


Cyber Security Versus Physical Security: Smackdown!

Feb 01, 2003
Data and Information Security | IT Leadership | Physical Security

Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

George Campbell doesn’t pull punches. Trust us. After CSO’s first issue was published, the former CSO of Fidelity sent us a terse missive about what he thought was a fundamental flaw in our approach to covering CSOs. We were focused too narrowly, he said, on the tactical CISO role and not the strategic CSO role.

In fact, Campbell views that bias as a sort of epidemic spreading through the security community. He’s concerned when he observes that CISOs have “captured” the title of CSO without really having the requisite skill set. And he’s frustrated by what he views as “intellectual arrogance” on the part of IT-centric information security officers. (OK, he actually calls them “propeller heads,” but they started it, he says, by suggesting that CSOs are just retired cops who don’t understand technology.)

Of course, we couldn’t resist a good fight. To that end, we had to find a counterpart to Campbell, a CISO who would go head-to-head with him. We got Georgia Student Finance Commission CISO Bill Spernow. To our delight, we learned that Spernow once worked for Campbell at Fidelity. So it wasn’t a surprise when Campbell started the conversation, which Senior Editor Scott Berinato moderated, by saying, “I’m surprised your parole officer let you do this, Bill.” Spernow ended the conversation by tipping his hat to his old mentor: “Good to see you’re still out there making people uneasy, George.”

CSO: We were turned on to this idea by you, George, when you wrote to us about this topic. You read the first issue, and the letter didn’t read like you were surprised by the focus on IT; disappointed certainly, but not surprised.

Campbell: Well sure. I’ve actually had several people send me responses to the letter you published. Here’s one I got recently: “I read your letter in CSO magazine with interest. FYI, attached please find an executive summary of a CSO leadership program prepared by the Center for National Software Studies. This program focuses on IT security and the role of the CSO.” I responded to that clown as follows: “[Sir], thanks for the information. As I indicated to CSO magazine, what you and others are describing is a CISO, with an emphasis on the I.” I can only conclude that this guy either doesn’t read or doesn’t understand what he’s reading because I made it fairly clear that the CISO deals with some of the most critical assets of any modern corporation. But the role is nevertheless narrower by some significant measure—depending on what the asset base is of a company—than that of a CSO who has to investigate, do background vetting, due diligence examination, business continuity planning, security operations, first response—the whole nine yards.

I get offended when I see the CSO title being captured. Why do they feel compelled, Bill, why do you feel compelled, to take that title, which to me doesn’t imply what their job is?

Spernow: Well, because George is right, and George is wrong.

Campbell: He used to say the same thing when he worked for me. [Laughs.]

Spernow: From the percentage of organizations that reflect your experience, George, you’re right. But you represent only 5 percent of the population of folks doing any type of security. But because that 5 percent has high visibility, it represents most of what happens. That 5 percent gets the press, and as a result, the other 95 percent is struggling with trying to figure out how it’s going to make its security stuff compatible with its infrastructure and IT culture, which primarily hasn’t been focused on anything to do with security.

What most companies are doing is taking their best-case experience and saying, “We need to have somebody in charge of security.” Then they go out and find somebody who is a former bureau agent with great physical security credentials and the stuff that they can relate to, and because he took one information security training course, he’s also considered an information security specialist. So they hire him, and they task him with doing all the security.

I don’t see the people who, according to George, call themselves CSOs but should be information guys only, because that’s all they’re actually doing. In fact I see just the opposite of what George sees. I see guys being hired as CSOs who are only doing physical security, because of their background, but are also in charge of information security.

Campbell: I absolutely agree that people like myself or these ex-bureau agents—who don’t come from a background of information protection in the cyber age—have no business fancying themselves as CISOs. But there’s nothing wrong with them leading that effort as part of the global security strategy, as long as they’ve got the Bill Spernows of the world working within that team, whether directly for them or bridged in some sort of security council.

CSO: So George sees the CISO role as tactical and the CSO role as strategic. It also seems like he sees it, in some cases, as hierarchical, with the CISO under the CSO?

Spernow: I don’t think so. The larger the organization, the more likely the security effort will be accomplished if the CSO and the CISO are on a peer level. In a midsize company, I’d recommend that the CISO be independent to the point where maybe he reports to legal as opposed to IT because most of the IT exposure you’ll see from the information side is legal liability. And if you don’t have the backing of legal to argue your case in front of the board, then you’re probably not going to accomplish too much.

Campbell: I’d underscore that. My complaint with having the CISO as part of the IT department is you get the fox in the henhouse. Where do you have an honest set of controls that can make it before the audit committee in its own right?

