Case Study: Security Convergence
What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.
By Sarah D. Scalet
Dunlap, too, saw convergence as an opportunity. "Before, we were kind of...I don't want to say sequestered, but to some degree we were just another guy at the table," he says. "We saw coming out and working for the risk management group as a kind of independence. It's not that we necessarily swing a bigger stick, but we have a very clear escalation path that doesn't go to the CIO anymore. It's not a server maintenance problem. It's a vulnerability management problem."
As for Petruzzi, he's getting savvier about navigating that escalation path. Collins, the CRO, has led him to approach things from a financial risk management perspective. It's been an education. It took Petruzzi three tries to get his first business plan right.
"The first-year approach was kind of going to be, let's just let things run how they are and build a better plan instead of trying to come out of the gate with this plan to consolidate, reduce costs and make a more oversight-oriented business function," Petruzzi recalls. "That didn't fly. It was kind of like, 'That's not going to work. I'm a finance person. I want you to show me where you have places you can save costs by consolidation.'"
Three months later, Petruzzi finally got the plan approved and along the way became conversant with the finer distinctions between, say, cost reduction and cost avoidance. Because Collins is chief risk officer and not chief financial officer, Petruzzi says, the focus on cost savings doesn't happen at the expense of good security. "At the same time that [Collins] is making us be financially responsible, he also is saying we're only going to go to a certain level of risk," Petruzzi says. He speaks like a person who has transformed from someone who merely secures assets into someone who analyzes and balances risks. Could it be that at the CSO level, the "new breed of security specialist" will not be a security specialist at all?
As for Constellation, it's still too early to say whether the project truly will lead to the increased efficiency and effectiveness that the company is expecting. Hunt, the analyst, doesn't mince words about the odds Constellation is up against.
"I think that most converged departments lead to a loss of efficiency, of effectiveness, or [to] utter failure. I wish it weren't that way." Hunt is convinced that companies will just not be able to reconcile the cultural differences between the two departments. He also suspects that in the long run, the most effective "convergence" may lie not in the integration of the two departments, but in targeted, specific projects done jointly



