There didn’t seem to be any downsides in Howard Schmidt’s mind. In the late 1990s, the former CSO at Microsoft watched as the company’s Web presence explodedand experienced rising numbers of attacks. Schmidt, who headed up IT security, and others had to decide which investigators from physical or IT security should respond. “That’s when we saw value in converging the two,” says Schmidt. Soon the decision was made to converge the IT and physical security teams as a whole. In the spring of 2000, Bob Herbold, Microsoft’s then-COO, gave Schmidt the OK to move security out of the IT organization into his. (The new merged group would report to the COO.) But soon there were problems. “I made my biggest mistakeI didn’t anticipate the cultural differences,” says Schmidt. The physical folks had expected to be promoted to the same pay levels as the IT staff. Schmidt had intended to cross-train his team, but he realized that while some of the physical people were on the way to get technical training, they didn’t have the technical aptitude of some IT security people. The bottom line was that HR decided that pay scales would remain the same. That ticked off some of the physical folks. “Initially everybody was excited, but in a matter of months there was the perspective that, I’m doing the same job, I should be getting higher compensation. It became a distraction from the day-to-day work,” he says. About a year later, when the COO retired, Schmidt helped form a new group, Microsoft’s trustworthy computing security group. The converged security team was moved back into the IT organization under the CIO. And after 9/11, Schmidt left Microsoft to work full-time on national cybersecurity in the White House. But he still believes in convergence. “The best manager of a security organization has physical and IT experience,” he says. Related content news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry news UK data regulator warns that data breaches put abuse victims’ lives at risk The UK Information Commissioner’s Office has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse. By Michael Hill Sep 28, 2023 3 mins Electronic Health Records Data Breach Government news EchoMark releases watermarking solution to secure private communications, detect insider threats Enterprise-grade software embeds AI-driven, forensic watermarking in emails and documents to pinpoint potential insider risks By Michael Hill Sep 28, 2023 4 mins Communications Security Threat and Vulnerability Management Security Software news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe