry. In the second kind, the
business aims for transparency. The CSO outlines risk and works with
the business units to accept it.

I belong to the latter camp. When I started with my former employer
several years ago, I was asked to build a program that put together
all the security pieces, including business continuity, and to be
transparent. As a security department, we'd say: Here's where we think
we are; we've done vulnerability and risk assessments; here are our
results. We strove to make security very much a part of the business
process, to be businesspeople who understood how our business worked
and built programs that benefited it.

Then the company got a new CEO, who brought in a lot of new
executives. At first the organizational changes that followed were
presented as cost-cutting measures. But soon it became clear that the
new regime thought that transparency wasn't a great thing, and that
sometimes it was better to have a risk be the responsibility of a
business unit. The new attitude was, "Why are we hearing about this
security problem? Here's an issue that we have to deal with now that
it's down on paper."

The moment I realized the extent of the change was when the new CFO
was indicating to the chief risk officer that there would be changes
in risk management. Once I heard that, I realized that the new
leadership really didn't like the transparency we had. Culturally, my
security program was the same as the CRO's risk management program. I
thought the same way he did. If he was going down, and his program was
structured the same as mine, that was bad news.

Sure enough, several changes were announced. An internal non-risk
management person was taking over a smaller risk management
organization, and I was told that the new leadership wanted to
transfer me into the shared service organization. Those groups are
usually ones that other business units opt into - like with IT projects,
you could go outside into the market, or you could go to the CIO. From
a security perspective, though, you can't opt in or out of security.  
It was pretty clear to me, uh oh, here it comes.

I was still the CSO, and I had my first meeting with the head of
shared services. At the end of the conversation, that person basically
said, your last day will be X days out. The new CEO's view was that IT
security is an IT issue, and physical security is a facilities
activity. They said, Let's figure out a conversion plan to integrate
those pieces back into the different parts of the organization. To
deconverge. I had a director for physical security and a director for
information security, and management wanted those people to take
demotions. It was very difficult.

The security department had incredible executive support before the
leadership transition. There had been nothing but accolades. We had
done lots of things that had cost savings. We had gone out and
nationally competed our guard-force contract and saved more than $1
million a year. We were much leaner and more efficient than many of
our peers. We had one training group and a common voice to the
employees. We had caught incidents, returned property, recovered
dollars and stopped internal fraud. We were out there solving
problems, protecting value and getting rid of bad apples.

But under a regime where the leadership doesn't like the transparency
of risk, those are all bad things. The CEO doesn't want to hear about
a serious fraud, even if you brought the money back and caught
everyone involved.

The Transparency Backlash

A lot of security guys get away with keeping very under-the-radar
programs. They don't bring things up, and they resolve things at very
low levels. Maybe it works for them.

For me, I had a three-ring binder with 100 pages of all the incidents
that occurred, all the regulatory issues that were affecting us, all
the risk remediation activities that we had conducted. I always said,
"Hey, I'm not hiding anything. My program is here to support the
business. I want absolute transparency." In the end, it worked against
me. If anybody wanted to take a punch at me, they could. I provided
all the information.

I don't think I would have been able to stomach taking the program so
far under the radar that it wasn't an issue with the new leadership. I
always thought we could let our accomplishments speak for themselves.  
But in the end, the decision for the company to deconverge seemed like
an emotional outcome of how the new leadership liked to think about
the world.

Even with everything that happened, even after watching my unified
security department be systematically taken apart, I still really
believe in the convergence model. I believe that today's security
organizations need to be wholly unified and manage all security risk
across the organization. Traditional walls between security
disciplines have to come down, and new positions have to be created to
consolidate functions such as reporting, incident response, blended
risk assessments, security policy and standards development. This
combined security framework, which is made up of many integrated
processes, begins to create its own business function, and it moves
toward a security governance model that is better suited to support
and guide the organization. The process of architecting this structure
emphasizes the requirements and scope of the program, and it raises
security awareness. It allows the security program to identify
opportunities where security can produce business benefits, increase
system and resource efficiency, and achieve enterprise compliance.

A converged organization is positioned to make security a functional
strategy and possibly a business opportunity. Expanding the view and
scope of security is a necessary part of integrating security risk
management into an organization. The definition of security is
broadened to include physical security, information security, risk
management and business continuity. A CSO with this functional breadth
provides more value to the organization and to the overall leadership.

The overall goal is to embed security into business processes and
executive decision-making. This is the convergence recipe. The only
ingredients that the CSO can't provide are forward-thinking senior
executives who are willing to do more than pay lip service to ensuring
the company's sustained secure performance - even if this support stems
only from the realization that security will protect their lucrative
jobs and incentive plans.

In doing all this, though, the CSO is taking a personal risk - first, by
getting that level of visibility, and second, by consolidating what in
some people's minds are several cost centers into one bigger cost
center. In a Fortune 500 company with many executives, the CSO,
usually one of the junior executives, is opening himself up by getting
that level of attention in the boardroom. You're going to get your
advocates, and you're going to have the folks who traditionally will
look at security as a cost center no matter what.

There were certain executives that appreciated our level of
transparency and were strong advocates. There were others for whom it
was too much. They didn't want to review and approve the policies we
were writing. They saw security as cumbersome. Low-level grumbling
about security ensued, growing louder, more insistent, its increasing
volume usually inversely proportionate to its substance. When this
happens, it's only a matter of time before CEOs are making critical
decisions on security initiatives - and even on the continued existence
of the security program itself - that are based on 10 percent facts, 80
percent blind acceptance of unfounded opinion and 10 percent their own
uninformed conclusions. The attitude becomes, Don't ask the security
experts; they'll probably just muddy up the water.

Some of us will not survive the process, and organizational pressure
will push the unified organizations back into a more traditional cost
center model. Some will successfully make the transition, and slowly
over time this new and valuable approach will become the norm. Down
the road, I hope to be CSO of an organization where convergence is not
just the reality, but the norm. I'm optimistic that I will be. I even
predict that in a few years, my former employer will go back to the
converged model.

Everything worth achieving comes with risk. As CSOs, we do our best
when facing and managing risk. We should continue to take the
challenge and go into the breach. Chasing after a unified program is
worth it.

This column is written anonymously by a real CSO. Send your comments
via e-mail to csoundercover@private

This archive was generated by hypermail 2.1.3 : Wed Jan 04 2006 - 03:15:25 PST