Q&A

Cyber Security Versus Physical Security: Smackdown!

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

By Scott Berinato


Campbell: Where does the audit program fit into this equation, Bill? Are the [auditors] doing their job to point out to committees and senior management what the risks are to their information assets?

Spernow: I think they try, but because the risks aren't actually threats at the doorstep, they fail.

Campbell: It gets back to the notion of a true partnership [between CSO and CISO]. You need a fundamental relationship, based on the risk assessment and the relative roles and responsibilities that are going to be performed by the two organizations. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where the [two parties] will never talk. And I bet Bill has seen more cases where CISO and CSO didn't talk than those where they truly had a partnership...

Spernow: ...because they build their moats, and it ends up being ego issues.

Campbell: Well, you know, we're the knuckle-draggers.

Spernow: Right.

CSO: George has said more than once that CISOs think CSOs are just cops, that they lock gates and so forth. Talk about those biases and how you get past them.

Spernow: From a CISO perspective, we see CSOs (without the info security role) as those whose methodologies are proven from a tactical perspective. That allows them to be totally strategic [in their focus]. In comparison, CISOs are always dealing with new developments. So we have to bounce between tactical and strategic [orientations]. For example, I'm struggling with intrusion detection and prevention, trying to deal with behavior patterns of traffic for which there are no set methodologies of counteraction. I'm trying to be strategic, but I have to figure out how this will just work. I'd like to be in the CSO's position where he has that luxury, of being strategic all the time. CISOs don't have that luxury.

Campbell: The premise here is that Bill's removing the info security function from the CSO...

Spernow: ...for the purpose of the argument.

Campbell: Understood, understood. But if you do that in the real world, the person we're talking about isn't really a CSO anymore. The notion of a CSO must extend to all aspects of protecting assets, including information assets. The perception that we have the luxury of being more strategic, um, I'll go along with it to a point. Except that I think our whole landscape is a learning process too. If anything, CISOs are dealing with more absolutes, the laws of physics, with machines. I'm dealing with behavior and the incredible number of variables in behavior. So it's not technically complex, but it's certainly not easy. And that's where I see the intellectual arrogance of Bill's colleagues. We're rejected out of hand as being too ignorant to appreciate their challenges. What about our challenges? I bristle at that.
