In Depth

Unified Security: The Payoff...The Pain

The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough.

By Todd Datz

Does every company need to converge to effectively integrate security with the overall goals of the business? Not necessarily. Some companies (for example, small organizations that may not need a CSO) operate fine with separate information and physical organizations, says Ed Telders, CSO at Pemco Insurance. In others, Telders notes, the lack of effective convergence is a problem. "I tell people to do a risk assessment of the organization, do a cost-benefit of having two groups versus one, and make decisions based on business, not politics or anything else," he says.

Payoff #2: The CSO can be a single point of contact

Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top, or, as Mecsics says above, can function as the security belly button.

When there's a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn't have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.

To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

He lists numerous benefits, including having visibility into where the organization is going. "If I didn't have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization," Pontrelli says. "Because I have such access and visibility to the C-level leadership, they know what I'm doing. It's not a mystery. They know my resources, what's being spent."

This status gives him a greater ability to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn't work at a place "that doesn't have a CSO reporting at the C-level with visibility and accountability at that level."
