Journalists like to joke that three examples make a trend. The first example is a fluke, the second a coincidence, and the third, a sure harbinger of Things To Come. (Four, of course, is overkill.) While I certainly don't want to declare any such portents this month in Alarmed, three random signs I encountered in the past week seem to point in a heartening direction.
First, I happened to talk to the CSO of a Fortune 500 energy company on the day before he was taking over the reins of information security from the CIO. Then, I came across a press release announcing that ASIS and (ISC)2, groups that issue certifications for physical security and for information security management, respectively, have signed a memorandum of understanding. Finally, I stumbled upon a survey, done outside the security industry, that seemed to take for granted that non-security executives look at security in a holistic way.
Something about these three seemingly unrelated incidents clicked. Maybe - just maybe - the convergence of physical and IT security, which we've been talking about for years, is finally becoming an everyday reality.
It might have been the nonchalance of the energy industry CSO, who was hardly queuing up the brass band over the transfer of powers. "It's not such a big change," he said, explaining that he and the CIO already had done a good job with "segregation of duties." S-O-D, he told me (spelling it out rather than pronouncing it like the carpets of grass), is the latest buzzword in security departments of regulated companies. The key is making sure that whoever is controlling the IT systems is separate from whoever is reporting on the vulnerabilities of those systems. It may seem an obvious point, but it's been a long time coming.
Maybe it was the matter-of-factness of the press release from (ISC)2, which is known for conferring the moniker CISSP, or "certified information systems security professional." (ISC)2 and ASIS International, which grants the CPP certification to "certified protection professionals," have signed a memorandum of understanding that they will recognize each other's certifications. They're not sure what this entails, exactly, but they're off to a hopeful start. "They are the leader in traditional security certification, and we're the leader in information security certification, and there's convergence there," James Duffy, president and CEO of (ISC)2, told one of my colleagues. "This is the first step. We're going to form committees to see what other types of benefits we can provide to each other's membership. Who knows where it could go?"
Then there was the way that Pitney Bowes was marketing its white paper not to security executives, but to everyone. An ad on page two of the business section of The New York Times said: "Ever ask yourself how other executives view security? Here are 409 answers." The questions that were asked in the survey - about everything from espionage to anthrax to infrastructure - seemed to have the underlying assumption that non-security executives see security as security, and not in the stovepipes it has grown up in.
Call all this whatever you want; convergence versus SOD seems to me a glass-half-full/glass-half-empty kind of difference. I call it common sense. It just doesn't make sense to view information security and physical security as two separate things, when you really can't have one without the other, and you can't have both without solid risk management. Maybe autumn is making me overly optimistic. But can I dare to hope that these three tidbits really do mark some kind of milestone for holistic security?