Editor's Note: This is the first half of William Plante and James Craft's examination of the CSO/CISO relationship. Check out our October issue for the follow-up.
The vice president for an advanced research lab business unit walks out of one of the company's facilities, a multi-tenanted office structure in a downtown location. He is leaving for a lunch appointment. He opens the door to his car and swings his coat into the backseat. As he does this, his photo ID access badge slips out of his coat pocket and hits the ground. Unaware of the loss, he shuts the door and drives off.
A college student passing through the parking lot sees the photo ID a few minutes later. He picks up the badge and notices the familiar name and logo of the company. He is struck by a novel idea. How far into the facility can he get? He walks into the office area, past the receptionist and into the elevator as other people leave for lunch. He uses the card to activate a floor call button, getting off at the seventh floor. He walks to the next door, uses the card to enter a passageway and begins to wander in the office area.
Since there are not many people there, he takes his time, grabbing a slice of pizza from a box on a work table and deciphering figures and yellow post-it notes on whiteboards. He eventually finds himself outside a lab marked AUTHORIZED PERSONNEL ONLY. He tries the card reader and hears the click of the lock disengaging. Entering the lab, he sees banks of servers, a few laptop computers and more notations on white boards. Again inspired, our intruder takes out his camera phone and snaps a few shots of the room, including himself in one of the photos. For one-upmanship purposes, he sends the photos and the name of the company to a fellow student, a university Webmaster and widely read blogger.
Our interloper leaves the building a short while later, dropping the company badge into a visitor badge drop-box just as his friend is posting the photos to his blog. Highly sensitive proprietary information, including the layout of a restricted lab and the notations on its whiteboards, is now available to anyone who surfs the Web.
Who owns this problem? The corporate security director? The chief information security officer? The vice president of advanced research? The company's president?
Answer: All of them.
The New Enterprise Security
Not long ago, security-related responsibilities were more clearly defined and cleanly separated than they are now. The company president expected security to work and may not have thought much more about it; the business unit managers would wrestle with either the corporate security director or the IT security director, depending on the situation; and each security manager knew the scope of his or her role. Corporate security concerned itself with the physical world, and IT security concerned itself with the logical. The directors of these two departments may have met, but mutual issue identification and strategy development? Probably not. Forward-looking risk mitigation and operational planning? Nope. These two disciplines were competitors for the company's limited internal resources, not collaborators in building an integrated security posture.
That older view of separated physical and logical security is changing in leading enterprises, and it is not hard to see where the corporate security and IT security worlds will fuse together in most organizations.
In the United States, legislative initiatives, most notably the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), are awakening CEOs to the enterprise security risks their corporations face. While enterprise security is not specifically mentioned in SOX, many SOX auditors conservatively interpret the act to include both physical and logical security as factors that must be identified and addressed, since the integrity of financial reporting depends on the controls around the systems and facilities that produce it. Other legislation, such as HIPAA, carries explicit security mandates.