There is a story that circulated soon after September 11 of how the CEO of a large US company summoned his head of corporate security and his head of IT security to discuss the firm’s exposure to disaster. The CEO watched agog as the two executives greeted each other for the first time. Worse followed when it became clear that neither security professional had a coherent strategy let alone any semblance of coordination.
Global IT advisory firm Giga Information Group says it heard similar anecdotes again and again from business leaders who were dumbfounded that two internal departments, each charged to manage business risk, knew so little about the other. But if the management gurus are correct — and if present indications are any guide — this disconnect, like September 11 itself, will soon be part of history. Today, Americans and Europeans speak of the “new normal”: that state of being in life, as in business, where nothing can be taken for granted, least of all the security of the human and infrastructure assets that drive all businesses, governments and countries.
It was once the case that the security of all an organisation’s assets was the responsibility of one person, who usually came from a physical security background. Information security, such as it was, also belonged to this someone. They set up the accounts and assigned passwords. Then the Internet changed everything. As information technology became more interconnected and integral to an organisation’s prosperity, its security was separated from the person who issued ID badges and ensured that fire regulations were observed. But the pendulum is swinging again. Steve Hunt, a vice president and the security research leader at Giga, says the idea of two security departments is understandable because physical security technologies require different expertise from IS technologies. Best practice in security now says that having isolated parts of an organisation monitoring particular pieces of risk is less effective than managing enterprise risk.
“In the past, business managers blissfully relegated technical risk management to specialised IT and corporate security teams,” Hunt says, “while corporate security personnel focused on employee safety, crime prevention and physical risk management. IT security staff had their own interests, such as logical perimeter defences, password management, hacker prevention and Web site security. But after September 11, it seems common to hear security referred to in terms of business value and business process. For example, disaster preparedness, competitive espionage and cyberterrorism each impact the entire company, its shareholders, its employees and both sides of the security program.”
It is increasingly the case that the one person — a very particular person — holds the brief for the security of everything the enterprise holds dear. Today’s mantra is that risk management is as specialised and as vital as information management or financial management. Business continuity planning has brought the physical and IT security worlds closer together because management knows its business is just as susceptible to a flood, fire, theft or a bomb as it is to a hack, a computer failure or a rogue programmer. In the wrong hands, weapons of mass disruption are as scary as weapons of mass destruction. Continuous advances in technology and the realities of today’s world have catapulted the security executive to the door of the boardroom alongside CIOs and CFOs. The chief security officer (CSO) has arrived.
What is at risk? Everything. People, information, machinery, software, hardware, intellectual property, customer privacy, buildings, the company jet, the organisation’s brand, its reputation, the air-conditioning — even the water supply. Such is the delicate nature of security matters for our large corporates that the recently appointed CSOs of Sydney Water and Telstra declined to speak with CIO. An Australian-based CSO who would speak requested anonymity. It’s easy to see why.
“Corporate security remains an immature, inexact science,” he says, “in which neither the physical security nor IS professionals have sold themselves as practitioners of a strategic function.
“As a result, there is a lot of tactical and operational effort occurring that provides organisations all over the world with a level of comfort. As long as people see money being spent, they’ll think they must be doing something useful. The reality is that we have really only scratched the surface of understanding enterprise security and we are a long, long way from being able to manage it.”
Dean Kingsley, the head of enterprise risk services Asia-Pacific at Deloitte Consulting, says the Bali bombing and Australia’s close allegiance to Britain and the US have changed forever the risk profile of Australian organisations — public and private. He says many have responded by focusing on physical security after promoting IS [security] during the dotcom years. But Kingsley sees a time, fast approaching, when the disciplines will be one.
“In the case of Telstra and Sydney Water they would probably say they have got there already,” Kingsley says. “But they’re the exception rather than the rule. Their senior security people come from a physical security background. They would have needed to upskill on IS. It will be interesting to see when we get the first examples of an IS professional taking over physical security responsibilities.”
Kingsley believes there is little mutual understanding between the physical and IS communities. IS professionals typically come from an IT background. People in physical security roles come mostly from law enforcement or some variant like the military. Their DNA is different. Giga says IT security staff often think they are inventing security measures, unaware that corporate security is rooted in hundreds of years of public safety know-how.
