John Pontrelli, VP and CSO of TriWest Healthcare Alliance Corp., answers readers' questions about security governance and the realities of infosec and physical security convergence.
Q: What impact does the convergence of infosec and physec have on corporate risk management, considering the fact that combining the disciplines creates new vulnerabilities?
A: I believe an even greater liability is created by not combining these disciplines.
By designating a single point of contact with visibility to all security-related risks, an organization can assign accountability for security strategy and business plan creation at the highest level. The CSO role is crafted to meet this requirement.
No one person can be responsible for all security-related activities within an organization; however, one person can be accountable and strategic. This security leader communicates security news, good and bad, to C-level leadership on a regular basis, and is accessible 24 hours a day to that same group of leaders.
This person works throughout the organization to identify and prioritize risk. The decision to accept, reduce or eliminate risk is always a business decision, and one that should traverse all business activities, both physically and logically. It has been my experience that if communicated appropriately, C-level leadership will typically follow advice on risk prioritization and resource requirements.
Q: How do you measure the performance of a converged security operation? What metrics do you use?
A: Security metrics come in all flavors. Through interaction with C-level leadership, a deep understanding of the strategic business plan and the organizational value assigned to business metrics, the CSO can identify the type, quantity, frequency, audience and presentation of appropriate security metrics.
Metrics are important for many reasons. However, it has been my experience that if C-level leaders receive regular communication about the security business plan and are confident that security is being addressed at all levels throughout the organization, they may be less inclined to scrutinize metrics.
I use metrics to analyze and trend where a particular security activity was and where it is today. I use the delta between those places in time to highlight and celebrate success with the security team members, C-level leadership and peers within the organization. We are often so engaged in managing our security operations and staying in line with constant business changes -- new technologies and so on -- that we lose sight of the progress that has been made. Metrics that reflect a specific period of time will highlight that progress.
Q: Do you think that ASIS International's recently published CSO Guideline captures the security convergence issues facing organizations?
A: The ASIS CSO Guideline was created over a substantial period of time with input from many of today's leading security practitioners. It is a comprehensive document encompassing the increasing breadth of activities associated with our industry.
The CSO Guideline, directly or indirectly, has contributed to the upward trend of companies recognizing, creating and hiring a CSO. Two takeaways for me are:
1. To be an effective security professional, regardless of title, one must report within the C-level hierarchy. The support, credibility and influence there are necessary for success.
2. The convergence of physical and infosecurity can no longer be denied. A silo approach to security is not in line with 21st century risks or organizational needs.
Q: Since 9/11, has there been progress in minimizing the cultural biases between physec and infosec?
A: I don't know what you mean by cultural biases. I am seeing a trend toward openness and communication between the two disciplines as they gain a clearer understanding of their codependency.
Technology radiates in every aspect of our lives, requiring those who choose the security profession to understand and appreciate what it means to their environment. Physical security has been defined and refined for a much longer period of time, allowing access to time-tested concepts, approaches and strategies. Today's and tomorrow's well-rounded security professionals must embrace, understand and, most of all, appreciate how the convergence of security disciplines will reduce organizational risk through a more comprehensive approach.