One successful approach to convergence that Williams has seen is placing both traditional and IT security under a single leader, who can be chosen from either group. He has also seen the security functions kept as independent lines of responsibility, with both reporting to a single executive manager outside of either group. In this way, budgetary separation is preserved, but the executive manager combines input from both groups and presents it to executive management.
Corporations can achieve the desired results through a variety of structures. While with Nortel, Williams recalls, “I observed great collaboration between the chief security officer (CSO), who reported to the general counsel, but who also had a dotted-line responsibility to the chief information officer (CIO) for Internet security and follow-ups on investigations. In that case, security didn’t run network security, per se, but it did set the policy and responded to the issues when they occurred.”
Another way is to keep the various functions independent while providing a mechanism by which they can create a unified vision and work toward common goals. To this end, Williams says that some companies are setting up internal security councils. Caterpillar, his current employer, has created such a group, which includes “all the groups that have enterprise security risk pieces.”
At press time, the new council had not yet begun to meet, but of the work ahead, says Williams, “We’re going to…make sure we understand where processes overlap between us to make sure there is no ambiguity.”
The security council is a subcommittee of the enterprise compliance council. “This gives us some leverage to raise issues when we need to with the compliance council, which reports to the executive management and audit committee of the board of directors.”
Williams says that everyone involved in the council understands that the benefits are likely to go beyond reducing risk. Fusing business processes can simplify and strengthen them while also making them more efficient and less costly. As a generic example of the latter, Williams mentions running CCTV systems and access controls over a company’s network. If everyone from operational and physical security is involved up front, the process is streamlined, problems are minimized, and costly mistakes are avoided.
“This has to be plotted out with the right people around the table, because doing this will use a lot of bandwidth and may create unforeseen problems if it’s not worked out with those who know the network best,” he states.
One possible benefit of the current economic downturn is that it may lead to an upturn in convergence, given the potential for cost savings. Savvy security professionals will embrace this trend and work to facilitate the transition.
“Unfortunately, the economy has contracted way beyond our imaginings as of late, and I think we’ll see more and more forced convergences,” says Williams. “[T]hose individuals who can think more on an enterprise level than a functional level and who can see how to prevent risk on an enterprise level will be the leaders after this [economic downturn]. Those who try to hunker down and get by, and to retain what they can of the processes, and not collaborate—I don’t think they’re going to fare very well.”
Across the Enterprise
Tyson literally wrote the book on convergence—or at least a book on convergence: the 2007 volume Security Convergence: Managing Enterprise Security Risk.
“Physical and IT security groups grew up as silos with nothing to do with each other,” says Tyson. In the last twenty-odd years, however, business assets have drifted from being largely stored in a warehouse, or displayed in a store, to much of the value being stored online or on computers. This evolution has changed the business requirements for security.
In the early days of data asset expansion, traditional security practitioners were more than happy to leave the job of digital data protection to the IT staff. Traditional security professionals “were very good at protecting assets and people and at investigating fraud, but [IT security] was completely foreign to them,” notes Tyson.
In reality, both groups were doing many of the same functions. Determining who needed access to information was the same as determining who needed access to a building, he says. In the last decade, many companies began to notice the cost of these duplicate security infrastructures.
“It’s expensive to have two groups that are both managing what is basically access control,” says Tyson, “and if both physical and IT security go to the chief financial officer (CFO) asking for $1 million—one for a new camera system and the other for a firewall—how does the CFO choose which request will provide the greatest benefit to the organization?”
Someone has to have the big picture. But in many cases, “silo mentalities prevented anyone from having an idea of the total risk to the organization,” he says.
“I was head of information technology security at the City of Vancouver, British Columbia, Canada, when it was awarded the Winter Olympics for 2010,” says Tyson. “It was known that budgets were going to be tight and resources were going to be scarce, and the only way that I could see it would work was to merge the two groups and manage them as one,” Tyson recalls.
“I made a case to the executive management team to bring the teams together, saying, ‘I’ll tell you what I’m going to do, I’m going to use less money and need 50 percent less of your time, and I’m going to give you real risk mitigation if you let me do this.’ They were very supportive of that kind of a concept.”