• United States



by Senior Editor

Leading a Converged Security Operation: Critical Skills

Sep 02, 20085 mins
CareersData and Information SecurityIT Leadership

The cultural challenges are significant, and the CSO has to lead the way in learning and changing. We spoke with several converged CSOs for their take on building the necessary skills to hold the job.

John had a massive challenge to tackle. A former IT security officer at a large bank in New York, he and his wife packed up and moved across the country so he could take on the role of chief security officer with a well-known provider of loans, retail financing, and other credit related products.

His first task? To build a converged security department (a single organization integrating disparate security branches, typically including digitial and physical security at minimum). An undertaking any veteran security executive will tell you is no easy mission. John, who asked us not to use his name because he is not authorized to speak to the media, decided his strategy would be to take baby steps.

“I spent the first six months to a year just observing,” said John. “Things were highly decentralized. People had built processes in silos. We didn’t buy any tools for two years. We worked on organizational change first.”

Merging things was a slow and met with resistance. Resistance came from personnel on both sides, both physical and IT, as very different types of employees just couldn’t relate to one another. And, of course, there were demands from management to do things as cheaply as possible.

When it comes to converged security, stories like this are not uncommon. How do you bridge both worlds if you come from one? Veteran CSOs agree that it all starts with personal growth and change.

Seek a network of support

John reached out to others who had been through converged efforts. While he said converged CSOs remain a relatively rare breed, he did find others with expertise to talk to—with industry assocation ASIS proving a particularly valuable resource.

“I think that ASIS has the strongest network of converged CSOs that I am personally aware of,” said John. “I helped found an ASIS chapter locally and this association has been a great resource for information, contacts and support.”

Seek practical experience

Martin Carmichael is the CSO of security software developer Mcafee. He is responsible for the company’s internal information and physical security. His experience with convergence began when he was CSO at Asurion Corp., a provider of customer contact and support services. There, he dealt with what he calls a “huge amount of resistance to change” from personnel.

“I found as I brought IT into physical there were complete misunderstandings,” he said “Each thought the other had it easier. Physical security wanted to spend more on things like video surveillance. And the IT people didn’t understand that physical security is critical to infrastructure.”

Carmichael himself, whose background was heavily in technology, decided if he was going to talk the talk, he better walk the walk. He volunteered at the Colorado Springs Police Department to help “round out physical side” of his knowledge base.

For Wolfgang Ziegler, many years spent as both a cop, and later as a police detective, gave him a comprehensive background in physical security. As he saw the security field becoming increasingly technical, he went for a CISSP where, in his words, he was the “only non-fulltime IT person in the class.”

Now, as CSO of Alliance Group Research (AGR) , security consultancy, he counsels clients on threat and risk assessment on both the physical and IT side of things. Based in Houston, AGR has a significant number of clients in the oil and gas industry.

“I often tell them you could have best firewalls and security there is. But if your server room is protected by nothing but a proximity card, your firewalls are meaningless.”

Seek team-building opportunities

Advising clients on a holistic approach to security means handling the tension that comes up when different departments work together. Ziegler refers to these personalities as the bad guys, bytes and bean counters—and they often couldn’t be farther apart when it comes to seeing eye-to-eye.

“They just want to pound each other,” said Ziegler. “That’s where the CSO is going to be put to the test. That person needs people skills, management skills. How can that person compromise, read people, reward each and manage effectively but still make decisions that need to be made that affect the bottom line?”

For Carmichael, the answer has been trying to foster an understanding and team atmosphere ——even though animosity is inevitable.

“I haven’t been in an environment where they’ve tried to integrate where there hasn’t been resistance. But you have to overcome that with communication. Get the team together and say: ‘We are all in risk management. What can you add?'”

Carmichael recalls one meeting that involved department heads from physical security, security engineering and compliance. Each person, said Carmichael, had a distinct style of communication and it was like watching them all have separate conversations.

Then the head of physical security said: “You have it so easy: username and password. You have no idea how difficult access control is with badges. People forget them, use other people’s badge, they find other ways in, bypassing the controls in every building,” according to Carmichael’s recounting of the scene.

“The pause was palpable,” said Carmichael, until the security engineering head jumped in with the difficulties of the username and password environment: the weaknesses, people forget them, use others and find other ways in. And then the compliance head chimed in about password controls and how people bypass them.

“Suddenly, there was a commonality in the room: the concept that people, assets, the company, need to be protected, even when they work against the system,” said Carmichael. “That we are a team. We struggle with the same types of issues from different perspectives.”