Q&A

Cyber Security Versus Physical Security: Smackdown!

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

By Scott Berinato


I get offended when I see the CSO title being captured. Why do they feel compelled (Bill, why do you feel compelled) to take that title, which to me doesn't imply what their job is?

Spernow: Well, because George is right, and George is wrong.

Campbell: He used to say the same thing when he worked for me. [Laughs.]

Spernow: From the percentage of organizations that reflect your experience, George, you're right. But you represent only 5 percent of the population of folks doing any type of security. But because that 5 percent has high visibility, it represents most of what happens. That 5 percent gets the press, and as a result, the other 95 percent is struggling with trying to figure out how it's going to make its security stuff compatible with its infrastructure and IT culture, which primarily hasn't been focused on anything to do with security.

What most companies are doing is taking their best-case experience and saying, "We need to have somebody in charge of security." Then they go out and find somebody who is a former bureau agent with great physical security credentials and the stuff that they can relate to, and because he took one information security training course, he's also considered an information security specialist. So they hire him, and they task him with doing all the security.

I don't see the people who, according to George, call themselves CSOs but should be information guys only, because that's all they're actually doing. In fact I see just the opposite of what George sees. I see guys being hired as CSOs who are only doing physical security, because of their background, but are also in charge of information security.

Campbell: I absolutely agree that people like myself or these ex-bureau agents, who don't come from a background of information protection in the cyberage, have no business fancying themselves as CISOs. But there's nothing wrong with them leading that effort as part of the global security strategy, as long as they've got the Bill Spernows of the world working within that team, whether directly for them or bridged in some sort of security council.

CSO: So George sees the CISO role as tactical and the CSO role as strategic. It also seems like he sees it, in some cases, as hierarchical, with the CISO under the CSO?

Spernow: I don't think so. The larger the organization, the more likely the security effort will be accomplished if the CSO and the CISO are on a peer level. In a midsize company, I'd recommend that the CISO be independent to the point where maybe he reports to legal as opposed to IT, because most of the IT exposure you'll see from the information side is legal liability. And if you don't have the backing of legal to argue your case in front of the board, then you're probably not going to accomplish too much.
