In Part 1 of this series I talked about the evolution of the CSO role and how security shouldn’t be subservient to all other operations in all cases. Let’s dig a little deeper into why this is so.
I understand why organizations ended up with two separate security groups, one for cyber security and one for physical security. Before the Internet days, the CISO function didn't really exist, and the physical security function was usually relegated to the bottom of the leadership chain. You needed guards and fences and things like that, but those kinds of operations were treated more like commodity items, like power to the building, trash pickup or other maintenance roles. You needed them, but once you established them, they did not materially affect the business even if they failed for a day or two (in most cases). Because of this, Physical Security tended to fall under the Facilities Management group.
We've talked about the Internet of Things, though, and boy, does that change the situation. Everything is interconnected. Just like every other group in the business, the physical security team now runs on a lot of IT security components, from badge systems to IP-enabled surveillance cameras. These groups and their electronic tools could still operate by themselves, but it makes sense for business leadership to task somebody in the company with making sure those tools are compatible with the approved security architecture plan. In my mind, that is the CSO organization.
Just like the idea that there is no such thing as cyber risk to the business, only risk to the business, I don’t think there is a need for separate cyber security and physical security teams. In this day and age, it is all security. Just for ease of management, it makes sense to keep it all under one umbrella. My perfect organization would have a CSO in charge of all security of the company, with the CISO under that person with a dotted line to the CIO. The Physical Security Director would also work for the CSO but by design would have a close working relationship with the CISO.
There has always been a healthy tension between the IT people in an organization and the security people in an organization. The IT folks are concerned about security for sure, but they are often more concerned with keeping the systems running and squeezing as much cost out of any particular project that they can. And that is what they should be doing. Meanwhile, the security people are more focused on business risk, not just for IT projects but for every aspect of the business: HR, Legal, Operations, Finance, Strategy, Marketing, and Sales. Most of these other business functions have an IT-Security component, but cyber risk is not the only risk that leaders have to monitor.
Sometime in the mid-2000s, it became convenient to tuck the security function of an organization under its IT function. In other words, the CISO works for the CIO. This is not a bad idea, per se, and it is an arrangement that works in many organizations. The IT folks generally handle the day-to-day automation functions while the security teams perform more of an oversight role in terms of security architecture, policy, risk assessment and SOC operations. But to me, that kind of organization shows that company leadership does not fully understand the larger problem. We are not talking about only cyber risk to the business. We are talking about risk to the business.
Writing in Forbes back in March, Howard Baldwin complained that he did not like the recent changes he was seeing within organizations that have broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives who can handle competing priorities. But that is not the point, something that was really underscored in the investigation following the Target breach.
In an interview by Jack Rosenberger, Eric Cole, founder and Chief Scientist at Secure Anchor Consulting, speculated on one of the factors that may have contributed to the Target breach:
“It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives.”
Cole is pointing out that, among all of the priorities the Target CIO had to juggle, security lost out. And as Brian Krebs reported in the Guardian in May,
“Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt.”
Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the former CIO and the CEO. Krebs suggests that in hindsight, given the devastating impact on the business, the Target CISO should not have worked for the CIO – it should have been the other way around.
Check back for Part 3 of this series, where we’ll talk about the role of the CSO in relation to the rest of the C-suite.