Undercover

To Security Convergence (and Back)

What's the risk of leading a successfully converged organization? That a new CEO will see your department as a dangerously high-profile cost center.

By Anonymous

Page 3

The Transparency Backlash

A lot of security guys get away with keeping very under-the-radar programs. They don't bring things up, and they resolve things at very low levels. Maybe it works for them.

For me, I had a three-ring binder with 100 pages of all the incidents that occurred, all the regulatory issues that were affecting us, all the risk remediation activities that we had conducted. I always said, "Hey, I'm not hiding anything. My program is here to support the business. I want absolute transparency." In the end, it worked against me. If anybody wanted to take a punch at me, they could. I provided all the information.

I don't think I would have been able to stomach taking the program so far under the radar that it wasn't an issue with the new leadership. I always thought we could let our accomplishments speak for themselves. But in the end, the decision for the company to deconverge seemed like an emotional outcome of how the new leadership liked to think about the world.

Even with everything that happened, even after watching my unified security department be systematically taken apart, I still really believe in the convergence model. I believe that today's security organizations need to be wholly unified and manage all security risk across the organization. Traditional walls between security disciplines have to come down, and new positions have to be created to consolidate functions such as reporting, incident response, blended risk assessments, security policy and standards development. This combined security framework, which is made up of many integrated processes, begins to create its own business function, and it moves toward a security governance model that is better suited to support and guide the organization. The process of architecting this structure emphasizes the requirements and scope of the program, and it raises security awareness. It allows the security program to identify opportunities where security can produce business benefits, increase system and resource efficiency, and achieve enterprise compliance.

A converged organization is positioned to make security a functional strategy and possibly a business opportunity. Expanding the view and scope of security is a necessary part of integrating security risk management into an organization. The definition of security is broadened to include physical security, information security, risk management and business continuity. A CSO with this functional breadth provides more value to the organization and to the overall leadership team.

The overall goal is to embed security into business processes and executive decision-making. This is the convergence recipe. The only ingredients that the CSO can't provide are forward-thinking senior executives who are willing to do more than pay lip service to ensuring the company's sustained secure performance, even if this support stems only from the realization that security will protect their lucrative jobs and incentive plans.
