Aligning Security with the Business Model
CSOs and CISOs at SecureWorld Expo discuss their challenges with getting top-level attention for risk issues
Steve Lasky, Editor-in-Chief, Security Technology & Design magazine
Detroit, MI – If convergence is the buzzword being bandied about by both corporate and IT security professionals today, then "ensuring your department is aligned with the company's business model" is their mantra.
That was the message being preached by upper security management this week to CSO- and CISO-level attendees at Dearborn's Henry Ford Conference Center during the fifth SecureWorld Expo event of the year. This regional conference, which visits eight major cities during the year, is dedicated to educating security end users and systems integrators about the evolving converged security landscape, not only from a technology standpoint but from a management perspective as well.
One of the most compelling discussions in Dearborn occurred in an invitation-only peer-to-peer roundtable co-sponsored by Security Technology & Design magazine and the CSO Executive Council, which featured more than 25 top CSOs and CISOs from the leading corporations in the Detroit area. The roundtable, titled "Aligning Security with the Business Mission", made a bold statement concerning the disconnect between the strategic mission of both physical and IT security and the C-level suites to whom they report. "You have to remember that your department's performance is constantly being measured, whether it is by formal audit or informal discussion," said Radford Jones, former manager of security and fire protection for Ford Motor Company, who is now a security faculty member at Michigan State University. "You have to look at the vision and strategies of your company and if the same elements are not aligned with the stated goals within your own department you will not be successful. It is that simple."
For many of the CSOs in the room, getting every player in the organization on the same page when it comes to assessing risk and its eventual strategies throughout the enterprise is proving difficult. They contend that technology is being implemented without consultation and – worse – without long-range goals.
One CSO in the manufacturing sector said that the wireless networks going in at his company are inconsistent and not properly designed for the stated applications. "New projects are initiated without using the standards that had been set on previous jobs. Unfortunately many on the manufacturing side feel you have to do what you have to do just to get the job done," he said. "Oftentimes the job is done without realizing what the eventual security system consequences are going to be.
"There is a distinct lack of security awareness in a manufacturing environment," he continued. "The bread and butter of the company is the production line. They have their own budget and approach to business. The main objective is to save money. The P&L-level manager just does not see the big picture when it comes to risk."
One top CSO stressed the importance of being involved in risk management discussions at an early stage in the planning and at a high level. He added that ensuring alignment among all C-level executives in the organization is crucial not only to security but to the business mission as well. "I may be sitting at the table, but if the only other person I am talking to is the CISO and not the CEO or the director of product development or the CFO, then we are looking at a major disconnect in not only our security goals but our business goals," he said. "As a security professional, it is my job to take that risk assessment perspective to the C-level personnel. I should be taking them the 10 reasons they shouldn't be sleeping at night, and hopefully the answers as well."