A New Vision for Enterprise Security Convergence

The Unification of Security, IT and Enterprise Risk Management Drives the Process


The term “cyberspace” was coined by science fiction writer William Gibson in his 1984 novel Neuromancer, which depicted the world soon to be forged by the Internet as a “Wild West” of lawlessness, chaos and crime. In a 1994 interview, Gibson joked that cyberspace is “where the bank keeps your money.” For security professionals in 2007, cyberspace is perhaps best defined as the place where companies now keep their most valuable assets and where security skills and services are in need as never before.

The implications of the new definition of cyberspace are profound and far-reaching. Today's modern corporation has no real physical boundaries. Sure, the brick-and-mortar facilities still exist, but the most valuable business assets are no longer confined within a physical space or in a locked filing cabinet. Companies now inhabit a virtual universe that banishes space, time and all conventional notions of what is secure and what is at risk.

Hardly a day goes by without new reports of just how vulnerable these boundary-free companies are. Millions of credit records are hacked from a major department store, which waits more than a year to report the loss. Government laptops loaded with confidential IRS and Veterans information are reported missing or stolen, with blame assigned to lax or absent procedures. Global networks of cyberthieves electronically establish new identities and defraud millions of dollars of purchases. The term “identity theft” is on everyone's lips. Millions of people hold their breath while scanning their latest credit card statements looking for fraudulent charges.

If there is a silver lining to the current escalating spiral of cyber-crime, it is that things are reaching a crisis point that will force constructive changes. Companies and government agencies are bracing for lawsuits and class-action claims over their failure to keep customer information confidential. Customers are refusing to shop at companies that report the loss or theft of confidential customer information.

Corporations are beginning to respond to the growing menace of cybercrime with a new comprehensive approach. Enterprise Risk Management is an emerging discipline that has grown out of the world of financial management. It approaches risk management from a holistic perspective – one that can potentially integrate traditional security with information technology (IT) departments and, more importantly, elevate the process to the highest levels of company management where the concept of traditional risk management is well-established and respected.

Badges, Bytes and Beans – A Trinity of Convergence

While the convergence of security and IT has been underway for some time, new developments are both accelerating the process and elevating it to the senior-management level. This is a tremendously positive development for security professionals and for the emerging role of Chief Security Officer (CSO). The three groups engaged in this emerging discipline of comprehensive, enterprise-wide risk management are not strangers. In many respects they are former adversaries, operating in different spheres of their corporate environments with somewhat competing agendas.

One of the challenges facing today's security professionals is to learn the language of bytes and beans and understand how those disciplines interconnect with their own. With that comprehensive perspective, security professionals at all levels can build on their existing responsibilities and take a key role in enterprise risk management.

The Badges: Locked and Secure

Traditionally, security professionals focused on locking things down, restricting access to valuable assets and keeping things secure. Drawn from the ranks of the military and law enforcement, they viewed their role as one of protecting people, facilities, operations and corporate assets. They have traditionally reported to administrative, facilities or human resources departments, and their role was highly structured and limited in scope. Physical access control, keeping facilities secure and the occasional investigation of corporate misconduct defined the boundaries of that role.