The CSO/CISO Relationship

Oct. 27, 2008
The shifting dynamic between IT and physical security divisions makes their interdependence a sometimes sticky subject.

Editor's Note: This is the first half of William Plante and James Craft's examination of the CSO/CISO relationship. Check out our October issue for the follow-up.

The vice president for an advanced research lab business unit walks out of one of the company's facilities, a multi-tenanted office structure in a downtown location. He is leaving for a lunch appointment. He opens the door to his car and swings his coat into the backseat. As he does this, his photo ID access badge slips out of his coat pocket and hits the ground. Unaware of the loss, he shuts the door and drives off.

A college student passing through the parking lot sees the photo ID a few minutes later. He picks up the badge and notices the familiar name and logo of the company. He is struck by a novel idea. How far into the facility can he get? He walks into the office area, past the receptionist and into the elevator as other people leave for lunch. He uses the card to activate a floor call button, getting off at the seventh floor. He walks to the next door, uses the card to enter a passageway and begins to wander in the office area.

Since there are not many people there, he takes his time, grabbing a slice of pizza from a box on a work table and deciphering figures and yellow post-it notes on whiteboards. He eventually finds himself outside a lab marked AUTHORIZED PERSONNEL ONLY. He tries the card reader and hears the click of the lock disengaging. Entering the lab, he sees banks of servers, a few laptop computers and more notations on white boards. Again inspired, our intruder takes out his camera phone and snaps a few shots of the room, including himself in one of the photos. For one-upmanship purposes, he sends the photos and the name of the company to a fellow student, a university Webmaster and widely read blogger.

Our interloper leaves the building a short while later, dropping the company badge into a visitor badge drop-box as his friend is posting the photos to the Internet blog. Highly sensitive proprietary information is now available for all who surf the Web. Who owns this problem? The corporate security director? The chief information security officer? The vice president of advanced research? The company's president?
Answer: All of them.

The New Enterprise Security
Not long ago, security-related responsibilities were more clearly defined and cleanly separated than they are now. The company president expected security to work and may not have thought much more about it; the business unit managers would wrestle with either the corporate security director or the IT security director, depending on the situation; and each security manager knew the scope of his or her role. Corporate security concerned itself with the physical world, and IT security concerned itself with the logical. The directors of these two departments may have met, but mutual issue identification and strategy development? Probably not. Forward-looking risk mitigation and operational planning? Nope. These two disciplines were competitors for the company's limited internal resources, not collaborators in building an integrated security posture.

That older view of separated physical and logical security is changing in leading enterprises, and it is not hard to see where the corporate security and IT security worlds will fuse together in most organizations.

In the United States, legislative initiatives, most notably Sarbanes-Oxley (SOX) and the Health Information Portability and Accountability Act (HIPAA), are awakening CEOs to the enterprise security risks their corporations face. While enterprise security is not specifically mentioned in SOX, many SOX auditors are conservatively interpreting this legislation to include physical and logical security as factors to be identified and addressed. Other legislation, such as HIPAA, has specific security mandates.

In response, CEOs now often ask IT and corporate security managers to work with other risk managers, or indeed, to lead an enterprise risk management program. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an independent group that develops recommendations for eliminating the factors that lead to fraudulent financial reporting, advocates an integrated framework for enterprise risk management (ERM). COSO's publication "ERM-Integrated Framework" avers that CEOs ultimately own and must assume leadership for enterprise risk management. While it does not specifically mention physical and IT security matters, it comprehensively addresses internal control issues that include both disciplines.

Another factor in the evolution of the old view is the convergence of physical and IT security systems and programs toward one management point. More often, enterprise-scale physical security systems are riding the LAN infrastructure to provide event notification and support cardholder data management. Consequently, corporations the world over have seen the establishment of a chief security officer or chief information security officer with pan-disciplinary responsibilities.

Bringing two such distinct disciplines together is not easy. The personality types of corporate and IT security directors can be very different, simply by dint of the roles they're hired to fill. And even though skills and competencies for both disciplines are evolving, the technical expertise required by each security discipline is still quite unique. Working with a security counterpart now requires a certain degree of mutual understanding and appreciation of the other's expertise.

