We've talked a lot about the convergence of security functions over the last few years. The hitherto separate functions of physical security and information security appear to be merging. Some companies are leading the charge, while some are struggling to adapt, and others are actively resisting the change or indicating that the new model would not fit in their corporate culture.
The convergence topic has raised some interesting debates, one of which revolves around the relationship between the Chief Information Officer and the Chief Security Officer. Changing technology has transformed both of these positions in the last 20 years, and now convergence is beginning to draw them closer together-too close for comfort, in the eyes of some.
In This Corner: The CIO
Early use of computer technology was based on department-level computing and task- specific processes. Over time the integration of computerized systems began to cross department and functional boundaries. When companies noticed the increasing cost of maintaining multiple computer systems for each department, they began to centralize the disparate functions. The use of technology became a career path for a new kind of department and a new kind of employee.
The new department was in charge of data and data security. It was staffed by technicians who understood computers and who provided support and solutions for specific applications. But these technicians had other duties as well, and they did not see their computer work as a professional career path.
As new applications evolved, the department grew. The company became dissatisfied with the department's cost of operation, so distributed processing and client server computing broke the mold once again. At the same time, companies began to realize the business value of information. The department changed its name from data security to information technology. Enter the Chief Information Officer.
The CIOs of today are both highly technical and business savvy. They are chartered with helping the business use information to support its business model. They ensure that the information is useful, accurate and available. They also help find new and creative ways to use information to further the goals of the organization.
Many companies employ or have employed a Chief Information Security Officer in this department as well. This individual orchestrates the protection of information and reports to the CIO.
In That Corner: The CSO
The development of the CSO position took a more convoluted and tortured path. The physical security function historically concerned itself with topics such as loss reduction, theft prevention and property destruction, external threats and countermeasures, access controls, security guards, surveillance and investigations.
Often physical security departments-usually called, simply, security departments- reported to the facilities or real estate departments. Most security directors were retired law enforcement or military officers. Physical security was often viewed as a cost of doing business. It was rarely seen as a strategic value to the organization. Then convergence began to make its mark on the traditional security department.
Many companies see cost-containment advantages in consolidating IT and physical security controls. More and more new security products incorporate aspects of IT and physical security in their feature sets, forcing security departments to work closely with IT or to learn their bailiwick. Perhaps the most important factor is companies' perception of increased security risk in the United States.
As the importance of security became a more critical issue in the boardroom, companies realized they needed to focus executive attention and support on that function. They began to look for C-level officers to head security with direct access to the CEO and with some control over both information security and physical security. The regular conflicts of interest between the CIO and CISO in the IT department drove home the need for an independent reporting structure for security.
The new C-level position appearing in companies nationwide is the Chief Security Officer. While different businesses handle this role differently, the CSO is commonly charged with responsibility for strategic vision and leadership in the provision and management of all security functions in support of the company's goals and objectives. ASIS provides an excellent source for understanding this role. Its Chief Security Officer Guideline can be accessed at www.asisonline.org.
The CSO and CIO appear to be set up for conflict. To better understand the nature of the tension and evaluate its legitimacy, we should look at the target achievements for each role. What makes these two professionals sit up and take notice?
Let's start with the CIO. What yardsticks does the organization use to determine whether the CIO is effective? They include system and network availability, system and network throughput, system response times, and innovative uses of new technology to enhance and support business objectives. The CIO makes sure things can be done and gets them done efficiently and cost effectively. The CIO often has a level of responsibility for the security of the corporation's information as well, but indirectly or through the influence of other resources, like the CISO.
The CSO, on the other hand, is responsible for the security of the information and assets of the corporation. He lives in a world of risk assessments and risk management, policy and establishing governance, access controls, prevention controls, detection controls and mitigation strategies. The CSO prevents bad things from happening to information and assets. He has a responsibility for ensuring availability of information as well, but indirectly or through the influence of others.
To illuminate these differences, we can look at the focuses of the CIO and the CSO in several security scenarios and functions.
- Theft of a laptop. The CSO is responsible for preventing theft and investigating it when it occurs. If the laptop has sensitive information on it, the CSO must consider the safety of trade secrets, privacy issues, company confidential information, and the recovery of that information. The CIO may also have an interest in the lost information; however, if the information is recoverable from a backup, the CIO is often done at that point. The CSO has to answer questions such as how many thefts have occurred this year, their cost, and what the company is doing about it.
