Unified Security: The Payoff...The Pain

The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough.

April 15, 2005 — CSO — Talk to Jim Mecsics about the benefits of a unified security operation, and you'll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there's a security problem, the CEO is going to jab Mecsics' belly button, hold him accountable and say, "Fix it."

His point: In a converged security organization, there's only one button to pushexecutives don't have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.

More on that later.

Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security programto bring together previously disparate pieces of security, including physical and information security, under one roof.

It didn't take long for the unified security reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax's networks. Mecsics and his team went to workthey set up a plan, mapped out the bad guys' architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney's office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).

"That was a pure example of [the benefit of] us having everything under one umbrella," says Mecsics. "I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy," he says.

Mecsics didn't have to get authorization from people's bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company's benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)

Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you're trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.