“There is a segment of the IS industry that comes from the intelligence community and that has some crossover with the guns and bombs crowd,” Kingsley says. “You’re dealing with ex-cops on one side and ex-computer geeks on the other. They don’t have a lot in common — no shared vocabulary and no shared view on life. They have very different ways of thinking.”
This makes Darren O’Loughlin rather unusual. He’s a computer geek and an ex-cop. Now the director of IT security at Ernst & Young, O’Loughlin is a former Victoria Police Force detective who spent years in its Computer Crime Investigation Squad. He was responsible for the design and management of the squad’s secure internal networks and its covert Internet investigations. His experience includes network security, computer forensics, incident response, systems development, strategic planning and disaster recovery. O’Loughlin is convinced the worlds of physical security and IS are merging.
“We have reviewed the information security operations at many different companies and the ones that are really successful demonstrate six characteristics, one of which is a strict adherence to physical security disciplines,” O’Loughlin says. “It goes back to the adage that you are only as strong as your weakest link. Many sophisticated IT security matters depend on mundane physical security controls. For example, making sure that only people with the appropriate authority have access to certain systems.
“To me, merging physical and IT security functions is a natural process. But while both disciplines are aligning, we’re also seeing the enterprise risk management strategy function splitting from day-to-day security operations. That’s because security now requires a strong voice at a senior level — a person who doesn’t have time to worry about fire extinguishers, ID passes or the lifts.”
Security advisers like Hunt, Kingsley and O’Loughlin say different kinds of threats demand different kinds of management and specific knowledge.
“How do you protect a person against kidnapping or a facility against bombing as opposed to protecting a system against hacking?” says Kingsley. “Clearly, at operational level, you need different competencies. But when you go to a level above that, where the job is to understand and manage risk, make cost-benefit decisions on behalf of the organisation and gather intelligence on where threats are most likely to manifest, it’s the same discipline.
“Between the two communities we’ve got the spectrum of security needs covered, but because they are not well coordinated you won’t find many people who can do both,” he says. “If you found a great IS manager they would understand the broad nature of their threat environment, how to quantify risk, how to put together a compelling ROI case or how to invest in counter-measures. But they wouldn’t know how that translates to the physical environment.
“Much of the gap between IS and corporate security is as much about vocabulary as it is knowledge. Both know more than they think about the other’s job. But the language in each is so unique that a mystique is built up in both fields that makes each feel exclusive. One of the challenges is to get them cross-pollinating in order to create CSOs who can straddle both worlds credibly.”
Learn from the Pros
To appreciate how security will infiltrate every part of business, consider how security services operate. ASIO is Australia’s premier national security agency. One of its prime roles is protecting what is known as Australia’s National Information Infrastructure (NII) — that set of information networks essential for our society to function. It comprises the telecommunications and information networks that support the nation’s banking, finance, transport, distribution, energy and water, and critical government functions such as defence and emergency services. As our society becomes increasingly interconnected, the vulnerability of the NII to attacks from hackers, criminals, terrorists or hostile foreign powers increases.
ASIO says international relationships have become more fluid and spying remains widespread. Australia has information and technology that other countries could use to their advantage. Agents of foreign governments are posted here to collect such intelligence. Some carry shopping lists of scientific and technical knowledge their governments want. One of ASIO’s priorities is to monitor the interests and activities of these agents.
Risk is a key concept in such planning. ASIO uses a risk management model to assess and manage levels of risk to national security. Quantifying the risk involves examining the harm that might be done, for example, by operatives of a foreign government’s intelligence service and comparing this with the level of threat. By considering the harm (How bad would it be?) against the actual threat (How likely is it to happen?), ASIO calculates an assessment of the level of risk.
The ASIO model for assessing risk has wide application and other government agencies have begun using it to determine their own risk levels and security needs. The intention is to help security personnel understand the distinction between risky management and risk management.
And so it is in business. Those who have been employed for years to manage risk know the ASIO approach. They say it is a strategy that will become common among Australia’s public and private organisations since they are all in some way attached to the NII or have their own interconnected infrastructures to protect.
The Shadow Minister for Information Technology, Senator Kate Lundy, continuously pursues the federal government with claims that it does not do enough to protect Australia’s NII. She says that in the wake of the increased terrorist threat posed to Australia the government cannot afford to trail international standards on e-security by investing such small amounts.
