All Hazards: Taking Leadership to a New Level

Our Special Report on all-hazards security management (AKA convergence) sees opportunity and inevitability

To understand how the all-hazards approach to security has evolved, play ceo for a moment. (C'mon, you've always wanted to.)

Three weeks before you announce your next-generation productrepresenting three years' investment of R&D sweat equity, not to mention big bucksthe senior VP of sales is in your office, irate. He says your biggest competitor is beating you to the punch with a nearly identical product. Cosmetic differences only. This is no coincidence. The competition has pilfered your intellectual property.

An army of lawyers firing a salvo of lawsuits may or may not stop the enemy launch. But your company has a more insidious problem on its hands, which is to figure out how this theft happened and to stop it from happening again. So how exactly did your IP walk out the door?

There are at least a dozen possibilities, some of them physical, others network related; some are purposeful and criminal, others the result of mere carelessness. The problem is that in most companies, you'd have to interrogate at least a half-dozen department heads to begin to address all the possibilities and plug the holes. Intellectual property protection is a task, or a set of tasks, that doesn't fall neatly and completely under a single branch on the traditional org chart.

Corporate security can tell you whether doors have been left ajar, but network accounts? That's a question for the IT guys. And they'll tell you that when hard-copy drafts of research in progress started rolling off the printers in the graphics department, they effectively rolled out of IT security's bailiwick. For a recent illustration of how a fly ball can fall into the gap between outfielders, look no further than February's disclosures by ChoicePoint and Bank of America. At ChoicePoint, the CISO's widely disseminated statement (essentially, that the perpetrators' posing as customers to gain access to consumer data wasn't an IT security issue, it was fraud) was both technically accurate finger-pointing and of absolutely no interest to identity theft victims who just wanted their personal data kept safe. And Bank of America lost in transit a set of backup tapes containing a gold mine of customer data.

Big companies typically put together a cross-functional investigation team to address situations like our hypothetical IP theft case. And investigations (whether of an IP leak, a fraud, a workplace violence threat, a rumored interoffice pornography incident or some other malefaction) provide a glimpse into the concept of convergencealso known as 'all hazards', integrated or holistic security management. Quite a few leading-edge companies have come to a conclusion that's as obvious to its practitioners as it is unthinkable to those stuck in a stovepiped mentality: Investigations come after something bad has already happened. Why not apply the same principles of cooperation before something bad happens? Why not bring security-focused departments together proactively, aggregating their information and expertise to look at operational risk as a unified picture and create a security plan that is more effective, more cost-efficient and more credible to upper management?

Skepticsand there are manyhave a list of Why Nots: cultural rifts, differing skill sets, terminology barriers, salary gaps. This special issue of CSO constitutes an in-depth examination of holistic security management and whether those Why Nots can, and should, be overcome. Senior Editors Todd Datz and Sarah D. Scalet put the screws to a score of convergence advocates. We challenged them to prove the payoff in concrete terms (see "The Payoff," Page 24). We grilled them on the stumbling blocks and the pain points experienced as they brought together various security functions (see "The Pain," Page 29). And we dug in for an in-depth case study of a big utility company (see "Security 2.0," Page 34) undertaking a particularly ambitious organizational convergence effort.

These are CSOs who have guided convergence efforts in the real world, and the arguments they presentcombined with trends in technology and the threats facing the corporate world todaycompellingly make the case that convergence, properly defined, is inevitable. And worthwhile.

Better security. Better risk oversight. Lower cost. Why not, indeed?

Copyright © 2005 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.