There is a story that circulated soon after September 11 of how the CEO of a large US company summoned his head of corporate security and his head of IT security to discuss the firm's exposure to disaster. The CEO watched agog as the two executives greeted each other for the first time. Worse followed when it became clear that neither security professional had a coherent strategy let alone any semblance of coordination.
Global IT advisory firm Giga Information Group says it heard similar anecdotes again and again from business leaders who were dumbfounded that two internal departments, each charged to manage business risk, knew so little about the other. But if the management gurus are correct - and if present indications are any guide - this disconnect, like September 11 itself, will soon be part of history. Today, Americans and Europeans speak of the "new normal": that state of being in life, as in business, where nothing can be taken for granted, least of all the security of the human and infrastructure assets that drive all businesses, governments and countries.
It was once the case that the security of all an organisation's assets was the responsibility of one person, who usually came from a physical security background. Information security, such that it was, also belonged to this someone. They set up the accounts and assigned passwords. Then the Internet changed everything. As information technology became more interconnected and integral to an organisation's prosperity, its security was separated from the person who issued ID badges and ensured that fire regulations were observed. But the pendulum is swinging again.
Steve Hunt, a vice president and the security research leader at Giga, says the idea of two security departments is understandable because physical security technologies require different expertise from IS technologies. Best practice in security now says that having isolated parts of an organisation monitoring particular pieces of risk is less effective than managing enterprise risk.
"In the past, business managers blissfully relegated technical risk management to specialised IT and corporate security teams," Hunt says, "while corporate security personnel focused on employee safety, crime prevention and physical risk management. IT security staff had their own interests, such as logical perimeter defences, password management, hacker prevention and Web site security. But after September 11, it seems common to hear security referred to in terms of business value and business process. For example, disaster preparedness, competitive espionage and cyberterrorism each impact the entire company, its shareholders, its employees and both sides of the security program."
It is increasingly the case that the one person - a very particular person - holds the brief for the security of everything the enterprise holds dear. Today's mantra is that risk management is as specialised and as vital as information management or financial management. Business continuity planning has brought the physical and IT security worlds closer together because management knows its business is just as susceptible to a flood, fire, theft or a bomb as it is to a hack, a computer failure or a rogue programmer. In the wrong hands, weapons of mass disruption are as scary as weapons of mass destruction. Continuous advances in technology and the realities of today's world have catapulted the security executive to the door of the boardroom alongside CIOs and CFOs. The chief security officer (CSO) has arrived.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.