In Brief

The Defining Moment

By Derek Slater

April 15, 2005, CSO

Gently prod a convergence conscientious objector, and what you often discover is a misconception about what the term means.

Convergence does not mean ripping the IT security group out from under the CIO and stapling it to the hindquarters of the corporate security group, where a 70-year-old ex-cop security manager can proceed to ignore it. Neither does it mean piling contract guard management on the already overloaded plate of a horn-rimmed, twentysomething firewall jockey who thinks "shredding" is strictly a snowboarding reference.

Those aren't convergence; they are merely dumb ideas. And like a lot of dumb ideas (rooted in an insufficient respect for reality), they provoke objections that miss the point, such as: "IT security is too complicated and important to entrust to those 'guns and holsters' guys." Or "How can a technogeek possibly manage an executive protection strategy?" (For a list of five common convergence objections just begging to be overruled, go to www.csoonline.com/printlinks.)

It may be more revealing to think in terms of integrated or holistic security management. In fact, while physical and information security are the cornerstones of holistic security, they aren't the whole ball of wax. Depending on which industry they serve, CSOs need visibility into fraud and loss-prevention efforts, investigations, process-control systems, business continuity, pieces of regulatory compliance, some aspects of the human resources function and audit.

But reworking the organizational chart isn't really the end goal, according to Timothy Williams; it's just one possible means of establishing the necessary accountability and processes that make security effective. Williams is the CSO at Nortel Networks, where he has been leading a centralized, multifaceted security program since 1990.

"Convergence doesn't necessarily mean reporting relationships. It's about how we manage risk and the processes between the domains," he says. A case of intellectual property theft doesn't fit neatly into any of the domains of IT, corporate security or legal; it crosses all of these functions (see "Taking Leadership to a New Level," Page 16). To Williams, convergence is about "what we are doing to make sure we're not creating or missing an interdependency between the various areas."

In some cases, the CSO (by whatever title he or she goes) has direct oversight of two or three branches of security, plus dotted-line reports to well-placed employees in other branches. Which lines are dotted and which are solid can depend on the circumstances and priorities of each company, and on the expertise of the CSO. Steve Hunt, a CPP-toting former Forrester Research analyst, goes so far as to say the leadership role is best handled by a committee, an idea he says is gaining traction particularly in Europe. Hunt says he has seen it work, though it's worth noting that leadership by committee generally has a checkered history in the corporate world.
