In Brief

The Defining Moment

Now is the time to consider what convergence is and what it isn't

By Derek Slater

Having noted that convergence isn't accomplished by remaking reporting relationships, Williams circles back to reemphasize that convergence is not the same as "having lunch once in a while. That doesn't get the job done, because there's no accountability," he says. Whatever the reporting matrix, holistic security has to be institutionalized and cooperation formalized in a set of processes.

Appropriate leadership is a vital component. For starters, the leader of a converged department, regardless of personal background, must aim to raise the prominence of all branches that fall under his purview. Constellation Energy Group CIO Beth Perlman, who handed the reins of information security to ex-Marine John Petruzzi, sums it up: "If you don't trust the person you're giving the group to, forget it; it will never work." But Perlman and Petruzzi established that mutual trust, and the Constellation technical security employees who left Perlman's group to join Petruzzi's feel that they are now more visible to upper management (see "Security 2.0," Page 34).

Another key leadership requirement, Williams adds, is the ability to articulate security and risk issues in the context of business activities and in the language of the corporate boardroom. Williams himself finished an MBA degree to acquire the necessary skills.

Constellation Energy's CEO, Mayo A. Shattuck III, describes integrated security management as part of a top-down approach to getting a handle on an organization's exposure to risk. But just as often, the seeds are planted at the tactical level.

Children's Hospital in Boston has a complicated workforce. It's a teaching hospital, so in addition to normal staff turnover, new physicians come and go "in waves," according to CISO Paul Scheib. Some doctors are actually employees of various foundations rather than of the hospital itself. To help keep pace with creating and managing new network accounts and assigning the right privileges, the hospital first implemented password-management software and later a more complete identity-management suite from Courion.

While the impetus was on the hiring end of the employee lifecycle, Scheib says a big payoff is that access can be shut off in a more timely manner when an employee leaves the organization. And Scheib finds himself working closely with the hospital's physical security group to integrate door access badges into the identity management approach. In the past, Scheib notes, "we had our information and they had theirs"; there was very little sharing of information. "Now we're working on a metadirectory project and starting to map both physical and infosecurity data and to define roles that require physical access to high-security areas such as surgical suites." Children's Hospital has no organizational initiative dubbed "convergence"; it's just security people recognizing the efficiencies of working together.