Spernow: I’ve actually fought that battle [at the Georgia Student Finance Commission] and won. The CIO should be concerned with how to maintain the infrastructure today and how to plan for its future. The CISO should be looking at the ramifications of new technologies the CIO wants to adopt.

Campbell: Let me ask you this, then. To what extent does a CISO’s background and experience as an information security professional detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?

Spernow: They become technocentric. I’ve seen CISOs try to integrate authentication log-ins with physical security controls like access cards. That’s usually where they stop because it ends up not working. At first, the locked door and exposed trash bins and all the other physical security issues associated with controlling building entry and exit …

CSO: … they suddenly become technology problems.

Spernow: Yes, but CISOs don’t really grasp the real physical threat, or the human threat. I agree that having CISOs take on CSO responsibilities is usually a disaster. Once they’ve been exposed to it and integrate it into their mind-set, they can be effective. But it’s an uphill battle to make them change their mind-set.

Campbell: I’m reminded of a conversation I had with a CISO. I basically challenged him to tell me how the greater security organization could be engaged in the information security program. After a couple of minutes of pondering, he said, “Well, I suppose they could collect the trash.”

CSO: There does seem to be an institutional arrogance on the IT side. I don’t mean it to be a reflection of personal character. Just, you know, that everything is a problem that technology can solve.

Spernow: For those organizations that have the budget, I’ll agree with you that the technology becomes a solution, regardless of whether it’s actually applicable, because it’s familiar. If I ask an auditor to do an audit, he’s not going to look at AI approaches to technology. He’s going to say, “Give me the books and let me look at the columns.” Our history condemns us to certain limitations.

It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember reading an editorial suggesting that to fix this, cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective. Having that ability, to essentially come into an organization and get it to think another way, I mean, that’s the challenge that we all face. The biggest challenge I’ve had here is getting my employees to think like crooks, instead of like IT guys trying to stop crooks. If they can’t think like crooks, they’re never going to see the things that I need to know about.

Campbell: The bias is clear every year when we make the annual trek to the ASIS exhibit hall to find out what the technocrats have created for us. It’s easy to see this is technology in search of an application, but as CSOs, we also have a responsibility. Are we truly engaged with the technology community in articulating what our needs are? I think the answer to that, quite frankly, is no. For example, issues around trade secrets are soft and don’t necessarily have technology to address them. I’ve been looking for years for a technology like the smokeless, dust-free paper shredder, to make it easy and effective to destroy sensitive information. Because if [an executive has] to get up and walk down the hall to shred a document—these guys who are too damn important to think about things like that—they leave it for others to deal with, which is a security issue.

So I think technology is doing a hell of a job around what it has been built to do, but there’s still an awful lot on the operational side of information protection where it hasn’t been applied. Until now, we’ve let the CISOs have much more say in what the technocrats bring to market.

Spernow: You’re inferring that we don’t look at other solutions, and we’re going to miss the big one that is actually going to work and that, instead, we’re going to spend a lot of time looking at small ones that don’t work. In a lot of cases, that is where we’re at now. A lot of the controls we have here look good, sound good and they’re portable, but they don’t work. Because we don’t take the user into account or the actual individual who is part of the threat.

CSO: Let’s get back to the CSO versus the CISO. Has there been a tacit promotion of CISOs in some organizations to take on some of the broader CSO roles, whether or not the anointed individuals are prepared?

Spernow: I’ll be honest with you, when I was involved in the analyst community, we were all writing papers that said, “You need to have a CISO as part of your staff because you need somebody to champion the budget for info security that we see coming down the pike. And if that budget is left to IT, it won’t be spent well.” So in some cases we’ve created this quagmire of putting a person in the position [whose credentials weren’t] truly analyzed in depth. But it made sense at the time.

Campbell: Where does the audit program fit into this equation, Bill? Are the [auditors] doing their job to point out to committees and senior management what the risks are to their information assets?

Spernow: I think they try, but because the risks aren’t actually threats at the doorstep, they fail.

Campbell: It gets back to the notion of a true partnership [between CSO and CISO]. You need a fundamental relationship, based on the risk assessment and the relative roles and responsibilities that are going to be performed by the two organizations. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where the [two parties] will never talk. And I bet Bill has seen more cases where CISO and CSO didn’t talk than those where they truly had a partnership …

Spernow: … because they build their moats, and it ends up being ego issues.

Campbell: Well, you know, we’re the knuckle-draggers.

Spernow: Right.

CSO: George has said more than once that CISOs think CSOs are just cops, that they lock gates and so forth. Talk about those biases and how you get past them.

