Sage Conversations: Taking a holistic view of security operations

April 22, 2013
Why measuring the total value of security to an organization is vital

I was listening to Steve Lasky’s interview of Mike Howard, CSO of Microsoft, at The Great Conversation in Seattle the other day and was struck by his insight into leadership. I took away the following nuggets:

  • Leadership is selfless. A selfless leader recognizes the worth of the team and, therefore, invests in the development of the people.
  • Leadership understands the mission and goals of the organization and how to mobilize the assets accordingly.
  • Leadership builds relationships both within the team and outside the team, seeking perspective outside the four walls of an office.
  • Leadership is strategic. Blocking and tackling is important and must be measured, but it also must always have a strategic context.

Later, I had these nuggets in mind when I interviewed Benjamin Butchko, the CEO of Butchko Security Solutions. Butchko represents the tip of the spear in the security value stream - his professional discipline and business is to align board-level risk with board-level value and then assist his clients with creating a robust security operation that manifests that alignment. This is a great measurement of success.

When asked what he believed the greatest challenge was, he used a phrase that is commonly associated with corporate bureaucracy: the self-licking ice cream cone.

According to Butchko, the security operations of public and private organizations often have a propensity to focus inward, missing the holistic view of how security benefits the greater organizational mission. Without that perspective, much of the potential value is unrealized.

This happens in the vendor community as well, where the consultant, technology vendor or integrator is so focused on their one piece of the value stream that they miss the sum of the parts.

Butchko provided an example of a holistic view. He outlined four major data elements for one industry that might be identified to truly create an information data model and architecture for security.

  1. The business data: Such as facility, personnel and identity (active directory), and contracts management.
  2. The physical security data: Such as access control, intrusion, video surveillance and voice.
  3. The operations data: Such as SCADA, core process or workflows, raw materials, product stores and locations.
  4. The environment for safety: Such as proper certifications, medical clearances, and travel.

If this data were identified, captured and organized properly, then it could be persistently evaluated in the context of reactive and proactive analysis. This would arm the organization to capture trends that could tell leaders how to improve their operation, as well as predict events in the future.

What Butchko is doing is helping his clients with a provisioning platform for leadership, as Howard has done at Microsoft Global Security with his GSOC (Global Security Operations Center).

How the Butchkos of this new generation of leadership create the platform of the future is still in flux. The Microsoft approach uses commercial off-the-shelf software and devices that, as much as possible, plug-and-play together. This interoperability is something that Howard touches on in his interview and many of the speeches he delivers. However, Butchko is also practicing a different kind of interoperability when reaching out beyond his consulting discipline to understand the best information architecture that will deliver this value to his clients. As Howard advises, Butchko is reaching out to technology vendors, software companies developing on Windows, SQL and SharePoint, device companies and integrators to understand and leverage their knowledge and resources. He is practicing what Howard calls “the interoperability of the ecosystem.”

A device company, ISD, is also practicing its version of interoperability. ISD’s founder and CEO, Ian Johnston, announced a Microsoft-compatible camera at ISC West earlier this month. This is a company moving beyond the current scorecard for a camera to create a true edge computing platform for security applications like access control, analytics, motion, and video management, and for business applications that demand customer trend data and business process data. This is interoperability within the ecosystem to create a multiplication of value (through the sum of the parts). ISD is not in the camera business. They are in the information business. And because of that, they must collaborate to be successful.

Another example of this evolving leadership mindset in the security industry is the Security Executive Council (SEC). Bob Hayes, the managing director of the SEC, and Francis D’Addario, emeritus faculty for innovation services, have created a Next Generation Security Leader Program that aligns with these leadership elements. From the identification of all-hazards risk and best practices that can be accessed through their Collective Knowledge database and consulting network to the accreditation of risk, resilience and security solutions and services through their Solution Innovation Program (SIP), this organization truly looks outward into the marketplace and internally within their leadership community. I was able to personally sit in on an intense one-day format before The Great Conversation in Seattle attended by more than 80 senior leaders within the industry. It was a galvanizing event, since it truly created and encouraged the “interoperability” Howard refers to by combining operational leaders with SIP (multi-disciplined technology and service vendors) members. This led to using the ‘case study’ as an important articulation of metrics and performance. Dave Komendat, the CSO of The Boeing Company, Randy Harrison, director of corporate security at Delta Airlines, and Howard were all featured in the program.

As we move through 2013, I think we might look back on this year as pivotal. The terms we have used within the industry may be changing in scope and value. Terms like integration, risk, metrics and value will become more tangible and measurable. New leaders like Howard, Johnston, Harrison, Hayes, Butchko and D’Addario will also emerge who will lead the way, inspiring confidence that the approach is sound and the industry is ready for leading change and innovation.