Who do you call when you've been caught in a semantics trap?
Steve Hunt was kind to me in his response (Convergence: The Semantics Trap) to my earlier Myth of Convergence piece. I worry that it's because he sees me addled and drooling in my declining years. He refers to me as "Mr. Campbell" and alludes to my tenure in security management somewhere in the primitive analog era. Since he sees me in this dotage, I think I'll refer to him simply in the more youthful and familiar "Steve".
Steve does a really nice job of laying out the evolution of the physical security and IT security relationship from his perspective. I didn't bite my lip until he got to level three where we may find "the convergence of physical security people and processes with IT security people and processes. Here is where tempers flare." Either I did a bad job laying out my thesis in "Myth" or he missed my point when he concludes this evolution with the notion of "bringing the two security teams together under single management." I guess I can't blame him since he has evidence of "the train wrecks" he and others have witnessed when these marriages have contributed to workplace violence.
The failure of a marriage or relationship like this is the heart of the debate on convergence for me. I'm immovable that where these organizational train wrecks occurred, there was an institutional failure in two key areas: relationship management and enterprise risk management. These temper tantrums speak more of low level, immature, school yard shoving matches than security (business?) professionals recognizing their merged interests and commitment to corporate health and hygiene.
Also see The Holistic Security Momentum Theory
I have great respect for Steve's experience and credentials. I proudly had the CISO function in my organization for 7 years and any one of that great team will tell you what I knew of Steve's and their craft would fit in a thimble. My job was to make sure all the moving parts of a risk-focused corporate security program were in synch with each other and the business plan. Physical security and logical security were partners. There were enough bad guys out there to keep us all busy.
I've been at this debate table for the last decade and want to see it end. It gets us no closer to finding the common ground our top management has every right to expect of governance partners. I keep stirring the pot so I'm as much the instigator as anyone. But my passion is around how inclusive I feel about my information security colleagues and how exclusive their context appears to be in so many of the articles on convergence.
I think it's the almost exclusive technological focus on convergence that Steve and many of his equally qualified security colleagues take that has structured the discussion. It's that limited view that sticks in my craw. I don't give a damn who manages the computers and networking of physical or other security functions. I'm after consideration of what a converged enterprise risk management strategy looks like in companies with differing threat and risk profiles. I'm interested in seeing who management would pick to sit around a policy-level table and discuss how we should be organized to best protect the brand and the assets that contribute to its success. I want to be a part of an intelligent discussion around how the competencies of all security functions in the organization can be appropriately structured and focused on mitigating business risk, not risk to turf.
I keep wading into this space because my notion of a converged something implies a planned, logically structured group of elements, a unified whole. It's my way to visualize an organizational model for a corporate security function. To me, the idea of a unconnected camps reflects seriously flawed risk analyses and a lack of managerial initiative to develop an integrated protection strategy. I am a proponent of structuring most of the security function under one executive but recognize that other more balkanized models can work if there is a structure like a security committee to connect the dots and focus the elements on collaborative risk management solutions. Having said that, I'm positively apoplectic when I see a company that has parsed its various security elements across Audit, HR, Facilities, IT and a gaggle of contractors. Steve's convergence model can fit and serve very well in that company while here is where I want to organize one of those train wrecks.
The more I think about this school yard scuffle, the more I wonder about how our upbringings have influenced our outlooks. CSOs are, by necessity, generalists, likely with a major in one aspect of the larger corporate security portfolio and minors in diverse assignments to the top. It seems to me that CISO's are specialists, highly competent in the more vertical range of IT-centric risks. We've largely grown up in different cultures with different vocabularies and experiences. This has to influence the initial connectivity and test continuing dialogue.
In his closing, Steve says "the integrated security Mr. Campbell remembers from his tenure in security management was different." He's right about the increasingly sophisticated involvement from IT. He's missed my point that integrated security to me was always about how all the elements—the people, policies, procedures, technology, architecture and corporate culture—were effectively aligned to enable the enterprise to do what would otherwise be too risky. It's not about technology. It's about the security program's role in a measurably effective business strategy.
My vote is that we focus the convergence discussion on connecting the threat, risk and countermeasure dots and aligning the optimum configuration of piece parts within the host business model. Maybe that could help keep the train on the tracks.
George Campbell is former head of security for a Fortune 500 financial company and current emeritus faculty member of the Security Executive Council. He is the author of Measures and Metrics in Corporate Security: Communicating Business Value
