Why Security Convergence Is Elusive

Last month, CSO's editor asked why CSOs can't all just get along in a world of converged security management. The problem is that we've got to raise our profiles in the corporate world first.

Don't get me wrong. I'm one of these readers who is very happy with this journal. CSO has raised the bar on discussion of security management issues. And especially over the past year-plus, it has given more balance and coverage to noninfosecurity topics. That desire for balance is another reflection that information security is but one set of challenges, and maybe not the most pressing for some CSOs.

What are we to do with the idea of a blissful state of unification? Does unification mean one point of accountability for all things security? Or is it achieved in a holistic strategy that addresses risk-ranked priorities? I don't think that governance or convergence are McCreary's real issues. More important is understanding an organization's risks, and then engaging everyone who can contribute to managing them cost effectively.

Of course, all security executives should thirst for insight into the unaddressed risks of infosecurity. Risk analysis is about identifying unaddressed vulnerabilities, the CSO's principal stock in trade. If a company rises or falls on the integrity of its infosec program, I have to assume a thoughtful risk management strategy has connected these dots. And any security element that could contribute to bulletproof protection will be at the table, sharing its hunger for answers with fellow governance stakeholders.