Why you need a CSO

First off, let's get the credibility thing out on the table. When the editors of a magazine called CSO staunchly advocate for the hiring of more and more CSOs, we understand that our motives are, well, open to suspicion. And, yes, it's pretty unlikely we would take the position that there are already enough (or even too many!) CSOs. Obviously, there are not.

Thus, we remain undeterred. Irresistible evidence has piled up during the past 10 years or so. The development of technologies and online systems that both encourage legitimate and enable illegitimate access to an enterprise's vital data assets and operational controls has catapulted security from a matter of principled process hygiene to one of mortal business peril. That is what we believe.

So if you've held out this long without hiring a CSO, either your business operates exclusively on principles of risk avoidance or you're tempting fate in ways that would cause a liability lawyer to cringe. Here are five reasons to post the position right quick:

1. Any big lug (or lugette) can go out and buy products that will provide some degree of security. You just read the marketing materials, perform a little due diligence and write a bunch of checks. But security amounts to more than surveillance systems and firewalls, card readers, and intrusion detection. Security is a business value that needs to be embedded in every system and integrated into the way employees think and operate. It needs to be understood and cared about within the highest business echelons, not just in the corporate counsel's office or among members of the security team. For a change like that to occur, you'll need an anointed executive leader whose mandate is to create a security culture and architecture. His charge should not be to keep bad things from happening; it should be to create conditions that will make bad things less likely to happen. The distinction is not as subtle as it seems.

2. Risk needs to be seen in a business context. Most business activities entail some quotient of risk. It remains to be decided what degree of risk tolerance (or risk aversion) ought to be assigned to those activities. Doing that sort of analysis, and then driving toward rational decisions as its outgrowth, is a high-level art requiring the expert input of a CSO who consults closely with the executives who own the activities in question. Despite the reflexive impulse of security practitioners toward absolutism, risk and business opportunity are intertwined and must be weighed together. A good CSO will lay out the risks, their potential for havoc, the cost of mitigation and the likely impact of mitigation on the quality of the business opportunity. In many organizations, the ultimate decision on risk tolerance will belong to the business owner, not the CSO. But without the guidance of a CSO, fully informed decisions are impossible.

3. Guiding the security process shouldn't be done from the bowels of the ship. If the risks to the business are of board-level concern, and they are, then security governance ought to be seen as important enough to enjoy board-level access. A security group with no corner-office clout is a disaster in the making. There's a chicken-egg question attached to this proposition. Consider the example of the chief information officer. Did information technology become strategic when CIOs were created to lead it to the promised land? Or was the CIO position created in recognition of IT's strategic importance? We think it's a little of both. But where the CSO role is concerned, on the level of the individual enterprise, the security problem will resist solution until an empowered executive takes the helm.

4. As a corollary to the above (and we know this is slightly cynical), no problem truly gets adequate attention until someone is made accountable for solving it. When the auditors come around, your CSO is exhibit A in making the case for your new security-mindedness. Consider, too, the inimitable Thornton May, an IT consultant who observed that "what CSOs have done is, they've centralized blame" (see "Why Security Needs to Blow Its Own Horn," June 2003, at www.csoonline.com). As a result of becoming C-level players, CSOs will have to fight that accountability battle one boss at a time. But if you happen to be the boss.... Isn't it great to have someone you can hang out to dry if things don't go as you'd like?

5. Finally, if things do get better, you'll find your organization has learned to bake security into its products, processes, culture, balance sheet, reputation and asset base. And that ain't hay.

-Lew McCreary

Peer to Peer

VIEW FROM THE COO

When we first visualized the role of CSO for our company, MOL America, we had major concerns about the effects that this security officer would have on our day-to-day operations. In a large shipping company like ours, smooth, effective operations are critical. Every penny we earn, it can be argued, we earn through precise logistics.

For example, we stack containers onto ships by weight (heaviest on the bottom) or else the ship may become unstable. We also have a process for allowing "late gates," that is, containers that arrive at port late and are loaded just a few hours before the ship leaves port.

U.S. Customs reviews the manifests of all vessels bound for the United States. If they do not have enough information to determine the contents of the container, Customs will give us a "no load" message. In other words, "Sit tight and do not load the container until we can investigate the cargo further." When that happens, cargo cannot be loaded, service deteriorates, customers are upset, and operations suffer.

Nobody can afford to sit tight. But newly minted government regulations, crafted in reaction to Sept. 11, are making no-load orders more and more likely. Consider that we used to prepare manifests for Customs as much as five days after we loaded cargo and set sail. Under the new regulations, we must file a list of all cargo we plan to take on 24 hours before we load the cargo.

So on one hand, we were worried about installing a CSO because he could become a wrench in our logistical gears; on the other hand, we didn't feel like we had much of a choice because the new regulations were like a thousand wrenches in the works. And now we needed someone to help overhaul our operational plans so that they took into account compliance in the United States as well as in, say, Bangladesh or Hong Kong.

We appointed James Galligan to become our point person on all matters security. He has been instrumental in helping us weather the storm of regulations.

Jim implemented a massive security education effort on what the new regs meant. It was no small effort; Jim was working with multiple constituencies, including customers and MOL employees. He got them working together so that we wouldn't have containers sitting in Sri Lanka waiting for the go-ahead from Customs.

Mainly, he was trying to get our customers to break their old habit of submitting vague descriptions of goods for what was actually in their containers. Instead, he helped them see the importance of much more specific lists of goods. Or maybe he helped them understand how many more no-load orders they'd suffer if they didn't improve the accuracy of their information. Whatever he did, it worked. We've experienced vastly fewer no-load orders from Customs than we thought we would in the wake of the regulations; Jim is largely responsible for that.

The transportation industry in general has a strong security heritage. In our sector, we used to call it safety, and largely that's what it was. We were keeping assets safe around the world, sometimes in volatile places. Shipping's safety culture is deeply ingrained; for MOL, it includes security management systems approved by ISO standards.

But, I must admit that, historically, our security to some degree has focused on fraud, theft and pilfering of containers. These were our concerns. Now, obviously, our concerns are much broader. In a sense, we're building new levels of security into our older, more well-established discipline of safety.

Central to that is the CSO, a role that, when we started thinking about it, worried us. How would a security officer affect operations? Then it felt mandatory, and less than ideal. How would he help us cope with the new regulatory realities? Then we saw the greater benefits to operations from installing a CSO.

How could we not have Jim as part of the executive team?

It Takes Two

CONVERGENCE

You could start a pretty good dustup by telling an infosecurity guy just what the physical security guy has to say about him. And vice versa. Not a lot of love is lost between the geeks and the guards. Each side sniffs privately that it is mortally galled by what feels like a fundamental lack of respect from the other. The IT guys scorn the physec guys as a bunch of burned-out ex-cops, and the physec guys see the geeks as arrogant propeller-heads who hide their narrow focus behind an impenetrable fog of gibberish and acronyms.

Infosecurity specialists "start with the assumption that [everyone else]...won't understand the technology, so what's the sense in even talking to them," says George Campbell, former CSO of Fidelity Investments and now president of the International Security Management Association. ISMA's 300-plus members take the broad view of security as a high-level strategic activity touching virtually every enterprise function. Campbell still seethes when he describes one memorable encounter with an IT security professional who proposed a way for corporate security types to lend a helping hand to the IT side: "Well, I suppose they could collect the trash."

And so it would seem surprising to acknowledge that slowly but relentlessly, physical and information security are being brought together in more and more organizations under a single executive's guiding hand. The word to use here is convergence.

"Security is security, whether it's in the physical or IT realm," says Bob Fox, CSO of Sprint corporate security. At his company, says Fox, "the executive management team decided to consolidate all security into one organization with one leader who could look out for the entire corporation."

The challenge of pulling together security domains that have traditionally been divided by background, skill set and temperament can be a tall order. When you add in a history of mutual contempt, the tall order becomes nearly mountainous. The opportunity for an integrated view of security, and a streamlined approach to its governance, now appeals to more and more organizations. What all security mainly boils down to is risk management. Evaluating threats and calibrating appropriate countermeasures that don't unduly shackle important business opportunities are the main elements of an effective security program. Viewing threats as segregated by type, physical as opposed to digital, becomes less and less meaningful in a world where, on one hand, digital systems control many physical processes and, on the other, physical attacks menace digital networks.

Moreover, the tools for protecting physical spaces and for regulating access to them are increasingly built from information technologies, linking card readers, biometric sensors and surveillance gear to many of the same databases that control access to networked digital assets.

On what rational basis should custody of these converging authorization architectures be allocated? How about accountability for their successful performance? And who will coordinate the setting of policies that underlie their use? The answer, in many enterprises, is that now security is seen as one broad activity rather than two or more smaller ones, often rife with wasteful administrative redundancies that, because of the separation, remain hidden from view.

At Sprint, says Fox, developing dexterity in both the physical and IT arenas is increasingly important. "When we do a security assessment, we start with the physical and go through all elements into the technical security. Both sides are learning more about each other. I have employees who have asked to be moved into different parts of the security organization so that they can improve [either] their technical or traditional [security] skills."

Convergence leads to unified approaches to formulating security plans and processes. Consider terminations, for example. When an employee quits or is fired, does your company have a coordinated process to block her electronic access to the building while simultaneously shutting off e-mail and network privileges?
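The coordinated termination the paragraph above asks about, as an added example in Python that is not part of the article or of any company it mentions. Two constructed in-memory stores stand in for the badge (physical access) system and the IT directory; every name, field and user in them is an assumption made for illustration. A single terminate step revokes access in both domains and then verifies that nothing is left open, and a reconcile pass surfaces the gap that separated processes leave behind: a user disabled in one domain but still active in the other.

```python
from dataclasses import dataclass

# Constructed sample state (hypothetical users and fields). Each system is a
# separate record store, the way a badge system and an IT directory usually
# are before physical and information security converge.
BADGE_SYSTEM = {
    "jdoe":   {"badge_active": True,  "doors": ["lobby", "server_room"]},
    "asmith": {"badge_active": True,  "doors": ["lobby"]},
    "bwong":  {"badge_active": False, "doors": []},   # badge pulled, IT never told
}
IT_DIRECTORY = {
    "jdoe":   {"email": True, "vpn": True,  "network": True},
    "asmith": {"email": True, "vpn": False, "network": True},
    "bwong":  {"email": True, "vpn": True,  "network": True},  # still fully enabled
}


@dataclass
class TerminationRecord:
    user: str
    physical_revoked: bool
    logical_revoked: bool
    remaining: list  # access paths still open after the run; should be empty


def revoke_physical(badge_db, user):
    """Deactivate the badge and clear door permissions; False if unknown user."""
    rec = badge_db.get(user)
    if rec is None:
        return False
    rec["badge_active"] = False
    rec["doors"] = []
    return True


def revoke_logical(it_db, user):
    """Disable e-mail, VPN and network access; False if unknown user."""
    rec = it_db.get(user)
    if rec is None:
        return False
    for key in rec:
        rec[key] = False
    return True


def active_access(badge_db, it_db, user):
    """Every access path still open for the user, across both domains."""
    paths = []
    badge = badge_db.get(user, {})
    if badge.get("badge_active"):
        paths.append("badge")
    paths.extend(f"door:{d}" for d in badge.get("doors", []))
    paths.extend(k for k, v in it_db.get(user, {}).items() if v)
    return paths


def terminate(user, badge_db, it_db):
    """One coordinated step: revoke in both domains, then verify the result."""
    physical = revoke_physical(badge_db, user)
    logical = revoke_logical(it_db, user)
    return TerminationRecord(user, physical, logical,
                             active_access(badge_db, it_db, user))


def reconcile(badge_db, it_db):
    """Users disabled in one domain but still active in the other."""
    gaps = {}
    for user in set(badge_db) | set(it_db):
        phys_on = badge_db.get(user, {}).get("badge_active", False)
        logic_on = any(it_db.get(user, {}).values())
        if phys_on != logic_on:
            gaps[user] = {"physical": phys_on, "logical": logic_on}
    return gaps


if __name__ == "__main__":
    print("gaps before:", reconcile(BADGE_SYSTEM, IT_DIRECTORY))
    print(terminate("jdoe", BADGE_SYSTEM, IT_DIRECTORY))
    print("gaps after:", reconcile(BADGE_SYSTEM, IT_DIRECTORY))
```

The reconcile pass is the part an uncoordinated organization never runs: each side sees its own records as complete, so an account left enabled after the badge was pulled stays invisible until someone queries both stores together.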

"These days," says Steve Hunt, a research analyst with Giga Information Group, "threats are intertwined. The physical and IT security guys have to operate on a coordinated response plan where everyone's on the same page."

While the trend is real, it is not yet an epidemic. In most enterprises, the cultural barriers and organizational habits have so far kept the twain from meeting. But the unified approach is a work in progress.

As the benefits of convergence are reaped, and as the difficulties are either overcome or proved insurmountable, a clearer verdict will arrive. For now, though, it is something that deserves a serious test.

-Lew McCreary

Head to Head

A frank conversation about merging IT and physical security

CSO V. CISO