- Managing a firewall. In some companies, the operational aspects of firewalls fall under the CIO, while the policy and governance of the use of the firewalls is controlled by the CSO. In others, firewalls fall under direct control of technical security staff under the CSO. All this depends on each executive's level of expertise.
- Controlling an IP-enabled CCTV system. The CSO is on point for requirements, governance, operational controls and use of the system. The CIO provides the appropriate bandwidth and availability of the connections over the corporate backbone.
These examples illustrate that the overlap between these positions can be peaceful. But there are plenty of examples out there of the relationship not working the way it should.
Let's consider two examples that illustrate some of the potential tensions in the CSO/CIO relationship.
Example 1. The CIO complains that the CSO's security controls are slowing things down. The impact of the security controls is perceived to be interfering with the delivery of business benefit to application users. The complaint revolves around a proposed business-to-business connection over the Internet. The company, a financial institution, wants to take advantage of a particular vendor of services and needs to establish a network connection with that vendor.
The CSO has a rigorous process that screens potential vendor connections for a battery of security-related issues and controls to ensure no connection presents an unreasonable risk to the organization. The connection is evaluated based on risk management, compensating controls, mitigation strategies and recovery considerations. Establishing all of this takes some time. In addition, because the company is a financial institution, it requires anyone requesting access to its network to undergo a criminal background check. The vendor in question does not have a criminal background check to offer and refuses to submit to one out of philosophical disagreement with that concept. Therefore, the connection is rejected on the grounds that it violates company policy. The CIO is being criticized for not finding a solution to the challenge, but he feels that the CSO is inflexible and is not offering any other solution to meet the need.
Example 2: The CSO complains that the CIO's networking staffs are compromising corporate security by running fast and loose. The CSO has established corporate governance, policy and procedure for the security configurations and management of the network perimeter. These policies encompass firewalls, routers, hubs, switches, and other key network components. A network security audit discovers that a number of wireless access points throughout the network did not go through any security review or risk analysis when implemented. They were implemented by network support staff to provide increased speed of response to network service ticket resolution.
Effectively, in the interest of providing superior response times to service requests, the network security was compromised. Now the CSO is being criticized for being unaware of the exposure, but the CSO feels the CIO is not supporting security requirements. In both cases, there is ample opportunity for teamwork and mutual support. For various reasons this simply did not happen. In both cases each person feels the other created the problem. The end result of each example is increased cost and business delays.
The Ideal Relationship
The CIO and the CSO need each other. Each of them has a functional degree of overlap with the other. Each can assist in the successful completion of the other's responsibilities, and each can negatively impact the other if they do not have a solid working relationship. I attend trade shows and conferences from both the physical security world and the information security world. Both sides recognize that convergence is taking place at least in the technology used by both groups, if not in the functions themselves. Both feel that they should lead the charge to the ideal CSO position in corporate America.
Ironically, both sides seem to feel they are the only ones who truly understand what security is all about. My experience tells me that neither of those disciplines has any natural ownership of this topic, nor does either have an automatic advantage over the other. I believe the talent and ability of the individuals involved will determine who will lead that charge.
To quote Richard P. Tracy, CSO of Telos and Xacta Corporations: "Based on research, security is clearly a critical business priority. The CIO position owns the overall responsibility for IT performance and return on investment, while the emerging CSO position champions secure computing practices. These different objectives can result in unproductive tension between two important executive positions. For organizations to realize the maximum business efficiencies without exposing the IT infrastructure to dangerous vulnerabilities or compromising the integrity of information assets, a cultural shift must occur by which CIOs and CSOs forge synergistic, rather than silo-ed, relationships based on common goals."
Since they effectively speak the same language, the CSO and CIO have the opportunity for mutual respect and support. They can start by simply getting to know each other and spending some time finding out each other's goals and objectives. With that level of understanding they can develop a dialog for mutual support.
I've always believed in the philosophy that anyone in a leadership position needs to be focused externally. A leader's job is not to win, it is to help his peers, his subordinates, and of course his boss, be winners. Think of the CIO and the CSO as the offense and defense of a football team. If one of them is successful and the other is not, the whole team loses.
Eduard Telders has been the security manager for PEMCO Financial Services for 16 years. His responsibilities include physical security, information security, corporate contingency planning and safety programs. Mr. Telders has been providing security management for information and physical security in the banking, insurance, and financial industries since 1981. He is active in a number of security trade groups and associations, such as ASIS and ISACA, and has been a frequent contributor of security articles and speaking engagements for journals, conferences and seminars.