The CSO/CISO Relationship: Pick Up the Phone

Oct. 27, 2008
Closing the security gaps in your organization could be as simple as initiating a conversation.

Editor’s Note: In our September issue William Plante and Jim Craft wrote about the challenges facing CSOs and CISOs trying to work together to improve security (“The CSO/CISO Relationship,” p.44). This month, we talked with Mr. Plante and Mr. Craft to find out what security professionals can do to surmount those obstacles.

William Plante is senior director of corporate security and brand protection for Symantec Corp.

Jim Craft is a director in a global business consulting and support firm.

ST&D: Much of the argument for interdependency and unified security leadership rests on the convergence of physical and logical security technologies. Do you see convergence playing a part in security across the spectrum, or is this just an issue now for large enterprise companies?

JC: I think it’s an issue for every enterprise regardless of the size for a number of reasons. One is globalization. Even small firms are potentially players in the global market. There are no isolated companies anymore, or there won’t be. Number two, we’re in an age of terrorism, and all the ramifications affect people throughout all nations regardless of company size. And the third thing is, the technologies themselves are converging, whether the little companies want them to converge or not.

WP: I think that logically you first look at the global companies with worldwide security operations where they want to begin to unify their systems because the scale of economy on the first blush makes sense. But as you begin to move down to the mid-range levels, where you might say there’s not such a compelling need to do that, for a security director to then use that as an opportunity to ignore convergence issues is very short sighted.

Because as Jim said, we all understand globalization—companies are merging. We just went through that experience ourselves. We were bringing two enterprise-class systems together. So we had a confounded problem on top of just converging with an IT system. So I would strongly urge any security director, regardless of where in the spectrum he fits, to absolutely be aware of the issue and the trends and technology, because if it doesn’t happen to you today, it might happen to you tomorrow. You should always be prepared for it.

JC: And let me add, as we said in our initial discussion, it’s not just threats and risks and dangers. There are some incredible opportunities that this brings in terms of added capabilities and cost savings that small firms desperately need.

Additionally I would say that if you look at what systems are available—networked cameras, networked alarm systems and stuff like that—it’s just a matter of time. In a few years the older-style systems probably aren’t going to be available.

ST&D: What do you mean by a few years?

JC: Five to 10.

WP: Five to 10 is the horizon, especially with open systems and open technology. It will completely change the character of these converged systems.

ST&D: In your September article you discuss both the possibility of physical security and IT working together in enterprise risk management (ERM), and the possibility of a pan-disciplinary position being created above them both. Do you think one of these options is better, or should they coexist?

WP: I think first of all, if you do not have a pan-disciplinary position overseeing both functions, you would want to see an ERM program developed. But even if you did have a pan-disciplinary position, the ERM model still makes a lot of sense. So not only could they coexist—because ERM is much more than the convergence of physical and IT security, it talks in the broadest sense about the risk to the enterprise—I see that as being out there on the horizon. Both will probably happen.

JC: I agree with that. There’s a principle in the military they call unity of command. In management theory it’s basically having clear, established leadership on any discipline. You can argue that the CEO’s the ultimate authority in an organization; however, they’re not going to get into the details and understand the technology to the degree necessary. I think that the best course is generally to have a person, perhaps working with a consensus-based council if necessary, but a person who’s responsible and has the authority that’s equal to the responsibility. However, that being the ultimate “Gee we wish it could be like that,” the politics of organizations are such that a lot of times it has to be basically a collaboration between two peers, and in that case the success is based on their discipline, their culture, their personalities.

ST&D: Have you seen the pan-disciplinary position being created at an increasing number of companies?

WP: I think you’re seeing more pan-disciplinary CSOs come up, but it’s experimental still. For instance, I believe Howard Schmidt at eBay has got both responsibilities, and it’s a relatively new phenomenon or situation for him, and he talks about a) what it took, and b) what the results have been. I don’t think in the end it will be the dominant model. I think it will be a model that’s adaptive to the culture of the organization and the individuals themselves. But I certainly do think the collaborative task force or enterprise risk management is going to become prominent in organizations, especially global organizations. And from that you might see adapting a pan-disciplinary task-force style approach rather than having one choke-the-throat pan-disciplinary CSO.

JC: From the IT point of view, a lot of organizations are just getting to the point where there’s unification just in terms of IT security. In many places that role has not been clearly established or was scattered among different functions within an organization. In the federal government through FISMA, they actually established the role of the CISO for the first time as a requirement. So I think there’s still a lot of experimenting going on, but at least on the IT side things are starting to go more for that unity of command—that somebody will be responsible who has sufficient training and background to do the job. I think it’s another leap till we get to the point where physical and IT security will go in that direction. And I think unfortunately it might take some disaster that more clearly shows the need than we’ve had in the past to make that happen.

WP: If a CISO and CSO are simply not working well together and the organization needs a unified command structure, then they will force it or they’ll find somebody with the requisite background. But if the two guys aren’t working together well to start with, you could force the position, because somebody’s got to make this work. And I’ve heard of that happening.