According to Leif Gamertsfelder, the leader of the e-security group at law firm Deacons, Canberra spends 32 cents for every man, woman and child on e-security, compared to the US government’s outlay of $28 per head.
Mark Ames began his career in information security as a “cold warrior” with the US National Security Agency (NSA) in West Berlin. He has extensive policy, technology and risk management experience through his work as a security manager for several large firms and as CTO of TruSecure Asia-Pacific. Ames chairs the board of the Information Security Research Centre at the Queensland University of Technology. He also chairs the Information Security Interest Group in Australia, sits on the Standards Australia Committee for Information Security and consults to many companies and governments through his company, ICT Risk.
“The trend I see is that organisations have someone — and this is often a new position — looking after operational risk,” Ames says. “This used to live with the CFO’s office but more and more it’s with the risk management executive.
“If the company is big enough to do international business the first thing this person will manage is currency risk, then product liability, insurances, OH&S, public liability, handling the media, etc. And creeping up on all this is IT, which is now a major component of operational risk. It gets the same attention shown to managing people, raw materials, stock, the manufacturing process, intellectual property, finances, etc. It’s right up there with the ‘big rocks’,” Ames says.
“I’ve had discussions with colleagues from the physical security side and from the IS side and there seems to be a fight for who will get the territory. The physical security people seem really keen to latch onto it since traditionally, their role has not been high up the food chain.”
Ajoy Ghosh is an independent consultant who also lectures in cybercrime at the University of Technology, Sydney. He is a former NSW police investigator and manager of IT security assessments & investigation for Westpac. Ghosh says there are two things driving the importance of IS security: the recognition that security is no longer about protecting technology but about protecting the brand; and the personal liability now faced by company directors who know that catastrophes can hurt their own pockets or land them in gaol. Suddenly, an executive to manage security is a sound investment.
“This person is way past managing firewalls or responding to incidents,” says Ghosh. “They set strategy and establish sound security governance across the company. They’ll come from a diverse range of backgrounds and have diverse skill sets, but what stands them apart is their abilities to promote the notion of security in-house and to rapidly collect and understand information about their organisation.”
Ames says executive management committees will seek in a CSO what they sought from CIOs when they reached the big table — plain-English explanations of complex concepts, detailed reasons why security is important and fiscally sound arguments as to why it should attract investment.
“Picture a CSO asking a board of directors to imagine their company’s manufacturing database — the one that organises all the jobs and runs all the machines — being out of action for half a day,” he says. “That’s when they begin to realise the impact. But it’s still very much an educational process, even if you get past this obstacle.
“The board knows of a problem. It knows they have to do something. But before they commit resources they need to understand what they are doing and why. This is where the CSO comes in and it’s why they will need to be a person who understands security, IT and the business. It’s their mission to get their C-level colleagues thinking of security as a business enabler, not just as an insurance or a tax.”
Ghosh says two of the issues that face IS managers and people who want to be CSOs are understanding how to get investment and how to investigate an incident.
“I see many people who are great security managers. They understand risk, they understand the technology, they know how to run a security operation; but they don’t know how to sell security to the rest of the executive team or how to get the dollars to pay for it. It’s one thing getting money after an incident, quite another to get the investment necessary to prevent one.
“And while the ex-cop might bring a lot to a cyber investigation they don’t necessarily make the best cyber investigators. One of the problems I see time and again is the person who believes they have all the expertise to move an investigation from front-line technical forensics all the way through to the courtroom. This isn’t possible. There are too many disciplines involved and the one person cannot be skilled enough in them all,” Ghosh says.
While the CSO or equivalent may not have an IT background — some of the most successful CIOs don’t come from IT — Ghosh says people from law enforcement and the security services will need to develop sound business skills to apply their risk management expertise to organisations driven by profit. “I know of one large organisation that recently hired a CSO from an intelligence background, but the person concerned recognised — to their credit — that they needed to spend time outside security to improve their business acumen,” he says.
Despite knowing many former Australian Federal Police “computer cops” now working for large management consultancies, Ames says his experience with people from security agencies, the military or law enforcement is that they “do things by the book”.
“They often don’t have an understanding of the underlying business principles, the ability to think outside the box or the flexibility in the application of controls and solutions,” Ames says. “They are not commercially orientated. People from the military or law enforcement are ultra risk-averse. They have to be. That’s fine for that area, but it’s difficult to modify years of training and experience so that they understand that at times, in business, it’s OK to take a risk.”
