Journalists like to joke that three examples make a trend. The first example is a fluke, the second a coincidence, and the third, a sure harbinger of Things To Come. (Four, of course, is overkill.) While I certainly don't want to declare any such portents this month in Alarmed, three random signs I encountered in the past week seem to point in a heartening direction.

First, I happened to talk to the CSO of a Fortune 500 energy company on the day before he was taking over the reins of information security from the CIO. Then, I came across a press release announcing that ASIS and (ISC)2, groups that issue certifications for physical security and for information security management, respectively, have signed a memorandum of understanding. Finally, I stumbled upon a survey, done outside the security industry, that seemed to take for granted that non-security executives look at security in a holistic way.

Something about these three seemingly unrelated incidents clicked. Maybe, just maybe, the convergence of physical and IT security, which we've been talking about for years, is finally becoming an everyday reality.

It might have been the nonchalance of the energy industry CSO, who was hardly queuing up the brass band over the transfer of powers. "It's not such a big change," he said, explaining that he and the CIO already had done a good job with segregation of duties. S.O.D., he told me (spelling it out rather than pronouncing it like the carpets of grass), is the latest buzzword in security departments of regulated companies. The key is making sure that whoever is controlling the IT systems is separate from whoever is reporting on the vulnerabilities of those systems. It may seem an obvious point, but it's been a long time coming.

Maybe it was the matter-of-factness of the press release from (ISC)2, which is known for conferring the moniker CISSP, or certified information systems security professional. (ISC)2 and ASIS International, which grants the CPP certification to certified protection professionals, have signed a memorandum of understanding that they will recognize each other's certifications. They're not sure what this entails, exactly, but they're off to a hopeful start. "They are the leader in traditional security certification, and we're the leader in information security certification, and there's convergence there," James Duffy, president and CEO of (ISC)2, told one of my colleagues. "This is the first step. We're going to form committees to see what other types of benefits we can provide to each other's membership. Who knows where it could go?"

Then there was the way that Pitney Bowes was marketing its white paper not to security executives, but to everyone. An ad on page two of the business section of The New York Times said: "Ever ask yourself how other executives view security? Here are 409 answers." The questions that were asked in the survey, about everything from espionage to anthrax to infrastructure, seemed to have the underlying assumption that non-security executives see security as security, and not in the stovepipes it has grown up in.

Call all this whatever you want; convergence versus S.O.D. seems to me a glass-is-half-full/half-empty kind of difference. I call it common sense. It just doesn't make sense to view information security and physical security as two separate things, when you really can't have one without the other, and you can't have both without solid risk management.

Maybe autumn is making me overly optimistic. But can I dare to hope that these three tidbits really do mark some kind of milestone for holistic security?