Unified Security: The Payoff...The Pain

The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough.

Talk to Jim Mecsics about the benefits of a unified security operation, and you'll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there's a security problem, the CEO is going to jab Mecsics' belly button, hold him accountable and say, "Fix it."

His point: In a converged security organization, there's only one button to pushexecutives don't have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.

More on that later.

Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security programto bring together previously disparate pieces of security, including physical and information security, under one roof.

It didn't take long for the unified security reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax's networks. Mecsics and his team went to workthey set up a plan, mapped out the bad guys' architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney's office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).

"That was a pure example of [the benefit of] us having everything under one umbrella," says Mecsics. "I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy," he says.

Mecsics didn't have to get authorization from people's bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company's benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)

Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you're trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.

What's not to like about that? In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they've converged and the payoffs they've achieved from reorganizing their security departments to better meet the needs of their businesses.Payoff #1 A comprehensive security strategy better aligns security goals with

Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (and who served as the founding director of security for President Reagan's strategic defense initiative program in the '80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders' mission was made easier because senior executives at the company viewed security as a key enabler for the business. "We're a network services providerwe're all about network availability. If the network isn't available due to a logical or physical incident, it's a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture," he says.

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see "Security Committee," Page 28). "It's critical to have top-down sponsorship," Sanders says, adding that in his case, the CEO "realized security needed to be integrated into the architecture of the business." The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. "It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security's problemit's a business concern."

Sanders defines unified security or convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there's always some duplication in a stovepiped security organizationin overhead and programs, for exampleit's more cost-effective to manage an integrated one. Not only thatduplication can lead to unproductive turf battles among security groups for resources, he adds.

Does every company need to converge to effectively integrate security with the overall goals of the business? Not necessarily. Some companiesfor example, small organizations that may not need a CSOoperate fine with separate information and physical organizations, says Ed Telders, CSO at Pemco Insurance. In others, Telders notes, the lack of effective convergence is a problem. "I tell people to do a risk assessment of the organization, do a cost-benefit of having two groups versus one, and make decisions based on business, not politics or anything else," he says.Payoff #2 The CSO can be a single point of contactBringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top, or, as Mecsics says above, can function as the security belly button.

When there's a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn't have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.

To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

He lists numerous benefits, including having visibility into where the organization is going. "If I didn't have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization," Pontrelli says. "Because I have such access and visibility to the C-level leadership, they know what I'm doing. It's not a mystery. They know my resources, what's being spent."

This status gives him a greater ability to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn't work at a place "that doesn't have a CSO reporting at the C-level with visibility and accountability at that level."

At Wells Fargo, CSO Bill Wipprecht also likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisionsinternal investigations, external investigations, physical security, enterprise services and the uniformed services divisionand has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that translates into the way he handles customer service. "Our rule is, if you call anybody in corporate security on any issue, we don't tell them to call Fred in the other group; we dial the number for them. They don't know they're talking to the wrong divisionit's an invisible transfer to the customer," he says.Payoff #3 Information-sharing among disparate security functions increasesFor all the benefits of convergence, one of the biggest ones is that the level of cooperation and sharing of information among employees should increase. Will sharing happen overnight? Of course not. (See "The Pain," Page 29, for some of the obstacles that need to be overcome.) But bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist among people who previously had prime allegiance to their individual security function.

Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He's CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety at their own sites, but there was little collaboration among them. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stovepiped structure. Loving began to coordinate security at the units.

The results were immediate. Last July the Department of Energy ordered a stand-down of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.

"In the past, each site would have gotten guidance from the government, then they'd go off and put protections in place. We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day," says Loving. (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. "That saved significant costs," he says.

CSOs (and CIOs) who work in certain manufacturing industries have been dealing with a different kind of stovepiped structure for years that, after 9/11, has started to get more scrutiny from the federal government. Many critical infrastructure industries, such as chemical, petroleum and nuclear, employ process control systems. Those systems are used for a wide variety of tasksfor example, they turn valves on or off and measure temperatures and pressures in reactors. What's come to light in recent years, as they've become increasingly connected to other company networks and the Internet, is how vulnerable these systems are to cyberattack because the security of these process control networks has been an afterthought. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers did what they had been doing for years, namely, taking care of the systems themselves. "When I joined the company six years ago, it was hands off, you have no authority here. After 9/11, they were asking for my input. It was a major shift," he says. Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)