The Evolution of Security

Nov 07, 2008 | 3 mins
IT Leadership, Security

Over the course of two weeks last month I spoke at or attended four security conferences (the fall is a busy event season). I met with hundreds of security professionals, dozens of CSOs and CISOs, and many, many security vendors. I did a lot of talking. More important, I did a lot of listening.

We’ve witnessed a meltdown in the financial markets that is having a significant impact on the CSO job market. In fact, the tenor of career conversations has been ratcheting up at a frantic pace on Wall Street and beyond.

In November we have a presidential election, the outcome of which, in my mind at least, will have profound implications for the United States and, by extension, the world. It will also influence the direction this nation takes as it addresses the variety of security concerns that CSO covers on a regular basis, from regulation to privacy and beyond. It will influence the profession of security, good or bad, for many years to come.

Despite having these great issues to explore, what struck me most in my travels was how security has changed from where it was more than six years ago when we launched CSO. Security has evolved, and it has done so at a speed unlike anything I have seen before. Security has gone from being a cost center that administered firewalls or negotiated guard service contracts to being an integral part of the business. How do I know this? Because I am now seeing IT automating significant parts of security operations, not just for information security but for physical security as well.

Let me explain: IT used to be viewed as strictly a cost center. In an effort to prove its value to the business, CIOs began taking on projects to help automate areas of the business like finance and sales (hence the growth of such software powerhouses as SAP, Oracle, Siebel and, more recently, Salesforce). Their ability to streamline operations and gain significant operational and financial efficiencies from those processes secured their role as a business enabler as opposed to a cost center. They didn’t own those businesses or processes, but they applied technology to make them better and then administered the technology.

For the past few years we have watched IT take on the daily management of information security operations beyond just firewalls and provisioning, which makes a lot of sense since IT was securing its assets, or the assets they were administering for other arms of the business (like finance, sales, HR, etc.). But we are now seeing them take on responsibilities for managing physical security systems like access control and video. Like the example with finance, IT doesn’t own the video and access control systems. They bring knowledge of technology to bear, then improve and administer those systems.

This is a profound change that proves that you must be doing something right. We’ve always professed the importance of selling the business value of security. Here comes the payoff.

—Bob Bragdon,