Michael Assante, VP and CISO of American Electric Power and a former US Navy intelligence officer, answers readers' questions about public-private sector partnerships.
Q: The private sector still seems reluctant to share information with the government. What concrete steps can the two sides take to make a stronger partnership a reality?
A: Information-sharing works only when both parties demonstrate value or benefits that outweigh the risk of sharing and losing control over your information. Many share information with the hope that good things will develop and value will be demonstrated over time. Public and private entities' desire to mature and evolve how they create partnerships that manage risk and protect employees, customers' infrastructure and so on is valid, but the consequences and risk associated with providing that information need to be well understood. Always make an informed decision and be able to describe why you thought the benefit outweighed the risk.
Q: How confident are you that when you share information with government agencies, they treat it securely?
A: Your level of confidence develops around two main concepts. First, a demonstrated program needs to be in place that controls sensitive information. This program needs to have direct accountability and an enforced responsibility that requires individuals to safeguard the information. Second, you need to develop a trusted relationship with the principal managers who will receive and handle your information. Certain information requests that are funnelled into a wider, more available data mart represent a real risk to the owner of the information.
Q: Sharing information still seems like a risky thing to do. What will I get in return for taking this risk?
A: There are tangible benefits that develop out of appropriate information-sharing relationships. Your first goal is to provide the information only under conditions where a reciprocal benefit is provided in exchange for the risk associated with losing direct control of your information. Your information-sharing partner should articulate a business case for sharing your information and collaborate with you to establish criteria to measure the value and risk over the life of the relationship. In some cases, you will receive resources and attention during security events, help in determining the threat associated with observed activities or, possibly, federal grant dollars to deploy risk-reducing protective measures.
Q: Do you think physical and logical security should be merged?
A: Yes. Convergence makes sense conceptually in the boardroom and functionally within the organization. Saving security dollars, increasing resource efficiency and providing more effective incident response are great incentives for senior executive support. Convergence is not a matter of carrying out physical and cybersecurity activities on parallel tracks under common management. It combines operations and response under a risk-based and business-centric organizational model. To be effectively converged, a company needs to establish and support security governance over the entire organization.
Reorganizing security programs into one unified activity with an executive leader is one of the only ways to integrate security across the strategic business units of a company. The structuring of security makes it more strategic in its engagement and can create direct links with operations, support, risk management and business development.
A unified program is positioned to enable security as a functional strategy and possibly as a business opportunity. Expanding the view and scope of security is an important enabler in integrating security risk management into an organization. Security's definition is broadened to include physical security, information security, reliability, risk management, new technologies, business continuity and emergency planning.