In Brief

Unified Security Management: The Pain

Creating a unified security function means overcoming challenges from top executives, existing processes and change-resistant employees

By Todd Datz


Bob Pembleton, chief security and privacy officer at EDS, wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. "We had conversations about what we were trying to do, then did a couple of sites to prove the concept," he says. "The centralization proved so efficient that the senior leadership raised the question, Wouldn't it be more efficient to put all four lines in the same security organization?" Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

Communication is also critical: if you don't get buy-in initially, communicate with the leaders who are feeling the impact of whatever change you're trying to make, says Pembleton. "Try to put yourself in the other person's position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?" he says.

Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI), a major undertaking. Executives might view it as an expensive investment that doesn't return immediate value to the company. Implementing PKI would require every business unit to conform its applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. "Everybody gets a digital smart card, a big step toward PKI, and you can help sell it by saying the card would contain a smart chip that contains all of a user's passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI," says Hunt. "A convergence project will fail if it can't demonstrate business value. Some convergence projects have to be made more relevant to the business," he says.

Executive security committees, comprising top management and the heads of security, are another valuable way to gain buy-in. (See "All Together Now," Page 27.)

Pain #3: Cultural Differences

It's no secret that, oftentimes, corporate security people are from Venus and IT security people are from Mars (see "Mad About You," www.csoonline.com/printlinks). So CSOs with a bent toward convergence need to be aware of the cultural differences (not just between physical and information security, but among all security-related departments) and have a plan to deal with them.