ST&D: In your September article you detail the strengths, weaknesses, opportunities and threats for corporate security directors and IT directors. The weaknesses for both include communication problems. What specific steps can physical security take to better communicate and work with IT?

WP: First of all there’s the educational component. In order for me to speak to my IT security VP, I had to learn his language. I went to CISSP boot camp. I had charts on the wall, just so I could have basic common dialogue with the fellow. And when I speak to him about some of the technology we use, some of it is unique and specialized and he’d scratch his head, but other stuff he’s beginning to understand in the context of IT security. So I frame what I talk about in his context. It’s probably easier for me to come to him and present than the other way around, but that can vary from individual to individual.

Secondly it’s very easy to begin to find common issues. A lot of dialogue happens when you say, I have the same issue you’ve got, and if we work collaboratively these things just get solved easier because now you’re leveraging the fact that two or maybe three functions are affected by a threat that needs to be mitigated. Not just an IT problem or a physical security problem—it’s a combined problem now, and it has more power behind it in terms that need to be resolved.

ST&D: What steps can IT take to better communicate with physical security?

JC: I would say that the first step would be something that forces the IT director to understand the importance of physical security. In the IT realm there’s often a bias against physical security. It’s referred to as “guns, gates and guards,” or some variation of that theme. And what an IT director has to realize for the security of his own systems is that anybody who touches his machines can own the machines. That’s sometimes an eye-opening revelation to them.

The second step is seeing the physical security manager as a valued customer. And if you can spark that revelation in the IT realm, then a lot of time the communication improves.

The third step is actually getting out there and looking at the techniques and mechanisms that physical security uses, trying to understand their business, just like IT should try to understand the business of any of its customers.

ST&D: On the IT side in particular, you seem to identify communication weaknesses as inherent “techie” personality traits. In that case, how can such weaknesses be overcome in a business environment?

JC: I have in my hand Newton’s Telecom Dictionary. The cover says it has over 21,000 terms. This is a portion of the domain-specific language that IT people speak. I struggle to keep up with the language of IT, and if it consumes too much of my time it makes it so I would have difficulty talking plain English to people. When I’m looking at trying to understand the difference between a distribution channel, distribution duct, distribution frame, distribution frequency and distribution group, it doesn’t lend itself to good business communications.

If organizations want their IT people to be able to communicate well, they need to have them customer focused—put customer focus into their culture—and they need to ensure that their professional training includes the soft skills, the writing and speech communication, so that they can present themselves well. And given that an IT professional feels that he’s valued by being current with the latest software or programming language, application or hardware, that will be something they won’t tend to want to do. So if the organization wants to work well with customers, they’re going to have to force that focus into the IT culture.

WP: From the corporate security side, we’ve been in a better position with the soft skills. Not that we don’t have technical language, but for quite a long time now there’s been an evolution toward better business acumen in corporate security directors than existed say 10 or 15 years ago. More often we’re getting invited into the boardroom to present to higher levels of executives than perhaps we ever did. So you’re seeing more VPs, more senior directors. And from my perspective that’s a very good thing because we have more credibility as time goes on.

ST&D: In the first example in your article you implicate the company VP and president in the hypothetical security breach. What should the upper management be doing organization-wide to prevent disciplinary silos, and to keep security accountable?

WP: If I’m a CEO I want to stop for five minutes and say, does my security in the IT and physical world talk? Do I know they have some kind of program that will fill these gaps? All you have to do is put these two guys together in a boardroom in front of the CEO and ask, “Where are our program gaps?” Both these guys know. If they weren’t talking before, they’ll be talking after. It’s really not any more difficult than that. Depending on the organization, a serious breach of security that results in a major lapse is not a position the CSO or the CEO wants to be in.

JC: One thing I’ll add is that a lot of times organizations don’t address this issue until they have a very bad, painful experience. Organizations need to learn that they need to use 1) a good vulnerability assessment technique on a regular basis, and 2) penetration testing, which may be part of the vulnerability assessment or may be a separate issue. The vulnerability assessment, if you’ve got a good framework, is useful in identifying gaps. The penetration testing generally isn’t as comprehensive as a vulnerability assessment but it usually gives ammo that is emotionally charged enough to open the eyes of senior management.

ST&D: What’s the most important thing for security professionals to understand about starting up a relationship with their physical or IT security counterpart?

JC: I would say the necessity for just doing it. Talk is cheap, and this isn’t something that can wait for next month or next quarter. It’s really something that might be as simple as one party or the other picking up the telephone and inviting somebody out to lunch and starting the dialogue. And I guess demonstrating the type of behavior that will build bonds of trust. If you can do that at an honest level, all the rest of it can work itself out. Have a very clear initial vision with a couple swift victories that will achieve a measurable result, instead of some big grandiose plan, but have a vision of what you really want and a couple of concrete steps that everybody will see the benefits of.

WP: Everybody likes to be part of a successful team. Get two security guys who’ve done a few obviously successful things, and you get some recognition, you get support, but also you get people who want to join that group, and it becomes a status thing.

Do you have questions or stories to share about your own experience trying to work with your IT or physical security counterpart? We'd love to hear from you. E-mail