In Depth

Unified Security: The Payoff...The Pain

The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough.

By Todd Datz


What's not to like about that? In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they've converged and the payoffs they've achieved from reorganizing their security departments to better meet the needs of their businesses.

Payoff #1 A comprehensive security strategy better aligns security goals with

Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (who served as the founding director of security for President Reagan's strategic defense initiative program in the '80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders' mission was made easier because senior executives at the company viewed security as a key enabler for the business. "We're a network services provider - we're all about network availability. If the network isn't available due to a logical or physical incident, it's a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture," he says.

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see "Security Committee," Page 28). "It's critical to have top-down sponsorship," Sanders says, adding that in his case, the CEO "realized security needed to be integrated into the architecture of the business." The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. "It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security's problem - it's a business concern."

Sanders defines unified security or convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there's always some duplication in a stovepiped security organization - in overhead and programs, for example - it's more cost-effective to manage an integrated one. Not only that - duplication can lead to unproductive turf battles among security groups for resources, he adds.
