Undercover
To Security Convergence (and Back)
What's the risk of leading a successfully converged organization? That a new CEO will see your department as a dangerously high-profile cost center.
By Anonymous
January 01, 2006 — CSO
Security convergence—that is, the true meshing of physical and cybersecurity along with business continuity management—is one of the most logical concepts that's been introduced to the security world in a very long time. Convergence makes sense conceptually in the boardroom and functionally within the organization. It saves security dollars, increases efficiency and provides more effective incident response, all of which are great incentives for getting and maintaining senior executive support.
But here's a warning for all of you daring enough to push for change. You can do everything right as you go down the road to convergence. You can start getting past the cultural and political issues involved with convergence, and you can begin the tedious process of collecting metrics that demonstrate its positive impacts on the organization. But it may not be enough. The new combined organization may become a target of an efficiency program or a general cost-cutting initiative, or it may suffer after a risk decision upsets the wrong inside player.
Then, you may suddenly find yourself overseeing a transition team into the Dark Ages. The CSO is told that the company needs to "focus on other things." But hey, they say, thanks—your efforts have improved security, so we can now go back to business as usual. (And oh, by the way, we now have one less VP mouth to feed.)
I say all this because I've learned the hard way. But I still wouldn't have done anything differently.
Convergence: The Beginning and the End
There are two camps as far as how companies deal with issues and resolve problems. In the first kind, the CEO hires people and puts them in charge of business units. If things blow up, then it's their problem; it's not the corporation going awry. In the second kind, the business aims for transparency. The CSO outlines risk and works with the business units to accept it.
I belong to the latter camp. When I started with my former employer several years ago, I was asked to build a program that put together all the security pieces, including business continuity, and to be transparent. As a security department, we'd say: Here's where we think we are; we've done vulnerability and risk assessments; here are our results. We strove to make security very much a part of the business process, to be businesspeople who understood how our business worked and built programs that benefited it.
Then the company got a new CEO, who brought in a lot of new executives. At first the organizational changes that followed were presented as cost-cutting measures. But soon it became clear that the new regime thought that transparency wasn't a great thing, and that sometimes it was better to have a risk be the responsibility of a business unit. The new attitude was, "Why are we hearing about this security problem? Here's an issue that we have to deal with now that it's down on paper."