Aligning Security with the Business Model
CSOs and CISOs at SecureWorld Expo discuss their challenges with getting top-level attention for risk issues
By Steve Lasky, Editor-in-Chief, Security Technology & Design magazine
Detroit, MI – If convergence is the buzzword being bandied about by both corporate and IT security professionals today, then "ensuring your department is aligned with the company's business model" is their mantra.
That was the message being preached by upper security management this week to CSO- and CISO-level attendees at Dearborn's Henry Ford Conference Center during the fifth SecureWorld Expo event of the year. This regional conference, which visits eight major cities during the year, is dedicated to educating security end users and systems integrators about the evolving convergence security landscape, not only from a technology standpoint but from a management perspective as well.
One of the most compelling discussions in Dearborn occurred in an invitation-only peer-to-peer roundtable co-sponsored by Security Technology & Design magazine and the CSO Executive Council, which featured more than 25 top CSOs and CISOs from the top corporations from the Detroit area. The roundtable, titled "Aligning Security with the Business Mission", made a bold statement concerning the disconnect between the strategic mission of both physical and IT security and the C-level suites to whom they report. "You have to remember that your department's performance is constantly being measured, whether it is by formal audit or informal discussion," said former manager of security and fire protection for Ford Motor Company Radford Jones, who is now a security faculty member at Michigan State University. "You have to look at the vision and strategies of your company and if the same elements are not aligned with the stated goals within your own department you will not be successful. It is that simple."
For many of the CSOs in the room, getting every player in the organization on the same page when it comes to assessing risk and the strategies that follow from it throughout the enterprise is proving difficult. They contend that technology is being implemented without consultation and – worse – without long-range goals.
One CSO in the manufacturing sector said that the wireless networks going in at his company are inconsistent and not properly designed for the stated applications. "New projects are initiated without using the standards that had been set on previous jobs. Unfortunately many on the manufacturing side feel you have to do what you have to do just to get the job done," he said. "Oftentimes the job is done without realizing what the eventual security system consequences are going to be.
"There is a distinct lack of security awareness in a manufacturing environment," he continued. "The bread and butter of the company is the production line. They have their own budget and approach to business. The main objective is to save money. The P&L-level manager just does not see the big picture when it comes to risk."
One top CSO stressed the importance of being involved in risk management discussions at an early stage in the planning and at a high level. He added that ensuring alignment among all C-level executives in the organization is crucial not only to security but to the business mission as well. "I may be sitting at the table, but if the only other person I am talking to is the CISO and not the CEO or the director of product development or the CFO, then we are looking at a major disconnect in not only our security goals but our business goals," he said. "As a security professional, it is my job to take that risk assessment perspective to the C-level personnel. I should be taking them the 10 reasons they shouldn't be sleeping at night, and hopefully the answers as well."
This CSO added that in an ideal world there would be a straight dotted line between security directors and the executive suite. But he realizes that in most companies that is not the case.
"If you want to do right by your company and fully disclose risk, you have to have the ear of your CFO," said the CSO, who asked to remain anonymous. "We sold the idea of letting the security directors participate in the quarterly business leadership meetings. It is a great opportunity for us to bring issues to the table and help management keep their eye on the ball."
This disenfranchisement is not confined to the physical security side of the house. At one of the big three US automakers, the CISO had concerns that mirrored those of his CSO counterparts. "You would think that our company would have great business alignment strategies when it comes to risk. But within the past six months it has become obvious to me and the CSO that our organization really doesn't view IT security as a value-add, as much as they do physical [security]," he said. "They figure they have their firewall and that is plenty. As a security team, we feel it is our fault that the risk message is not getting out. We need to be the ones who are proactive."
That point was brought home by another CISO from a top insurance carrier who said IT needs to sell itself and its risk initiatives to management.
"It is our fault that we have not taken the time to put the metrics in place to prove our points," said the insurance company's CISO. "We have business continuity doing their thing, physical security handling emergency preparedness and data management running risk mitigation. Everyone owns a piece of the risk pie. Unfortunately, like many major companies, there is no coordination or accountability," he concluded. "Ultimately the security of the organization is our responsibility. But right now there is too much ownership without clarity of function."
Learn with your peers
There are three SecureWorld Expo conferences remaining in 2006. The remaining venues are Seattle (Oct. 10-11), San Francisco (Nov. 1-2) and Dallas (Dec. 5-6). For more information on these events, go to the Securityinfowatch.com events page.