A security failure cannot be seen as a single manager's problem or responsibility anymore. The failure of one security element is a failure of the entire program, or, as is often said in cyber-security, the risk accepted by one is the risk inflicted on all.

Corporate Security Directors
Strengths. Corporate security is mature within its core functionality. Operational security, personnel security, investigations and crisis management are all areas that business leaders expect corporate security managers to have down pat. Moreover, many corporate security managers are attaining related skills, including business and leadership training. For example, the 2004 ASIS International U.S. Security Salary Survey indicates a greater percentage of security managers-some 63%-now hold undergraduate and graduate-level education. Many corporate security managers are also reading up on technology. Because of the introduction of physical security systems to the WAN/LAN architecture, corporate security managers must understand the concepts and technology behind open systems, IP cameras, LAN latency, data redundancy and data encryption.

Weaknesses. Corporate security programs often compete with business projects for funding, and corporate security managers must pit their usually non-ROI-generating projects against others with well-documented ROI. Some security budgets have increased, such as those in the critical infrastructure sectors, but others have not. Accepting corporate risks and funding security programs to address them is like buying insurance, and the CFO may determine that the risk level doesn't warrant the expense.

The increasing sophistication of physical security technology and the application of IT security to physical security systems is also proving to be a challenge for some corporate security directors. As noted above, many directors are getting educated about IT issues and technology, but many of them are not. Without some education in IT security principles and applications, corporate security directors can be left wondering what an IT security director is talking about. Corporate security directors must become familiar with basic IT security theory and application to remain current in a quickly changing discipline.

Opportunities. More corporate security directors are branching out into non-traditional roles. For example, security managers are now often on the front lines of a corporate crisis. More and more, they are taking business continuity and crisis management into their departments. This can fit very well with the IT disaster recovery roles that many IT security directors have. In reality, collaboration between the disciplines provides the best chance of success for business continuity and disaster recovery.

Another recent trend is the adoption of anti-counterfeiting and anti-piracy functions by corporate security. Counterfeiting of U.S. goods is an increasing threat to both U.S. companies specifically and the world economy. Corporate security managers know how to gather intelligence, develop law enforcement contacts, run down leads, obtain criminal evidence and assist with criminal prosecution-they were made to deal with this type of criminal activity. Any security manager in a corporation that produces a desirable commodity should be assessing the counterfeit threat and preparing programs in collaboration with the legal department.

Also, corporate security managers should be assuming a leadership role in enterprise risk management. The basic principles of risk management (e.g., risk transference, avoidance, mitigation, and acceptance) are foundational to ERM and should be well known to a mature corporate security manager. ERM is a cross-functional, multi-disciplinary approach that is best implemented using a working task group of all risk owners, including corporate security, IT security, treasury/insurance, legal, public relations and business continuity. ERM is relatively new but should emerge as a favorite mechanism for refocusing the company on corporate risk matters.

Threats. Some corporate security managers see the establishment of a chief security officer as a threat to an established hierarchy, especially if the physical security program is re-delegated to report to a CISO cum CSO. The concern is often based on the idea that the physical security program will take a back seat to IT security and will consequently suffer from a resource shift. This could happen, but only if the organization is short-sighted or lacks strong corporate security leadership. The company would be ill served indeed, as our opening example shows, if all the significant security resources are dedicated to logical data protection and then the front door is left open.

Another threat area is the development of security standards and/or guidelines by traditionally non-security entities. Physical security practitioners understand how to identify and mitigate physical risks. However, physical security risks are coming under scrutiny by a growing number of entities (SOX compliance/audit programs and insurance standard-setting entities, to name two). The issue for physical security managers is the stipulation of security requirements by entities that do not have the requisite background or constituency support to make such issuances. However, without careful consideration or process control, corporate security mangers may find themselves in the uncomfortable position of defending or refuting what may come to be perceived as an expert opinion.