Spernow: From a CISO perspective, we see CSOs—without the info security role—as those whose methodologies are proven from a tactical perspective. That allows them to be totally strategic [in their focus]. In comparison, CISOs are always dealing with new developments. So we have to bounce between tactical and strategic [orientations]. For example, I’m struggling with intrusion detection and prevention, trying to deal with behavior patterns of traffic for which there are no set methodologies of counteraction. I’m trying to be strategic, but I have to figure out how this will just work. I’d like to be in the CSO’s position where he has that luxury, of being strategic all the time. CISOs don’t have that luxury.

Campbell: The premise here is that Bill’s removing the info security function from the CSO …

Spernow: … for the purpose of the argument.

Campbell: Understood, understood. But if you do that in the real world, the person we’re talking about isn’t really a CSO anymore. The notion of a CSO must extend to all aspects of protecting assets, including information assets. The perception that we have the luxury of being more strategic, um, I’ll go along with it to a point. Except that I think our whole landscape is a learning process too. If anything, CISOs are dealing with more absolutes, the laws of physics, with machines. I’m dealing with behavior and the incredible number of variables in behavior. So it’s not technically complex, but it’s certainly not easy. And that’s where I see the intellectual arrogance of Bill’s colleagues. We’re rejected out of hand as being too ignorant to appreciate their challenges. What about our challenges? I bristle at that.

Spernow: George is correct in that the CSO cannot appreciate the technical challenges I have because, in a lot of cases, I don’t understand the challenges myself. And if I don’t, I’m damn sure a CSO won’t.

CSO: But can’t the two learn from each other? Aren’t there established CSO methodologies that just might apply to CISOs, if only they had a conversation about what, on a broad level, they were both trying to accomplish?

Spernow: There are some parallels, but the implications if something goes wrong are much more serious at my level than at George’s.

CSO: Is that true? Is that fair, George?

Campbell: Well, I think it might be more apparent if something goes wrong in Bill’s world. Either the problem is or it isn’t there, empirically. I’m trying to safeguard without the same set of absolute measures that a technocrat has.

Spernow: I don’t think I agree with this whole “laws of physics” assertion. Conceptually it might be valid, but in reality we’re experimenting every day in how we do this. We’re not dealing with set laws.

Campbell: The sad thing is the need to even have a debate like this. When you peel it back, we’re all in the same business. The fact that there’s a vocabulary, tools, principles applied by CISOs that are arcane or hard for a layman like me to understand doesn’t one bit change the fact that we’re all here to provide integrated controls. Integrated. Underscore that. I have to think about being prepared to work with information security executives; and when it hits the fan, they have to be prepared to help me.

You know, it’s all about vocabulary. CISOs will say, “You guys just aren’t going to understand what I’m trying to deal with here. It requires knowledge that you guys don’t have.” Acknowledged, right, understood. But suppose I ask, “What’s the purpose of the technology, this lexicon that I don’t understand? What are you trying to do?” And the CISO says, “Well, I’m trying to protect against intrusion.” Ah! That I can understand.

Spernow: On the other hand, we’re considered a bunch of propeller heads …

Campbell: … pointy-headed propeller heads. [Laughter.]

Spernow: We’re looked at as techies who somehow managed to wriggle into management. [People like George] view us as being here because of a special skill set and not necessarily because we can do the job.

Campbell: I think CISOs start with the assumption that those guys on the other security side, that CSO team, just aren’t going to understand what my problems are. They don’t understand what I’m up against, they don’t understand the technology, so what’s the sense in even talking to them.

Spernow: But how do you get around that? It’s tough, because you’ve got to essentially convert people to your way of thinking without offending them, and make them understand what you’re trying to do and why you’re doing it. I mean, that’s probably the toughest job that I have on a daily basis.

Campbell: But what happens when it hits the fan? We need a set of protocols between the two organizations so that, when there’s an intrusion, someone separate from the IT side is making sure that evidence is preserved, that logs are preserved. It’s like arson: IT wants to put the fire out. I’m looking for evidence after the fire is out.

Spernow: But if you try to do it during the incident, you’re shooting yourself in the foot—benefiting the bad guys more than the good guys. My point is the opposite of George’s. The CISO needs to be put in place to be entirely in charge of an incident. I don’t suggest to the people I talk to that the CSO be part of an investigation. [At least not] until it gets to the point where we’re talking to employees or to people outside the company, where CSOs normally have the contacts to make it happen. When it’s internal to the network, then the CISO should be in charge.

Campbell: Getting back to the model Bill has adopted: an acknowledgement that the CISO function needs to be outside of the IT department, correct, Bill?

Spernow: Always, always. It’s the biggest battle I’ve had here. If I see an organization where the CISO reports to some IT component, I see a position that’s not working, guaranteed. The conflict of interest is just too much to overcome. Having the CISO report to IT, it’s a death blow.