In Depth

Leading a Converged Security Operation: Critical Skills

The cultural challenges are significant, and the CSO has to lead the way in learning and changing. We spoke with several converged CSOs for their take on building the necessary skills to hold the job.

By Joan Goodchild, Senior Editor

September 02, 2008 — CSO —

John had a massive challenge to tackle. A former IT security officer at a large bank in New York, he and his wife packed up and moved across the country so he could take on the role of chief security officer with a well-known provider of loans, retail financing, and other credit related products.

His first task? To build a converged security department (a single organization integrating disparate security branches, typically including digitial and physical security at minimum). An undertaking any veteran security executive will tell you is no easy mission. John, who asked us not to use his name because he is not authorized to speak to the media, decided his strategy would be to take baby steps.

"I spent the first six months to a year just observing," said John. "Things were highly decentralized. People had built processes in silos. We didn't buy any tools for two years. We worked on organizational change first."

Merging things was a slow and met with resistance. Resistance came from personnel on both sides, both physical and IT, as very different types of employees just couldn't relate to one another. And, of course, there were demands from management to do things as cheaply as possible.

When it comes to converged security, stories like this are not uncommon. How do you bridge both worlds if you come from one? Veteran CSOs agree that it all starts with personal growth and change.

Seek a network of support

John reached out to others who had been through converged efforts. While he said converged CSOs remain a relatively rare breed, he did find others with expertise to talk to—with industry assocation ASIS proving a particularly valuable resource.

"I think that ASIS has the strongest network of converged CSOs that I am personally aware of," said John. "I helped found an ASIS chapter locally and this association has been a great resource for information, contacts and support."

Seek practical experience

Martin Carmichael is the CSO of security software developer Mcafee. He is responsible for the company's internal information and physical security. His experience with convergence began when he was CSO at Asurion Corp., a provider of customer contact and support services. There, he dealt with what he calls a "huge amount of resistance to change" from personnel.

"I found as I brought IT into physical there were complete misunderstandings," he said "Each thought the other had it easier. Physical security wanted to spend more on things like video surveillance. And the IT people didn't understand that physical security is critical to infrastructure."