Undercover
Why Security Convergence Is Elusive
Last month, CSO's editor asked why CSOs can't all just get along in a world of converged security management. The problem is that we've got to raise our profiles in the corporate world first.
By Anonymous
Recalling the frequent diatribes between infosec and "traditional" security executives (let's call them "generalists"), I can't blame McCreary for seeing mistrust and legacy attitudes as barriers to a convergence of security missions. He bemoans the "way too many snarky rejoinders tossed across the divide between traditional and infosec camps. And camps are apparently what, too often, they are. Can someone please explain to me why this is?" Let me give that a try.
History Channel
Twenty or 30 years ago, much of our approach to information protection was centered on physical and operational security. Look at the Department of Defense or the protection of corporate trade secrets. Picture confidential media stored in file cabinets within limited-access rooms equipped with alarms and highly structured procedures.
Today's prevalent organizational model reflects the growth of information security within the IT group as data went virtual and threats to information assets grew exponentially. Physical and operational security became service providers. If there is a separate camp philosophy, it reflects short-sighted risk analyses and a lack of managerial initiative to develop an integrated strategy.
Is mistrust a product of being in different camps or of culture and design? CSO generalists come from vastly different backgrounds than their CISO counterparts. The vocabulary, the competencies, the expectations of their bosses on what risks to address, and the whole notion of the threat (the adversary) differ, often dramatically. Generalists deal with a diverse risk environment, while CISOs tend to work within a more predictable and highly structured technical environment. In many organizations, you'll also find some jealousy when non-IT security personnel compare their salaries with those of their IT security colleagues.
Look at the actuarial tables on many of today's CSOs. As this group retires, it will be interesting to see how the emerging generation of security generalists will approach information security given their grounding in day-to-day use of the technology. (It is a daunting task for those of us who grudgingly met computers late in life.)
Sure, both camps have silly and ignorant perceptions along with the occasional snarky rejoinder. The ex-cop who sees geeks speaking in tongues. The technically arrogant CISO who believes those knuckle-draggers are qualified only to handle the confidential trash. Real CSOs take risk seriously, regardless of its source.
We're All Hungry for Information
At day's end, it's the notion of information integrity and how we rate the criticality of information-based assets that tends to separate or meld the camps rather than trust or turf. Where information is king, the crown prince is the CIO. A compelling accountability rationale is made by IT professionals that much of information security is platform- and application-based, with a heavy dose of policy compliance by individuals with access. If a critical system or process tips over due to a breach, more often than not it's the CIO/CISO who is on the carpet. While not blissful, perhaps we have convergence if the CSO is standing tall there beside them.