Unified Security Management: The Pain

Creating a unified security function means overcoming challenges from top executives, existing processes and change-resistant employees

By Todd Datz

The fact is, a gaggle of people, whether it be managers or lower-level employees, will be unhappy with any change to their turf. They're not going to like whom they report to, whom they have to work with and the new projects they're assigned to. Egos will be bruised, if not battered. "Folks are very protective of their rice bowls. That's natural," says Jim Mecsics, senior security analyst at SAIC, a research and engineering company, and the former vice president of corporate security at Equifax.

Mecsics, when he worked at credit bureau Equifax, had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. "I said, I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker," he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.

Ultimately, says Mecsics, security needs accountability. "They [other execs] don't want something to fall on their shoulders. I said, If we have to go to the boardroom with Donald Trump, by God, I'm going to be there with you," he says, echoing his military past. (Mecsics served in the Air Force for 27 years.)

Territorial issues are not going to go away, but there are ways to lessen their impact. Marshall Sanders, vice president of corporate security and CSO at Level3 Communications, was fortunate to have a mandate to converge when he came on board in 1999. Sanders' job was made easier because Level3 didn't have a heritage of entrenched security stovepipes. But he still needed, for example, to make sure all members of the security organization understood that they were accountable for the success of everybody on the cross-functional team. Sanders says that Level3's performance-oriented culture and use of metrics and balanced scorecards help ensure that everybody is pulling in the same direction.

"We have a saying: Our goal is to weave security into the fabric and culture of the company. Because we're employee-owned, which contributes to our success in converging, the employees have a sense of ownership and accountability," he says.

Pain #2: Executive Buy-In

You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn't feel as warm and cuddly about it as you do, your proposal will stay just that: a proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first.
