Q&A

Cyber Security Versus Physical Security: Smackdown!

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

By Scott Berinato

February 01, 2003

CSO — George Campbell doesn't pull punches. Trust us. After CSO's first issue was published, the former CSO of Fidelity sent us a terse missive about what he thought was a fundamental flaw in our approach to covering CSOs. We were focused too narrowly, he said, on the tactical CISO role and not the strategic CSO role.

In fact, Campbell views that bias as a sort of epidemic spreading through the security community. He's concerned when he observes that CISOs have "captured" the title of CSO without really having the requisite skill set. And he's frustrated by what he views as "intellectual arrogance" on the part of IT-centric information security officers. (OK, he actually calls them "propeller heads," but they started it, he says, by suggesting that CSOs are just retired cops who don't understand technology.)

Of course, we couldn't resist a good fight. To that end, we had to find a counterpart to Campbell, a CISO who would go head-to-head with him. We got Georgia Student Finance Commission CISO Bill Spernow. To our delight, we learned that Spernow once worked for Campbell at Fidelity. So it wasn't a surprise when Campbell started the conversation, which Senior Editor Scott Berinato moderated, by saying, "I'm surprised your parole officer let you do this, Bill." Spernow ended the conversation by tipping his hat to his old mentor: "Good to see you're still out there making people uneasy, George."

CSO: We were turned on to this idea by you, George, when you wrote to us about this topic. You read the first issue, and the letter didn't read like you were surprised by the focus on IT; disappointed certainly, but not surprised.

Campbell: Well sure. I've actually had several people send me responses to the letter you published. Here's one I got recently: "I read your letter in CSO magazine with interest. FYI, attached please find an executive summary of a CSO leadership program prepared by the Center for National Software Studies. This program focuses on IT security and the role of the CSO." I responded to that clown as follows: "[Sir], thanks for the information. As I indicated to CSO magazine, what you and others are describing is a CISO, with an emphasis on the I." I can only conclude that this guy either doesn't read or doesn't understand what he's reading because I made it fairly clear that the CISO deals with some of the most critical assets of any modern corporation. But the role is nevertheless narrower by some significant measure, depending on what the asset base is of a company, than that of a CSO who has to investigate, do background vetting, due diligence examination, business continuity planning, security operations, first response, the whole nine yards.
