Undercover

Why Security Convergence Is Elusive

Last month, CSO's editor asked why CSOs can't all just get along in a world of converged security management. The problem is that we've got to raise our profiles in the corporate world first.

By Anonymous

Where is security's importance recognized in the volumes of recent academic discovery on corporate integrity? Where is security's role acknowledged as part of the management lexicon on governance? Shouldn't we find evidence of shared ownership of security risk in newly energized governance models? Have we CSOs established a pattern of linked threats, vulnerabilities, risks and countermeasures to drive corporate risk management models?

Selectively, yes. But generally, no. We have a lot of work to do.

In Search of Convergence

The editor's letter also asserts that there's an "evolutionary path toward a converged model of governance." What is this nirvana, this "blissful state of unification"?

Just for the record, I have served in both types of models: unification and grieving separation. The first was a converged, wholly integrated security program; the second was a more balkanized place, where information security was initially split between risk and the CIO, and later brought totally under the CIO. (Corporate Security retained its cyberforensic and investigative missions in both models.) Honesty compels me to say that I'd opt for the former model. It's a situation in which the information and technical environments are, shall we say, more data-integrity tranquil and less risk averse. When the enterprise rises or falls on zero downtime, strict confidentiality and flawless data integrity, I'm very happy to have my CIO colleague own information risk management. (Believe me, when it really hits the fan, proximity has its liabilities.) Having "security" as our priority mission, do we share ownership for what just stuck to the fan? You bet. But, like I said earlier, risk is relative.

So what are we converging here? Remember, there's a bigger picture involved than the security function. I'm still hung up on the lack of progress in converging security into the larger corporate governance scheme, not merely a converged assemblage of security parts. What is the embarkation point for this evolutionary path? Should the incremental steps begin at the bottom, with security pushing its way in? Or from the top, launched as an epiphany from the CEO?

There are signs of life. I'm encouraged that a number of my CSO colleagues are taking on new duties associated with a redefined notion of corporate governance (often not including infosec), but I worry about the shelf life of these limited steps. We really need to penetrate MBA programs, question the limited scope of established risk-management concepts and better advertise what we bring to the governance table. We are making selective inroads with our security colleagues, but not with our senior management clientele.