And at other times, of course, it isn’t. Companies with operations in the Middle East, Africa or South America know through painful experience that their executives face many personal risks. Food manufacturers or pharmaceutical companies live in fear of product tampering and extortion. Water and gas companies dread the nightmare of sabotage. Such risks have little to do with IT and belong with an executive who has the rat cunning of a physical security background.
However, Ghosh spoke of a large Australian financial enterprise in which the same executive responsible for IS organised the evacuation of its Australian branch managers from Fiji soon after the military coup of June 2000. And to illustrate how some organisations now approach security Ghosh quoted The National Counter-Terrorism Capability Assessment conducted by Deloitte for Australia’s Protective Security Coordination Centre (PSCC).
The assessment says: “A security manager should be looking after assassination, hijacking, hostage-taking, chemical attack, biological attack, radiological or nuclear attack, explosive materials and devices, other hazardous materials and devices, and cyber-attack.”
The PSCC is the Commonwealth agency responsible for managing Australia’s protective security, counter-terrorism and dignitary protection. This includes security for high-risk premises and persons such as ministers, their families, staff and foreign dignitaries. The PSCC also promotes security through training programs on physical, computer and personnel security.
CIOs already labouring under their current responsibilities should not contemplate taking on such physical security concerns, but perhaps a career as a CSO awaits.
“In the early days, CIOs had a life expectancy about the same as a second lieutenant in Vietnam,” says Ames. “There’s still high turnover, due to stress and a perceived inability to perform against expectations that are set way too high.
“The true CSO role is about making people feel like everything is under control. Even though it’s very challenging — and if the shit hits the fan they have to deal with it — I think the stresses are quite different from being a CIO. I can imagine many CIOs wanting to be a CSO. It would be a nice, quiet change,” says Ames.
Kingsley says IS professionals are broadening their horizons beyond IT so that their interests are better aligned with someone of a risk mind-set. They understand that security’s task is to uncover the real threats, not get sidetracked down blind alleys.
“It’s folly for a security executive of any sort to put all their energy into managing a certain threat if they leave their organisation vulnerable to more dangerous threats,” he says. “Cyber-terrorism or massive business interruption is awful enough, but it remains extremely unlikely. Contrast this to the rogue employee on your network right now stealing customer lists or intellectual property. Which threat do you want to worry about?”

Both physical security and IS experts agree that the biggest challenge facing Australian security executives is managing the perception of what represents real risk. No one should discount the threat of terrorism, especially any organisation located in a CBD. The possibility of having a building disrupted is real, they say. But at the same time, they caution that talk about “real” threats implies that there are sound benchmarks in place or effective information sharing. There isn’t.
“There’s plenty of half-truths and guesses, but unfortunately, the best judgement of whether an organisation is focusing on the right things comes after they have an incident,” says Kingsley.
“People put too much faith in what they read, what they hear or what their colleagues are doing rather than thinking about the real threats themselves,” he says. “There’s a fair amount of the herd mentality in security and there’s plenty of complacency. Organisations are over-estimating how good their controls are or underestimating the danger, particularly for internal threats. Anyone who thinks they are on top of that issue is absolutely kidding themselves.”
Cop It Sweet
O’Loughlin is often surprised how his experiences as a police detective — and the law enforcement mind-set — continue to help him in his current day-to-day with Ernst & Young.
“The ex-copper has the experience of speaking to people across society — from judges to street criminals,” he says. “He knows human nature. He understands the concepts of incident response. He has an investigator’s mind. He knows how to collect evidence that must later withstand judicial scrutiny. It puts him a long way ahead of the IT expert who simply doesn’t realise that you have to think like a thief to catch a thief.”

The Australian CSO who asked to remain anonymous says September 11, Bali, the war in Iraq and the civil unrest now evident on Australian streets present corporate leaders with dramatic new business imperatives.

“We’re faced with threats now that once seemed fantasy,” he says. “Security must move from a focus on insurance policies and infrastructure protection to become a core element in strategic business planning. It’s what Booz Allen Hamilton call ‘interdependence risk’. They say that no organisation is an island in today’s global business environment and they warn that terrorists will continue to exploit the soft underbelly of our interdependent economies.

“This reality has forced entire industries to restructure. We have to make our people feel safer; have contingency plans to counter predictable and unpredictable events; safeguard networks that extend beyond the company; and make it all cost-effective — as if you can put a price on safety.
