Converged Security: Can Ex-Cops, Propeller Heads, and Bean Counters Make Nice?
The emergence of the "chief information security officer," or CISO, is clear evidence that higher education has begun to slowly but surely recognize the importance of information security. (See The Rise of the CISO, April 2007 Campus Technology Magazine.) But recent trends in the corporate sector suggest that just appointing a CISO may not be enough!
I had an opportunity this spring at the Security 2007 Professionals Conference (www.educause.edu/sec07) to hear Ira Winkler, author of Spies Among Us, talk about his experiences testing corporate security. One of his case studies described how he and a colleague were hired by an American company to "steal" the plans for a nuclear reactor that the company was developing. Using a business card stolen from a nearby restaurant he was able to enter the company's facility and with a healthy dose of chutzpah obtain a corporate security badge and access to the company's computers, which they then hacked to obtain the nuclear reactor plans. (They also found unauthorized access into the company's servers by a foreign nation.)
The most sophisticated information security technology and procedures can't protect the information if the thief has physical access to the server room. (See It's Not All About Hackers, September 2005 Campus Technology Magazine.) Physical security is just as essential as the information security we techies are familiar with. And a growing number of businesses, such as the Web conferencing firm WebEx, are merging the management of physical and IT security into a single unit. The corporate trend appears to be a more holistic approach to security.
Even the titles for security professionals, which had been a confusing plethora, have begun to coalesce into commonly accepted definitions. The title Chief Security Officer, or CSO, was first used within IT to identify the person responsible for information security. Now the trend is to use the more specific title of Chief Information Security Officer (CISO) for that person and reserve the CSO title for an executive-level position with responsibility for both physical and information security.
Security Convergence
From a broader corporate perspective, security goes beyond information security, which focuses on availability, integrity, and confidentiality of information and systems. It includes physical security, which is much more than simply controlling access to facilities and includes ensuring the safety of employees, facilities, and assets. Finally, it also includes financial, legal, and compliance security. As Bill Boni, vice president and CISO at Motorola, puts it, it involves badges, bytes, and beans.
Traditionally, these functions have been separate silos, and those responsible for each approach security from a different perspective and bring different skills and abilities to address the problem of "security."
The head of physical security is typically drawn from law enforcement or the military and reports to the facilities or business side of the house. Authority and a well-defined command and control structure are highly valued.
The head of information security is usually a technologist and typically reports to the CIO. Creativity and technological innovations are valued attributes.
Finally, the head of financial security usually has a financial or auditing background and reports to the CFO. Quantitative financial rigor is a core value.
While each of those perspectives is essential for an enterprise, they evolved independently, each having a specific mission. Since 9/11, however, there has been a growing trend in the corporate sector to more closely integrate or even merge the oversight of information security, physical security, and fiscal security. This trend may be relevant to higher education.
In fact, Ben Palma, former PepsiCo CISO and member of the team that moved the company to an integrated security architecture, has suggested that one reason security has not received more attention from senior management is that the various groups involved in security have not presented a unified and consistent story.
What do companies that have a converged security architecture cite as the advantages? Improved information sharing and coordination between security units provides the organization with more robust and coherent security. A converged architecture provides senior management with a single comprehensive overview of corporate security. If the effort is led by a CSO, it also provides senior management with a single point of contact. Finally, a comprehensive security architecture is easier to align with the institution's goals and objectives.
Given that the corporate sector is much further along in converging badges, bytes, and beans, what can we learn from their experience?
To be successful, any convergence initiative must have support from senior management that views security as a strategic business enabler.
Functional silos are usually well protected. Hostile takeovers or coups seldom work.
Any process or organizational structure must preserve the core functions and capabilities of the physical, information, and financial security units and allow each to do what they are good at.
Convergence does not necessarily mean merging multiple units. It might well be close cooperation, collaboration, and joint planning. It is, however, more than an occasional lunch.
Convergence initiatives are a hard sell if they involve significant additional fiscal expenditures to change, in this case integrate, what you are already doing.
A Cautionary Tale
Discussions, seminars, and conference presentations about combining campus libraries and the information technology unit were the rage in the late 1980s and early 1990s. Now, almost two decades later, it has successfully happened in only a handful of places. The idea was great in theory. Both deal with information. Libraries excel in storing and subsequently finding information. IT organizations excel in manipulating information. What we underestimated was the difficulty and practicality of merging two very different cultures, one young and brash and the other steeped in tradition.
Similarly, ex-cops, propeller heads, and bean counters (as each tends to think of the others) come from very different cultures. There is a huge communications gap. Complicating things further, higher education has a highly decentralized environment of largely autonomous fiefdoms. In such an environment, merging disparate operations such as physical and information security may be impractical.
What can be done?
Interdisciplinary teams focused on specific projects, which reduce the threat to existing fiefdoms, are one possibility. A security oversight committee might be another. A comprehensive and converged security architecture is something higher education should consider.