When companies decide to combine logical and physical security, one of the first challenges they face is finding a leader who has been exposed to both information security and physical security. Someone has to be put in place to create change. Who is this person? What is their skill set? Where can they be found? Does he or she actually exist?
I speak with both information security and physical security professionals every day, and when the conversation turns to who is best equipped to lead a converged security operation, I hear many opposing opinions. Usually, the opinion of the person to whom I'm speaking has a lot to do with his or her experience. Whose point of view is correct? I don't know for sure, but I can tell you about the conclusions reached by three companies that have recently contacted me for assistance in their search for a converged security leader.
Example 1: At one global company, the newly hired executive will have responsibility over information security, physical security, facilities security, business continuity, global supply chain security, brand and reputation protection, and all the facets of risk management that could be wrapped around the aforementioned topics. Nobody I spoke with possessed expertise in every topic. My client interviewed the top three CSO and top three CISO [chief information security officer] candidates I surfaced, each of whom had some exposure to each topic. After phone interviews, only the top three CISO-tracked professionals were invited in for face-to-face interviews. Each of these business-savvy professionals was technically sound, had significant exposure to physical-security issues, and was an outstanding communicator and leader.
Example 2: A 90-year-old global company that is used to dealing with physical security issues has recently experienced a change in its business model, causing the business to become more and more digitally driven. The company is creating a VP-level security role, and believes that 60% to 70% of the new VP's responsibility will be the protection of electronic assets, while the remaining part of his or her job will be a mix of blended issues such as access controls and fraud detection/prevention, along with many purely physical issues. The search team has concluded that the most desirable candidate to address these needs will come from a strong information-security and risk-management background and will have some exposure to physical-security issues.
Example 3: Another global company recently discussed with me their plans to replace a retiring physical-security-focused CSO. Their intention is to hire someone with an 80% information-security CISO skill set.
In their own ways, each of these three companies came to the same conclusion. They have decided that 50% to 80% of the skill set they need is an information-security skill set. They argue that an information-security-skilled executive should be able to bring the right blend of technical skills, business understanding and executive leadership to be successful in their newly created role. While this executive is not expected to be an expert in all physical security topics, he or she is expected to have enough exposure to the physical side to lead individuals on the team who possess physical security expertise.
Someone with a stronger background in corporate security certainly could argue that he or she could simply put a strong information-security person in place to lead that aspect of the organisation. But in my experience, that argument just hasn't worked as well. For whatever reason, leaders with an information-security background seem more often to have the business savvy that makes upper management confident in their ability to break down the silos that have built up over time — perhaps just by the nature of who they interact with in a corporate environment.
Besides, even a converged CSO role is increasingly a technical one. Electronic record issues, data privacy issues and regulatory compliance pressures are becoming more and more complex. As I listen to the conclusions my clients have reached as they work through the process of determining what a converged security skill set looks like, I hear them place most of the emphasis in their description on a deep and diverse technology and information-security background.
The decision to converge information and physical security is a bigger decision than meets the eye — as is the ability to succeed in a newly converged position. Assigning or acquiring the right talent to successfully lead a new converged operation is the difference between success and failure of the endeavour.
Jeff Snyder is president of SecurityRecruiter.com