Q&A
Cyber Security Versus Physical Security: Smackdown!
Two former colleagues square off to debate the division of roles and responsibilities of security leaders.
By Scott Berinato
Spernow: George is correct in that the CSO cannot appreciate the technical challenges I have because, in a lot of cases, I don't understand the challenges myself. And if I don't, I'm damn sure a CSO won't.
Spernow: I don't think I agree with this whole "laws of physics" assertion. Conceptually it might be valid, but in reality we're experimenting every day in how we do this. We're not dealing with set laws.
Campbell: The sad thing is the need to even have a debate like this. When you peel it back, we're all in the same business. The fact that there's a vocabulary, tools, principles applied by CISOs that are arcane or hard for a layman like me to understand doesn't one bit change the fact that we're all here to provide integrated controls. Integrated. Underscore that. I have to think about being prepared to work with information security executives; and when it hits the fan, they have to be prepared to help me.
You know, it's all about vocabulary. CISOs will say, "You guys just aren't going to understand what I'm trying to deal with here. It requires knowledge that you guys don't have." Acknowledged, right, understood. But suppose I ask, "What's the purpose of the technology, this lexicon that I don't understand? What are you trying to do?" And the CISO says, "Well, I'm trying to protect against intrusion." Ah! That I can understand.
Spernow: On the other hand, we're considered a bunch of propeller heads...
Campbell: ...pointy-headed propeller heads. [Laughter.]
Spernow: We're looked at as techies who somehow managed to wriggle into management. [People like George] view us as being here because of a special skill set and not necessarily because we can do the job.
Campbell: I think CISOs start with the assumption that those guys on the other security side, that CSO team, just aren't going to understand what my problems are. They don't understand what I'm up against, they don't understand the technology, so what's the sense in even talking to them.



