Unified Security: The Payoff...The Pain

The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough.

"In the past, each site would have gotten guidance from the government, then they'd go off and put protections in place. We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day," says Loving. (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. "That saved significant costs," he says.

CSOs (and CIOs) who work in certain manufacturing industries have been dealing with a different kind of stovepiped structure for years that, after 9/11, has started to get more scrutiny from the federal government. Many critical infrastructure industries, such as chemical, petroleum and nuclear, employ process control systems. Those systems are used for a wide variety of tasksfor example, they turn valves on or off and measure temperatures and pressures in reactors. What's come to light in recent years, as they've become increasingly connected to other company networks and the Internet, is how vulnerable these systems are to cyberattack because the security of these process control networks has been an afterthought. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers did what they had been doing for years, namely, taking care of the systems themselves. "When I joined the company six years ago, it was hands off, you have no authority here. After 9/11, they were asking for my input. It was a major shift," he says. Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

Bob Pembleton has also been experienc-ing the benefits of closer collaboration. The 30-year security veteran (he previously held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. "I couldn't get a clear picture of a program for the whole enterprise," he says.