A New Vision for Enterprise Security Convergence

Oct. 27, 2008
The Unification of Security, IT and Enterprise Risk Management Drives the Process

The term “cyberspace” was coined by science fiction writer William Gibson in his 1984 novel Neuromancer, which depicted the world soon to be forged by the Internet as a “Wild West” of lawlessness, chaos and crime. In a 1994 interview, Gibson joked that cyberspace is “where the bank keeps your money.” For security professionals in 2007, cyberspace is perhaps best defined as the place where companies now keep their most valuable assets and where security skills and services are in need as never before.

The implications of the new definition of cyberspace are profound and far-reaching. Today's modern corporation has no real physical boundaries. Sure, the brick-and-mortar facilities still exist, but the most valuable business assets are no longer confined within a physical space or in a locked filing cabinet. Companies now inhabit a virtual universe that banishes space, time and all conventional notions of what is secure and what is at risk.

Hardly a day goes by without new reports of just how vulnerable these boundary-free companies are. Millions of credit records are hacked from a major department store, which waits more than a year to report the loss. Government laptops loaded with confidential IRS and Veterans information are reported missing or stolen, with blame assigned to lax or absent procedures. Global networks of cyberthieves electronically establish new identities and fraudulently make millions of dollars of purchases. The term “identity theft” is on everyone's lips. Millions of people hold their breath while scanning their latest credit card statements looking for fraudulent charges.

If there is a silver lining to the current escalating spiral of cyber-crime, it is that things are reaching a crisis point that will force constructive changes. Companies and government agencies are bracing for lawsuits and class-action claims due to their inability to protect and keep confidential customer information. Customers are refusing to shop at companies that report loss and/or theft of confidential customer information.

Corporations are beginning to respond to the growing menace of cybercrime with a new comprehensive approach. Enterprise Risk Management is an emerging discipline that has grown out of the world of financial management. It approaches risk management from a holistic perspective – one that can potentially integrate traditional security with information technology (IT) departments and, more importantly, elevate the process to the highest levels of company management where the concept of traditional risk management is well-established and respected.

Badges, Bytes and Beans – A Trinity of Convergence

While the convergence of security and IT has been underway for some time, new developments are both accelerating the process and elevating it to the senior-management level. This is a tremendously positive development for security professionals and for the emerging role of Chief Security Officer (CSO). The three groups engaged in this emerging discipline of comprehensive, enterprise-wide risk management are not strangers. In many respects they are former adversaries, operating in different spheres of their corporate environments with somewhat competing agendas.

One of the challenges facing today's security professionals is to learn the language of bytes and beans and understand how those disciplines interconnect with their own. With that comprehensive perspective, security professionals at all levels can effectively leverage their roles and assume a key role in enterprise risk management.

The Badges: Locked and Secure

Traditionally, security professionals focused on locking things down, restricting access to valuable assets and keeping things secure. Drawn from the ranks of the military and law enforcement, they viewed their role as one of protecting people, facilities, operations and corporate assets. They have traditionally reported to administrative, facilities or human resources departments, and their role was highly structured and limited in scope. Physical access control, keeping facilities secure and the occasional investigation of corporate misconduct defined the scope of their role.

The Bytes: Open Unfettered Access

IT professionals had a focus that was, in many respects, diametrically opposed to that of security professionals, particularly as global networks and the Internet became the mandatory avenues for corporate growth and profitability. In the early and middle phases of the computerization of business, IT's top priority was making various elements of technology work together within the relatively secure confines of a company. As technology advanced and became more interconnected, integrating and extending technology became a priority, one that sometimes sacrificed security in favor of openness. The arrival of the Internet took that priority to new heights, and IT was charged with connecting companies together in global networks. Most recently, a proliferation of new computing devices, such as PDAs, BlackBerrys, cell phones and other mobile equipment, has added new connectivity and accessibility requirements.

The Beans: Cost Justification

In the old world, corporate finance diligently peered down from on high and kept a lid on spending. Finance professionals, drawn from various areas within corporate finance, typically reported to a chief financial officer and worked to achieve financial efficiency and prevent losses. The quantitative rigor they impose on operations is well known to security professionals who have experienced the frustration of attempting to quantify the hard-dollar value of an intangible – the absence of loss through effective security.

Admittedly, all three entities had a common mission – the well-being of the company. But their agendas frequently came into opposition.

Those historic antagonisms and conflicting agendas are dissolving today as security, IT and financial risk managers come together in the face of a common threat that transcends each of their functional areas – the virtual enterprise under attack. This environment of unprecedented risk creates tremendous opportunities for security professionals to significantly elevate their corporate standing and influence. Companies recognize that the threats they face are real and growing. They perceive that their vulnerabilities are becoming liabilities that will jeopardize the company's ability to compete, and with it revenue growth and profitability.

The Pandora Paradox

While the Pandora's Box of ancient mythology unleashed evil into the world, the modern technology version has provided tremendous good along with its evils. No company today can unplug from the Internet, shut down its global networks and isolate itself from the dangers the technology creates. Those networks, both internal and external, have become the central nervous system of global commerce and a crucial factor in the success of economies all over the world.

This modern paradox has profound implications for the three disciplines forging the convergence of security and IT. In complex and interconnected ways, the problems are also the solutions and vice versa. Companies creating robust computer networks – linking their suppliers, business partners and, in some cases, customers – are able to compete more effectively and efficiently than those who do not. At the same time, they create tremendous risks in those sprawling, always-available systems.

Under the merciless pressure of global competition, companies are applying technology to create the efficiencies they need to survive. Outsourcing such operational areas as manufacturing and customer support to low-cost regions of the world creates huge demand for highly sophisticated computer networks capable of transmitting vast amounts of information instantly.

These new forms of corporate structure come with enormous risk. Maintaining an extended enterprise demands careful due diligence of business partners, suppliers and other entities relied on for operations. Today, these external organizations are more closely tied to companies than ever before. Outsourced manufacturing, for example, necessitates that product strategies, plans and other highly competitive and confidential information be shared. While most business partners are honest, there are cases where contract manufacturers producing products for a company also make cheaper knock-off versions of those same products for the counterfeit market. Even more insidious are unscrupulous distributors who divert products into unauthorized sales channels, damaging the integrity of overall sales distribution.

Expanding Opportunities Create Expanding Risks

Global geo-political changes are also opening new markets for economic development in some of the most high-risk regions of the world, including Eastern Europe, the Middle East, Latin America and Africa. Companies are compelled to enter these dangerous markets early to take advantage of the burgeoning opportunities and establish themselves as leaders. Securing operations in those areas is a daunting task hampered by immature infrastructure, social and political unrest and organized criminal activity.

In many industries, joint ventures with competitors impose additional risks. Companies compete in some markets while partnering in others. Only sophisticated and well-coordinated security processes and procedures developed in close cooperation with IT experts can effectively protect companies in such risk-laden endeavors.

Another recent development is adding to the threat equation. Employees today expect, and are expected, to stay in contact with their companies almost constantly. Workers log into corporate networks from home computers, cell phones and other mobile devices. The levels of security in place for these new communications channels are far from adequate. Stolen and/or lost laptops contain volumes of sensitive and confidential data. Only now that the problem is affecting the general public are efforts underway to determine its scope and begin to defend against it.

Against this backdrop of spiraling risk, cyber criminals are constantly upping the ante and devising new and more insidious methods of breaching even the most robust corporate security systems. Corporate networks are under constant siege from viruses, worms, spam attacks and spyware. It is the arms race of the 21st century – and the bad guys are proving to be extraordinarily adept at keeping several steps ahead of the law.

A New Tool From An Unlikely Source

Government oversight and regulation is usually anathema in the world of business. Unfettered free-market growth and competition are seen as the most tested and reliable path to economic growth, profitability and societal prosperity. Responding to highly publicized instances of corporate wrongdoing like those of Enron, Global Crossing and others, government regulators are imposing stiff new regulatory compliance laws aimed at curbing such crimes and making companies more accountable for protecting the interests of shareholders, investors and the general public. New regulations like Sarbanes-Oxley, GLBA, HIPAA and the Patriot Act demand that companies not only institute effective controls over their financial and operational systems but also document the effectiveness of those controls on a continual basis.

As the initial wave of protest over the financial and administrative costs of the new regulations subsided, some companies began to perceive some unexpected benefits from the new rules. Careful scrutiny of financial and operational audits often exposes potential weaknesses and vulnerabilities that can be corrected. Forward-looking companies recognized the competitive advantage from applying risk management techniques to all that new information. It is precisely that approach that many anticipate will ultimately address the growing threat of unsecured information systems and data theft.

Indeed, the prism of regulation compliance combined with the convergence of traditional security, IT and financial risk management gives new and powerful focus to the conventional tactics companies use to institute and maintain effective enterprise-wide security. The essential mission of protecting key assets and capabilities, detecting attacks and malicious actions, responding to those threats with rapid notification and reaction, and recovering from them with disaster recovery and business continuity planning can now be greatly enhanced by regulatory compliance.

CSOs in today's corporation can use this new focus on risk management to break down the “silos of independence” that stand in the way of a holistic approach to enterprise security. Implementing a “Risk Council” across the disciplines can be an effective tool. The gradual convergence of security, IT and corporate operational management has made some progress in fostering cooperation and a degree of collaboration, but today the prospect of a unified organizational approach is within reach.

The implications of these developments are powerful. Using the output of network monitoring systems, for example, security can anticipate breaches rather than merely respond to them after the fact. Unusual patterns of network access – a user moving far more data than usual, logging in from a machine never seen before, or working at hours that do not fit the established pattern – can signal potential data theft, misappropriation of computing resources or other illegal behavior. Working in a seamless, iterative process, security and IT can continuously strengthen data security and the policies and procedures governing those activities. Similarly, financial audits and reports can serve as early-warning systems for security issues.

Back to School

As always, the ultimate success of these new capabilities for achieving strong and comprehensive enterprise security rests with people and the quality of the interactions between them. For security professionals, this means expanding on the traditional skill sets and training objectives. To be successful, they must become capable program/project managers grounded in multiple protection disciplines. They must develop strong business acumen and be diplomatic and adaptable in framing issues within the context of enterprise risk management. Perhaps most importantly, they must embrace an ethic of life-long learning and more rigorously undertake professional training and active involvement in professional organizations both within and beyond the security profession.

Ray O'Hara, CPP, is Senior Vice President of Vance, a Garda Company and a leading provider of consulting, investigation and security services. He has served as the elected Secretary of the ASIS (American Society for Industrial Security) International Board of Directors. He also has served as president of ASIS' Professional Certification Board, chair of the International Investigations Council and a member of the Substance Abuse Standing Committee. Mr. O'Hara is board-certified in security management by ASIS International.