To Security Convergence (and Back)

What's the risk of leading a successfully converged organization? That a new CEO will see your department as a dangerously high-profile cost center.

In doing all this, though, the CSO is taking a personal riskâ¬first, by getting that level of visibility, and second, by consolidating what in some people's minds are several cost centers into one bigger cost center. In a Fortune 500 company with many executives, the CSO, usually one of the junior executives, is opening himself up by getting that level of attention in the boardroom. You're going to get your advocates, and you're going to have the folks who traditionally will look at security as a cost center no matter what.

There were certain executives that appreciated our level of transparency and were strong advocates. There were others for whom it was too much. They didn't want to review and approve the policies we were writing. They saw security as cumbersome. Low-level grumbling about security ensued, growing louder, more insistent, its increasing volume usually inversely proportionate to its substance. When this happens, it's only a matter of time before CEOs are making critical decisions on security initiativesâ¬and even on the continued existence of the security program itselfâ¬that are based on 10 percent facts, 80 percent blind acceptance of unfounded opinion and 10 percent their own uninformed conclusions. The attitude becomes, Don't ask the security experts; they'll probably just muddy up the water.

Some of us will not survive the process, and organizational pressure will push the unified organizations back into a more traditional cost center model. Some will successfully make the transition, and slowly over time this new and valuable approach will become the norm. Down the road, I hope to be CSO of an organization where convergence is not just the reality, but the norm. I'm optimistic that I will be. I even predict that in a few years, my former employer will go back to the converged model.

Everything worth achieving comes with risk. As CSOs, we do our best when facing and managing risk. We should continue to take the challenge and go into the breach. Chasing after a unified program is worth it.