IT Directors
The IT director's world can actually be two or more worlds depending on the organization. There is generally an IT director who has operational responsibility for the IT infrastructure and core business systems of the organization. Sometimes there's also a CIO who has the IT policy and perhaps investment responsibilities, but who may not have direct supervisory oversight for the IT director. And often there's a separate cyber-security manager (occasionally titled CISO). The variations from organization to organization are complex and often ambiguous. For the sake of this discussion, all of these variations are gathered together under the generic title of IT director. Strengths. For the last 30 years, information technology has been booming. The amount of digital information has increased exponentially, and while "information glut" continues to overwhelm us, information handling tools and processes have given great power to this accumulation of knowledge.

The IT director and her or his organization are at the center of the maelstrom. In fact, they may find that they understand the workings of the entire organization better than anyone else. Additionally, they have more and more to offer the organizations they serve. The power and features of new applications continually offer organizations opportunities to expand capabilities and market share while cutting costs. So as security has become a hot issue, for instance, the IT director has the strength of an improving base of security discipline and tools.

Last, the IT field attracts very smart and dedicated folks. A field like IT that is devoted to knowledge attracts those who enjoy intellectual pursuits.

Weaknesses. These smart and passionate people are often weak in basic people skills. Prone to complex technical jargon and acronyms, many IT professionals resist clear, understandable communications.

Because many IT professionals work with rapidly changing online displays, lack of detailed documentation is common. In the view of many IT professionals, the online system is the documentation. This is also sometimes a form of job security in a volatile and competitive field. If you're the only one who knows how to keep the system going, your job isn't likely to be at risk.

As intellectuals that love technology, the IT staff may jump to technical solutions before understanding the problem and inherently miss simple, non-technical solutions. Why change a paragraph in a policy when you can design an application or upgrade your server instead?

Given that the IT field values intellectual give and take, IT professionals are sometimes hostile to restrictions or use of authority, which may create conflict. Another cultural difference is that while the corporate security culture tends to create stability, the IT culture has adapted to continual change.

Finally, the IT director faces a weakness found in the industry generally. Because of past successes in increasing capabilities and reducing costs, IT is increasingly cut to the bone as a "commodity." Continual staff shrinkage often robs IT of the capacity to exploit new opportunities, such as the opportunity to reshape its relationship with corporate security.

Opportunities. The opportunities available to the IT director are many. Maturing technology provides an increasing array of capabilities and cost savings that allow the IT director to come to the table with something to offer. Some terms associated with these opportunities are "Netcentricity" or "Net-centric Operations."

In the case of corporate security, many traditional security devices, such as cameras, locks, alarms and sensors, are now digital and network capable. They produce information and respond to commands that facilitate either central or tailored, distributed control and analysis. Partnering with corporate security, the IT organization can increase the security posture of an enterprise and often lower cost.

The drive for more security by the IT organization creates an opportunity for partnership with corporate security. An IT security culture is rapidly spreading into the mainstream of IT organizations, as evidenced by the rapid increase in certifications such as CISSP. As a security culture becomes part of the IT culture, the ability of the IT organization to understand and appreciate the corporate security organization increases. For example, physical security is one of the 10 domains of the CISSP Common Body of Knowledge.

Threats. The success of IT in bringing new opportunities and capabilities to the table has created massive enterprise dependence and exposure, both internal and external. Malicious and talented groups are able to infiltrate most organizations via the Internet. Faced with often unreasonable enterprise demand to open the infrastructure for collaboration and to bring in new customers and partners, the IT director must deal with difficult security issues complicated by increasing cost risks. If the IT director invests in security, he or she may find that the IT functions will be outsourced or off-shored to an organization that has not so invested.

Both the corporate security director and the IT director face stiff challenges and a need for increased effectiveness. The nature of these challenges and the opportunities the changing world presents point to interdependence between corporate security and IT. Our next installment will present some thoughts on making that interdependence happen to the benefit of both the corporate security and IT directors.

William Plante is senior director of corporate security and brand protection for Symantec Corp. James Craft is a director in a global business consulting and support firm.