Security convergence--that is, the true meshing of physical and cybersecurity along with business continuity management--is one of the most logical concepts that's been introduced to the security world in a very long time. Convergence makes sense conceptually in the boardroom and functionally within the organization. It saves security dollars, increases efficiency and provides more effective incident response, all of which are great incentives for getting and maintaining senior executive support.
But here's a warning for all of you daring enough to push for change. You can do everything right as you go down the road to convergence. You can start getting past the cultural and political issues involved with convergence, and you can begin the tedious process of collecting metrics that demonstrate its positive impacts on the organization. But it may not be enough. The new combined organization may become a target of an efficiency program or a general cost-cutting initiative, or it may suffer after a risk decision upsets the wrong inside player.
Then, you may suddenly find yourself overseeing a transition team into the Dark Ages. The CSO is told that the company needs to "focus on other things." But hey, they say, thanks--your efforts have improved security, so we can now go back to business as usual. (And oh, by the way, we now have one less VP mouth to feed.)
I say all this because I've learned the hard way. But I still wouldn't have done anything differently.
The Beginning and the End
There are two camps as far as how companies deal with issues and resolve problems. In the first kind, the CEO hires people and puts them in charge of business units. If things blow up, then it's their problem; it's not the corporation going awry. In the second kind, the business aims for transparency. The CSO outlines risk and works with the business units to accept it.
I belong to the latter camp. When I started with my former employer several years ago, I was asked to build a program that put together all the security pieces, including business continuity, and to be transparent. As a security department, we'd say: Here's where we think we are; we've done vulnerability and risk assessments; here are our results. We strove to make security very much a part of the business process, to be businesspeople who understood how our business worked and built programs that benefited it.
Then the company got a new CEO, who brought in a lot of new executives. At first the organizational changes that followed were presented as cost-cutting measures. But soon it became clear that the new regime thought that transparency wasn't a great thing, and that sometimes it was better to have a risk be the responsibility of a business unit. The new attitude was, "Why are we hearing about this security problem? Here's an issue that we have to deal with now that it's down on paper."
The moment I realized the extent of the change was when the new CFO was indicating to the chief risk officer that there would be changes in risk management. Once I heard that, I realized that the new leadership really didn't like the transparency we had. Culturally, my security program was the same as the CRO's risk management program. I thought the same way he did. If he was going down, and his program was structured the same as mine, that was bad news.
Sure enough, several changes were announced. An internal non-risk management person was taking over a smaller risk management organization, and I was told that the new leadership wanted to transfer me into the shared service organization. Those groups are usually ones that other business units opt into--like with IT projects, you could go outside into the market, or you could go to the CIO. From a security perspective, though, you can't opt in or out of security. It was pretty clear to me, uh oh, here it comes.
I was still the CSO, and I had my first meeting with the head of shared services. At the end of the conversation, that person basically said, your last day will be X days out. The new CEO's view was that IT security is an IT issue, and physical security is a facilities activity. They said, Let's figure out a conversion plan to integrate those pieces back into the different parts of the organization. To deconverge. I had a director for physical security and a director for information security, and management wanted those people to take demotions. It was very difficult.
"The security department had incredible executive support before the leadership transition. There had been nothing but accolades. We had done lots of things that had cost savings. We had gone out and nationally competed our guard-force contract and saved more than US$1 million a year. We were much leaner and more efficient than many of our peers. We had one training group and a common voice to the employees. We had caught incidents, returned property, recovered dollars and stopped internal fraud. We were out there solving problems, protecting value and getting rid of bad apples.
But under a regime where the leadership doesn't like the transparency of risk, those are all bad things. The CEO doesn't want to hear about a serious fraud, even if you brought the money back and caught everyone involved.
The Transparency Backlash
A lot of security guys get away with keeping very under-the-radar programs. They don't bring things up, and they resolve things at very low levels. Maybe it works for them.
For me, I had a three-ring binder with 100 pages of all the incidents that occurred, all the regulatory issues that were affecting us, all the risk remediation activities that we had conducted. I always said, "Hey, I'm not hiding anything. My program is here to support the business. I want absolute transparency." In the end, it worked against me. If anybody wanted to take a punch at me, they could. I provided all the information.
I don't think I would have been able to stomach taking the program so far under the radar that it wasn't an issue with the new leadership. I always thought we could let our accomplishments speak for themselves. But in the end, the decision for the company to deconverge seemed like an emotional outcome of how the new leadership liked to think about the world.
Even with everything that happened, even after watching my unified security department be systematically taken apart, I still really believe in the convergence model. I believe that today's security organizations need to be wholly unified and manage all security risk across the organization. Traditional walls between security disciplines have to come down, and new positions have to be created to consolidate functions such as reporting, incident response, blended risk assessments, security policy and standards development. This combined security framework, which is made up of many integrated processes, begins to create its own business function, and it moves toward a security governance model that is better suited to support and guide the organization. The process of architecting this structure emphasizes the requirements and scope of the program, and it raises security awareness. It allows the security program to identify opportunities where security can produce business benefits, increase system and resource efficiency, and achieve enterprise compliance.
A converged organization is positioned to make security a functional strategy and possibly a business opportunity. Expanding the view and scope of security is a necessary part of integrating security risk management into an organization. The definition of security is broadened to include physical security, information security, risk management and business continuity. A CSO with this functional breadth provides more value to the organization and to the overall leadership team.
The overall goal is to embed security into business processes and executive decision-making. This is the convergence recipe. The only ingredients that the CSO can't provide are forward-thinking senior executives who are willing to do more than pay lip service to ensuring the company's sustained secure performance--even if this support stems only from the realization that security will protect their lucrative jobs and incentive plans.
In doing all this, though, the CSO is taking a personal risk--first, by getting that level of visibility, and second, by consolidating what in some people's minds are several cost centers into one bigger cost center. In a Fortune 500 company with many executives, the CSO, usually one of the junior executives, is opening himself up by getting that level of attention in the boardroom. You're going to get your advocates, and you're going to have the folks who traditionally will look at security as a cost center no matter what.
There were certain executives that appreciated our level of transparency and were strong advocates. There were others for whom it was too much. They didn't want to review and approve the policies we were writing. They saw security as cumbersome. Low-level grumbling about security ensued, growing louder, more insistent, its increasing volume usually inversely proportionate to its substance. When this happens, it's only a matter of time before CEOs are making critical decisions on security initiatives--and even on the continued existence of the security program itself--that are based on 10 percent facts, 80 percent blind acceptance of unfounded opinion and 10 percent their own uninformed conclusions. The attitude becomes, Don't ask the security experts; they'll probably just muddy up the water.
Some of us will not survive the process, and organizational pressure will push the unified organizations back into a more traditional cost center model. Some will successfully make the transition, and slowly over time this new and valuable approach will become the norm. Down the road, I hope to be CSO of an organization where convergence is not just the reality, but the norm. I'm optimistic that I will be. I even predict that in a few years, my former employer will go back to the converged model.
Everything worth achieving comes with risk. As CSOs, we do our best when facing and managing risk. We should continue to take the challenge and go into the breach. Chasing after a unified program is worth it.
This column is written anonymously by a real CSO. Send your comments via e-mail to firstname.lastname@example.org.