The 2006 Compass Awards Winners

The ability to step out of one’s comfort zone and convince others to do the same is a rare leadership quality, but it’s one that each of this year’s CSO Compass Award honorees has in spades. Each of these leaders understands that convergence is about creating communication and cooperation, whether it is between security peers, security personnel and their business units, or a government and its partners in industry. We asked each honoree to recount their experiences, and to share what a converged security function looks like.

Timothy Williams

Chief Security Officer, Nortel

Why chosen: Since 1990, Williams has led a converged security department with global responsibility for Nortel’s computer and telecom system security, as well as risk assessment, crisis management, security-related investigations and employee protection. As an author, speaker and member of the ASIS International board of directors, he has been an ardent advocate of the need for better integration between security departments and the businesses they serve.

Turning point: Earning his MBA. He applied some of his new business skills to some nagging problems in risk, strategy and process management, making the case for a converged security department. As people started to agree on process ownership and cross-functional responsibilities, the direction of the entire security apparatus fell into alignment. “Once we had good process management and an understanding of the business risks and what we were trying to mitigate, then we started to see a break in the clouds.”

Why convergence matters: “I’ve seen a more effective response to security issues and crises, better teamwork and a greater ability to come to the best solution for the company when we start to work together in this context. There’s a lot more money saved, a lot less frustration on the security team, and we all have a better understanding of our objectives.”

Dave Cullinane

CISO, Washington Mutual

Why chosen: As a CISO with both a physical security background and a CPP, Cullinane is a rare breed. As the president of the Information Systems Security Association (ISSA), he has advocated for the convergence of traditional and information security functions. On his watch, ISSA has also been very active in forging connections with ASIS International and the Information Systems Audit and Control Association (ISACA).

Turning point: “In 2004, ISACA asked me to speak at an 8 a.m. conference session on convergence. I was shocked when the room, which normally held 2,000 people, was standing room only. I realized something was going on. Afterwards, I was talking with some people from ASIS and saying we need to be doing something here. We’re trying to put together some training that will allow people in the traditional security space to learn information security and vice versa.”

Why convergence matters: “I look at the metrics and measurements that Barry Himel, head of physical and operational security, has in place, and I can’t begin to collect that kind of data. We need to show the influence and effect of [information security] and the ROI on security controls. We need to get down to the level of measuring and quantifying risk. If we can get to the level of building statistics, then we can say, for example, The reputation risk of the project is $25 million; implementing the following controls will cost $X and reduce our risk to $Y.'”

Dave Kent

VP of Security, Genzyme

Why chosen: Kent has built a holistic security department from scratch at Genzyme. He has also worked with Northeastern University’s program in Information Assurance to encourage cross-disciplinary security education.

Turning point: Because Genzyme is only 25 years old, Kent didn’t have to deal with historically siloed functions and business units’ conflicting agendas when he arrived in 1994. He sees the fruits of a converged security department every day. “When the business is going into a new venture and they ask you to sit at the table right away, that’s where you see the impact. It shows up in our physical spaceno building is designed without a member of security. I sign off on every new lease worldwide. We review new applications that come into the desktop, and we’re involved in new product teams so that security can be built in.”

Why convergence matters: “In our group, all discussions are built around people, information and product. We are always talking in terms of a converged approach. Physical security officers who are providing meeting security are going to think beyond access control to wireless security product information. It’s almost through osmosis. If you create the environment, the learning will happen.”

Steve Hunt

President and CEO, 4A International

Why chosen: After spending the first half of his career in physical security and the second half in IT, Hunt formed 4A International, the first consultancy to focus on the convergence of physical security with IT.

Turning point: While at Forrester, Hunt sought corporate projects that required the cooperation of physical and IT security. “After 9/11 there was a little blip around biometrics, facial recognition and smart cards, and then all of a sudden in 2004 we found $400 million budgeted for projects that required this kind of cooperation. Magazines started writing about best practices in convergence projects and the need for the CSO role to be more cooperative. It dawned on me then that there were no consulting firms, industry analysts or resources that were collecting and assimilating best practices in convergence projects.”

Why convergence matters: “One of the greatest breakthroughs [is] the risk management steering committee, with representatives from IT, corporate security, business units, HR, legal and risk management. They empower every player to have a role in solving problems. Convergence of physical and IT security presents a great opportunity for efficiency: better software, better communication, leveraging the infrastructure and adopting the best practices of policy management. All of security, all corporate risk and operational risk management can be done better and ultimately cheaper.”

John Tritak

CEO, Good Harbor Consulting

Why chosen: In his former role as director of the federal government’s Critical Infrastructure Assurance Office (CIAO), Tritak led the effort to create a public-private partnership for securing the nation’s critical infrastructure. At Good Harbor Consulting, he works with partners Richard Clarke and Roger Cressey to continue building partnerships between government and industry.

Turning point: During Tritak’s tenure at CIAO, the government developed Project Matrix to identify the critical infrastructures that the government needs to fulfill its constitutional obligations. Project Matrix calls for each agency to identify its critical assets, and any dependencies those assets have on other government or privately owned or operated infrastructures. Then the agencies must assess their vulnerability to physical or cyber attack and develop plans to mitigate those risks. The Office of Management and Budget is requiring civilian agencies under its authority to use Project Matrix.

Why cooperation is important: “Security has to be viewed as an integral part of decision making, and there has to be a closer relationship between security and operational people. Corporate risk management officers are a very good step in the right direction because that takes away the notion of physical and cyber; instead you have one holistic problem with both dimensions.”

Eduard Telders

Director, Information Security Policy and Compliance, T-Mobile

Why chosen: While at Pemco in 1988, Telders accidentally became head of a converged security department; the physical security chief retired and he took over both his role and head of information security. Telders now heads up information security policy in a convergence-by-risk committee model at T-Mobile where he and other security functions report to the company’s risk management and assurance department.

Turning point: Prior to Pemco, Telders had spent his entire career in IT security. “I realized I didn’t have the skill set to lead both departments, and I ended up with a CPP from ASIS. Pemco had an alliance of companies where we all shared managers in personnel, legal and security; because we could share them across multiple company boundaries, we found opportunities to leverage the abilities of the security staff for massive cost savings.”

Why convergence matters: At Pemco, Telders set up a centralized IP-based monitoring station for seven locations. The system encompassed the physical and IT-based aspects of its access control system from closed-circuit TV and door controls to access card readers, sensors and alarm monitoring. “We had the right equipment managed by the right people, and we saved $2 million in the first year by doing it that way.”