“Some days it all makes me feel more like an army general than a business executive,” he says.
Pros
+ Provides better protection with one coordinated threat response plan
+ Saves money by eliminating redundant functions
+ Gets an integrated view of your security landscape
+ Improves security effectiveness by looking at both IT and physical angles

Cons
- Doesn’t make sense for every company
- Requires a mix of both physical and IT skill sets
- Complicates the reporting structure
- Moves security employees outside their regular environment and reduces their efficiency
SIDEBAR: Training the Two-Headed Beast
Are certifications a valid mark of a person’s skill and knowledge level, or are they just resume fluff?
Security bodies in Australia such as the Australian Security Intelligence Organisation (ASIO) and the Australian Security Intelligence Service (ASIS) are reaching out to engage the IS community. Individuals within the intelligence community realise this is where their futures lie. They see themselves as best placed to fill the emerging CSO roles and they are jockeying to benefit from the demand.
Corporate security professional bodies such as the Australian Security Industry Association Limited (ASIAL) and the Australian Society for Industrial Security (ASIS) are actively promoting the CSO concept and the integration of the physical and IS professions. Dean Kingsley, the head of enterprise risk services Asia-Pacific at Deloitte Consulting, says he is intrigued that local IS professionals, by and large, are not positioning themselves for the CSO trend.
So what makes a great CSO? Where do they come from? What will companies need them to do?
Emma Stonham, a spokesperson for Candle IT Recruitment, says Australian companies are looking for a very particular person to fill the senior security executive role. Candle’s experience is that the CSO role is difficult to fill. They see many companies retraining senior IT staff to meet new security needs.
“Companies want it all in the one person,” says Stonham. “Not only do security managers need to be able to manage aspects of security exposure for the business, such as firewall and WAN/LAN security, they need to be able to develop and implement IT and business strategies too. The job covers everything from security of data and information to security passes and intellectual property.
“This growing security need is taking the security executive higher in the organisation. They are now contributing with their own project plans and business plans, not just following orders from the CEO or the CIO,” she says. “The new security outlook even means some are now the decision makers within the IT environment with regard to new implementations and direction.”
In Demand

There are perhaps fewer than 100 certified information systems security professionals (CISSPs) in Australia — a qualification in such short supply that it is on the federal government’s Migration Occupations in Demand List. This certification is primarily for those in security consulting and is regarded as a well-recognised credential for CSOs. But the CISSP exam has been criticised in the past for being too broad or for its supposed focus on the needs of US government and military organisations — precisely the characteristics that have brought it back into vogue.
Meanwhile, a new qualification is emerging called certified information security manager (CISM). It is being packaged and operated by the Information Systems Audit and Control Association (ISACA), a global professional body that promotes IT governance. CISM springs from the realisation that most security training and certification focuses on lower level technical solutions. Even a certification like CISSP concentrates on tactical and procedural matters. The industry has also become concerned about measurement. How do security professionals know if they are succeeding? How do they avoid over-optimism? What is the compelling reason to combine the physical and IS functions? CISM is designed for IS managers facing these questions. Its proponents say CISM is not a CSO certification — although that might be a logical next step — but one for chief information security officers (CISOs).
Skills Gap

It came as no surprise last year when a national study by the IT Skills Hub called IT Security and Risk Management Skill Requirements found there was an urgent need for staff with both IS skills and corporate risk management knowledge.

The study involved detailed interviews with senior security risk managers at leading organisations, vendors and education providers. It revealed that even though enterprises are aware of their perceived and real IS vulnerabilities, companies and education authorities are not doing enough to close the growing skills gap caused by corporate Australia’s new focus on security. The findings indicate that leading companies are incorporating IS within their overall corporate audit and risk management strategies to comply with emerging national and international standards for e-commerce. The study noted that Australian companies wanting to participate in global financial transactions must comply with standards such as the Basel Accord and Identrus, which set international benchmarks for managing IS risk, privacy and associated legal issues. This is stimulating demand for people with more than just technical security skills. The corporate world now wants people who can reconcile IS performance with corporate risk and compliance issues.
The IT Skills Hub report recommended that IS and risk management should be fundamental components of all tertiary computer courses. It also said business courses must include training in managing IS as an integral part of corporate risk management.