All Hazards: Taking Leadership to a New Level

Our Special Report on all-hazards security management (AKA convergence) sees opportunity and inevitability

By Derek Slater

April 15, 2005 — CSO — To understand how the all-hazards approach to security has evolved, play ceo for a moment. (C'mon, you've always wanted to.)

Three weeks before you announce your next-generation productrepresenting three years' investment of R&D sweat equity, not to mention big bucksthe senior VP of sales is in your office, irate. He says your biggest competitor is beating you to the punch with a nearly identical product. Cosmetic differences only. This is no coincidence. The competition has pilfered your intellectual property.

An army of lawyers firing a salvo of lawsuits may or may not stop the enemy launch. But your company has a more insidious problem on its hands, which is to figure out how this theft happened and to stop it from happening again. So how exactly did your IP walk out the door?

There are at least a dozen possibilities, some of them physical, others network related; some are purposeful and criminal, others the result of mere carelessness. The problem is that in most companies, you'd have to interrogate at least a half-dozen department heads to begin to address all the possibilities and plug the holes. Intellectual property protection is a task, or a set of tasks, that doesn't fall neatly and completely under a single branch on the traditional org chart.

Corporate security can tell you whether doors have been left ajar, but network accounts? That's a question for the IT guys. And they'll tell you that when hard-copy drafts of research in progress started rolling off the printers in the graphics department, they effectively rolled out of IT security's bailiwick. For a recent illustration of how a fly ball can fall into the gap between outfielders, look no further than February's disclosures by ChoicePoint and Bank of America. At ChoicePoint, the CISO's widely disseminated statement (essentially, that the perpetrators' posing as customers to gain access to consumer data wasn't an IT security issue, it was fraud) was both technically accurate finger-pointing and of absolutely no interest to identity theft victims who just wanted their personal data kept safe. And Bank of America lost in transit a set of backup tapes containing a gold mine of customer data.

Big companies typically put together a cross-functional investigation team to address situations like our hypothetical IP theft case. And investigations (whether of an IP leak, a fraud, a workplace violence threat, a rumored interoffice pornography incident or some other malefaction) provide a glimpse into the concept of convergencealso known as 'all hazards', integrated or holistic security management. Quite a few leading-edge companies have come to a conclusion that's as obvious to its practitioners as it is unthinkable to those stuck in a stovepiped mentality: Investigations come after something bad has already happened. Why not apply the same principles of cooperation before something bad happens? Why not bring security-focused departments together proactively, aggregating their information and expertise to look at operational risk as a unified picture and create a security plan that is more effective, more cost-efficient and more credible to upper management?