Ready to Rumble: CIOs and CSOs Face Off

We've talked a lot about the convergence of security functions over the last few years. The hitherto separate functions of physical security and information security appear to be merging. Some companies are leading the charge, while some are struggling to adapt, and others are actively resisting the change or indicating that the new model would not fit in their corporate culture.

The convergence topic has raised some interesting debates, one of which revolves around the relationship between the Chief Information Officer and the Chief Security Officer. Changing technology has transformed both of these positions in the last 20 years, and now convergence is beginning to draw them closer together (too close for comfort, in the eyes of some).

In This Corner: The CIO
Early use of computer technology was based on department-level computing and task-specific processes. Over time the integration of computerized systems began to cross department and functional boundaries. When companies noticed the increasing cost of maintaining multiple computer systems for each department, they began to centralize the disparate functions. The use of technology became a career path for a new kind of department and a new kind of employee.

The new department was in charge of data and data security. It was staffed by technicians who understood computers and who provided support and solutions for specific applications. But these technicians had other duties as well, and they did not see their computer work as a professional career path.

As new applications evolved, the department grew. The company became dissatisfied with the department's cost of operation, so distributed processing and client-server computing broke the mold once again. At the same time, companies began to realize the business value of information. The department changed its name from data security to information technology. Enter the Chief Information Officer.

The CIOs of today are both highly technical and business savvy. They are chartered with helping the business use information to support its business model. They ensure that the information is useful, accurate and available. They also help find new and creative ways to use information to further the goals of the organization.

Many companies employ or have employed a Chief Information Security Officer in this department as well. This individual orchestrates the protection of information and reports to the CIO.

In That Corner: The CSO
The development of the CSO position took a more convoluted and tortured path. The physical security function historically concerned itself with topics such as loss reduction, theft prevention and property destruction, external threats and countermeasures, access controls, security guards, surveillance and investigations.

Often physical security departments (usually called, simply, security departments) reported to the facilities or real estate departments. Most security directors were retired law enforcement or military officers. Physical security was often viewed as a cost of doing business. It was rarely seen as a strategic value to the organization. Then convergence began to make its mark on the traditional security department.

Many companies see cost-containment advantages in consolidating IT and physical security controls. More and more new security products incorporate aspects of IT and physical security in their feature sets, forcing security departments to work closely with IT or to learn their bailiwick. Perhaps the most important factor is companies' perception of increased security risk in the United States.

As the importance of security became a more critical issue in the boardroom, companies realized they needed to focus executive attention and support on that function. They began to look for C-level officers to head security with direct access to the CEO and with some control over both information security and physical security. The regular conflicts of interest between the CIO and CISO in the IT department drove home the need for an independent reporting structure for security.
