Why Security Convergence Is Elusive
Last month, CSO's editor asked why CSOs can't all just get along in a world of converged security management. The problem is that we've got to raise our profiles in the corporate world first.
By Anonymous
January 01, 2005 — CSO
The trouble with reading is you may get invigorated.
Last month, I read Editor in Chief Lew McCreary's letter to readers. In it, he places a fundamental challenge on the table: "As security continues its evolutionary path toward, we believe, a converged model of governance, the blissful state of unification between infosec and traditional disciplines, it still founders on unproductive mistrust and legacy attitudes."
That statement was enough for an entrée, but then came this question for dessert: "If security governance is largely a matter of risk management, shouldn't there be an insatiable hunger among all security executives for insight into the unaddressed risks of infosecurity?"
As someone who understands concepts such as "unproductive mistrust" and "legacy attitudes," let me offer a contrarian view.
First, the question. Any CSO worthy of the title would have to have an "insatiable hunger for insight into unaddressed risks." But which risks? I have a list of 600-plus risks that require some measure of analysis and safeguard. Are these the same for my colleague in a different industry? No! While we have shared concerns, from personnel background checks to the protection of assets, I would quarrel with the notion of a single common set of risks that confronts all businesses. Each CSO has a specific set of risks and responsibilities based on his circumstances.
In many places, risk to information is not the security issue that keeps top management (and therefore their CSOs) awake at night. Business is too diverse, and the franchise-threatening list of unmentionables is all over the map.
Consider that map for a moment. There are 99 major industrial groups, from manufacturing to services to public-sector agencies, in the U.S. government's industrial classification system. It may be said that there is little in common in the way the thousands of entities in each of these groups approach security (if such a function even exists). Each handles the perception and management of risks according to its priorities. Information is likely precious to all of them, yet many manage their risk exposure with relatively mundane security practices. Fiduciary responsibilities and shareholder expectations drive others to devote significant resources to information protection.
I agree with the generalization that "security governance is largely a matter of risk management." But who's defining governance? Sarbanes-Oxley has largely defined the corner office players in corporate governance. The truly converged or "full service" security program, one that constantly works on business conduct investigations, due diligence efforts, background checks, intellectual property protection and other reputation-protection functions, can do a better job mitigating risks than the audit group or other designated hitters in corporate governance, who typically enter the picture periodically.