Q&A

Cyber Security Versus Physical Security: Smackdown!

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

By Scott Berinato

Page 3

Campbell: I'd underscore that. My complaint with having the CISO as part of the IT department is you get the fox in the henhouse. Where do you have an honest set of controls that can make it before the audit committee in its own right?

Spernow: I've actually fought that battle [at the Georgia Student Finance Commission] and won. The CIO should be concerned with how to maintain the infrastructure today and how to plan for its future. The CISO should be looking at the ramifications of new technologies the CIO wants to adopt. [For more on this, see "How to Rope in Rowdy Technologies" at www.csoonline.com/printlinks.]

Campbell: Let me ask you this, then. To what extent does a CISO's background and experience as an information security professional detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?

Spernow: They become technocentric. I've seen CISOs try to integrate authentication log-ins with physical security controls like access cards. That's usually where they stop because it ends up not working. At first, the locked door and exposed trash bins and all the other physical security issues associated with controlling building entry and exit...

CSO: ...they suddenly become technology problems.

Spernow: Yes, but CISOs don't really grasp the real physical threat, or the human threat. I agree that having CISOs take on CSO responsibilities is usually a disaster. Once they've been exposed to it and integrate it into their mind-set, they can be effective. But it's an uphill battle to make them change their mind-set.

Campbell: I'm reminded of a conversation I had with a CISO. I basically challenged him to tell me how the greater security organization could be engaged in the information security program. After a couple of minutes of pondering, he said, "Well, I suppose they could collect the trash."

CSO: There does seem to be an institutional arrogance on the IT side. I don't mean it to be a reflection of personal character. Just, you know, that everything is a problem that technology can solve.

Spernow: For those organizations that have the budget, I'll agree with you that the technology becomes a solution, regardless of whether it's actually applicable, because it's familiar. If I ask an auditor to do an audit, he's not going to look at AI approaches to technology. He's going to say, "Give me the books and let me look at the columns." Our history condemns us to certain limitations.
