In Brief

Unified Security Management: The Pain

Creating a unified security function means overcoming challenges from top executives, existing processes and change-resistant employees

By Todd Datz

Executive security committees are a good place to not only gain buy-in for security initiatives but to get help from senior leadership in bridging cultural gaps.

Keith Antonides, corporate information security director at a large chemical maker, has used his executive oversight committee for infosecurity to help him deal with the cultural differences between his IT organization and the engineers who manage the process control networks at the company's plants. Historically, the two staffs have had limited interaction. But in recent years, traditionally standalone process control networks have become increasingly connected to corporate networks. That has opened them up to Internet viruses, worms and other cyberattacks and made them potential targets for terrorists. (One disgruntled techie hacked into the computerized wastewater system to release raw sewage at an Australian plant in 2000. See "Out of Control," www.csoonline.com/printlinks.) After 9/11, process control engineers and IT departments realized they needed closer cooperation to help protect plant networks. Helping it happen, says Antonides, is the oversight committee, a venue that company executives have used to ensure collaboration between the two sides.

Cross-training is another effective way to make people more understanding of their fellow employees. John Pontrelli, vice president and CSO at Triwest, and Ed Telders, CSO at Pemco Insurance, both cross-train their physical and information security staffers. At Wells Fargo, CSO Bill Wipprecht began cross-training his external and internal investigations agents to do each other's jobs.

Of course, there's no silver bullet to tearing down the cultural walls separating security departments, in place for years in many companies. Cops aren't going to start sporting goatees and flannel shirts overnight, and geeks are still going to look at suits as well-tailored straitjackets. But some CSOs are making progress. Overcoming the differences between physical and information security people, says Telders, "is not as big a hurdle as it used to be."

Pain #4: Organizational Structure

As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella, Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations?

"With 300 people, it becomes a significant issue evaluating where your needs are," he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).
