Unified Security Management: The Pain

Creating a unified security function means overcoming challenges from top executives, existing processes and change-resistant employees

For the plus side of unified security management, see The Payoff.

Wednesday, April 21, 9:00 P.M. (EST), All Hands on Deck: The Making of a 21st Century Security Department (made-for-TV movie, 2005):

A new corporate security director takes the reins at a company that has just fired his predecessor for being "old school" and "unable to grasp the future of security." The new director is given a mandate to converge all the security functions, which previously had been stovepiped. Members of the various security departments, who once had minimal interaction with each other and ample levels of distrust, are elated. Staffers are cross-trained in each other's disciplines and never fail to ask how they can lend a hand to their colleagues. Employees share many a libation, as well as the best of that week's security stories, every Friday at O'Brien's, the local watering hole ("Can you believe the look on the face of that guy from finance when we nailed him for leaking our 3Q numbers? I thought his eyes were gonna pop out of their sockets!").

A farcical look at how a strong-willed CSO takes a stovepiped organization and whips it into a tight-knit, newly energized outfit, winning the hearts of grateful staffers along the way (including one enthusiastic but verbally challenged firewall specialist who frequently proclaims to his teammates, "There's no 'I' in security!"). Rating: H

For all of you readers who have either converged or toyed with the idea, the plot line for this movie matches the reality of your experiences or expectations, yes?

Of course not. That's why this cheesy plot sounds as far-fetched as a reality show featuring a woman trying to determine her biological father from a group of eight strangers. The stark reality is, like any corporate restructuring, converging is bang-your-head-against-a-wall tricky. It presents a host of challenges: ticked-off employees, fights over budgets, skeptical executives and enough cultural issues to make a typical, backstabbing Thursday night on The Apprentice look like a game of Candyland.

But, as "The Payoff" (see Page 24) shows, those who believe convergence is a path worth pursuing will find that the benefits can be worth the pain. This story outlines five common challenges that confront CSOs and suggests ways to tackle them head-on. Pain #1 Turf Battles Face it: You'd be a fool to think that the director of infosecurity, an IT department veteran who had developed a great relationship with her ex-boss, the CIO, is going to do a touchdown dance once she finds out she's reporting to the CSO. Same for the head of corporate security who finds himself taking directions from the CISO, or the security manager at a local operation giving up control of a monitoring system to headquarters.

The fact is, a gaggle of people, whether it be managers or lower-level employees, will be unhappy with any change to their turf. They're not going to like whom they report to, whom they have to work with and the new projects they're assigned to. Egos will be bruised, if not battered. "Folks are very protective of their rice bowls. That's natural," says Jim Mecsics, senior security analyst at SAIC, a research and engineering company, and the former vice president of corporate security at Equifax.

Mecsics, when he worked at credit bureau Equifax, had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. "I said, I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker," he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.

Ultimately, says Mecsics, security needs accountability. "They [other execs] don't want something to fall on their shoulders. I said, If we have to go to the boardroom with Donald Trump, by God, I'm going to be there with you," he says, echoing his military past. (Mecsics served in the Air Force for 27 years.)

Territorial issues are not going to go away, but there are ways to lessen their impact. Marshall Sanders, vice president of corporate security and CSO at Level3 Communications, was fortunate to have a mandate to converge when he came on board in 1999. Sanders' job was made easier because Level3 didn't have a heritage of entrenched security stovepipes. But he still needed, for example, to make sure all members of the security organization understood that they were accountable for the success of everybody on the cross-functional team. Sanders says that Level3's performance-oriented culture and use of metrics and balanced scorecards helps ensure that everybody is pulling in the same direction.

"We have a saying: Our goal is to weave security into the fabric and culture of the company. Because we're employee-owned, which contributes to our success in converging, the employees have a sense of ownership and accountability," he says.Pain #2 Executive Buy-In You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn't feel as warm and cuddly about it as you do, your proposal will stay just thata proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first.

Bob Pembleton, chief security and privacy officer at EDS, wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. "We had conversations about what we were trying to do, then did a couple of sites to prove the concept," he says. "The centralization proved so efficient that the senior leadership raised the question, Wouldn't it be more efficient to put all four lines in the same security organization?" Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

Communication is also criticalif you don't get buy-in initially, communicate with the leaders who are feeling the impact of whatever change you're trying to make, says Pembleton. "Try to put yourself in the other person's position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?" he says.

Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI)a major undertaking. Executives might view it as an expensive investment that doesn't return immediate value to the company. Implementing PKI would require every business unit to conform their applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. "Everybody gets a digital smart carda big step toward PKIand you can help sell it by saying the card would contain a smart chip that contains all of a user's passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI," says Hunt. "A convergence project will fail if it can't demonstrate business value. Some convergence projects have to be made more relevant to the business," he says.

Executive security committees, comprising top management and the heads of security, are another valuable way to gain buy-in. (See "All Together Now," Page 27.)Pain #3 Cultural DifferencesIt's no secret that, oftentimes, corporate security people are from Venus and IT security people are from Mars (see "Mad About You," www.csoonline.com/printlinks). So CSOs with a bent toward convergence need to be aware of the cultural differencesand not just between physical and information, but among all security-related departmentsand have a plan to deal with them.

Executive security committees are a good place to not only gain buy-in for security initiatives but to get help from senior leadership in bridging cultural gaps.

Keith Antonides, corporate information security director at a large chemical maker, has used his executive oversight committee for infosecurity to help him deal with the cultural differences between his IT organization and the engineers that manage the process control networks at the company's plants. Historically, the two staffs have had limited interaction. But in recent years, traditionally standalone process control networks have become increasingly connected to corporate networks. That has opened them up to Internet viruses, worms and other cyberattacks and made them potential targets for terrorists. (One disgruntled techie hacked into the computerized wastewater system to release raw sewage at an Australian plant in 2000. See "Out of Control," www.csoonline.com/ printlinks.) After 9/11, process control engineers and IT departments realized they needed closer cooperation to help protect plant networks. Helping it happen, says Antonides, is the oversight committee, a venue that company executives have used to ensure collaboration between the two sides.

Cross-training is another effective way to make people more understanding of their fellow employees. John Pontrelli, vice president and CSO at Triwest, and Ed Telders, CSO at Pemco Insurance, both cross-train their physical and information security staffers. At Wells Fargo, CSO Bill Wipprecht began cross-training his external and internal investigations agents to do each others' jobs.

Of course, there's no silver bullet to tearing down the cultural walls separating security departments, in place for years in many companies. Cops aren't going to start sporting goatees and flannel shirts overnight, and geeks are still going to look at suits as well-tailored straitjackets. But some CSOs are making progress. Overcoming the differences between physical and information security people, says Telders, "is not as big a hurdle as it used to be."Pain #4 Organizational Structure As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella, Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations?

"With 300 people, it becomes a significant issue evaluating where your needs are," he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).

During the review process, Wipprecht also sought the input of his staff. "You have to communicate. You redefine the new organization, set goals, then go to the agent level for their input. We want participatory management. The responses I got really helped formulate what our organization was going to be today," he says.

Wipprecht also says training is key to a successful, converged department. "We as a management team have an obligation to have the best and the brightest," he says. "To do that, we need to provide the training they need to maintain an expert level. If they're the best they can be, that can only assist you in the field as agents communicate with customers, the FBI, Secret Service, whatever. It saves time and money."Pain #5 Information-Sharing Think about information-sharing between the FBI and CIA. Or FBI and CIA and NSA. Or FBI and CIA and NSA and DoD. You get the drift: Getting security folks to share information can be as hard as telling your boss his putt isn't a gimme.

Security pros "are not accustomed to talking a lot; they're trained to protect information," says Richard Loving, CSO and director of administration at BWX Technologies (BWXT), a manager of nuclear plants and other high-security facilities.

Loving says communication across his organization was the biggest challenge he dealt with last summer as he centralized security, which previously was the domain of each individual nuclear facility. To get over that hurdle, Loving has emphasized to facility security managers that working together is in the best interests of the company and that headquarters is trying to enhancenot controltheir local operations.

He also advises showing employees the successes of their collaboration. "One time you may be sharing, the next time you may be on the receiving end," says Loving. For BWXT, the benefits of information-sharing came after the Department of Energy ordered all its facilities to improve security of controlled removable electronic media (CREM). Loving and his colleagues coordinated a group response across BWXT facilities rather than having each plant act on its own to comply.

This kind of sharing won't come easily; it's an evolution, Loving says. "It really is getting people to open up and share and recognize that there will ultimately be benefits, whether in operations, security or safety."

Got a painful convergence story? E-mail Senior Editor Todd Datz at tdatz@cxo.com.

Copyright © 2005 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!