CSO Perspectives: Burrill calls security convergence "inevitable"

COLORADO SPRINGS, COLO -- Convergence. That word bests all others as the most hotly debated here at CSO Perspectives. Industry veteran George Campbell yesterday called it "crap." David Burrill, delivering the morning's first address, called it "inevitable."



So which is it? Both, probably.



"I'll defuse that debate," Burrill told the house. "In yesterday's session [when Campbell and others pooh-poohed the concept of convergence], the question put to the panel was about physical security and IT. Very narrow. What we're talking about here is broader. Each and every person yesterday supported convergence, just different types under different names." In other words, the argument is about semantics, but everyone agrees the model of unifying security makes sense.



Burrill, the former head of security for British American Tobacco and now the head of a security consulting firm, said his notion of convergence, in fact, relies less on an organization's structure, its leaders and its budgets and more on a cultural shift to treat security as a core value across the entire company.



To make it clear Burrill used one of his favorite analogies: Corporate security is to companies what national security is to governments. "When you think of it that way, suddenly it's bigger than just how you shape the department," Burrill said. "The CSO is not the owner of security then, the company is. The CSO of course may play a leadership role." As a bonus to presenting security this way, Burrill added, "CEOs understand this. That's the big picture and they understand that."



Punctuating his points with humorous videos, one of which was literally potty humor, Burrill first focused on those industries that don't practice convergence. He called this "conscious incompetence, in my view the biggest management sin of all. When people block progress caused by their insecurity, prejudice and self-aggrandizement."



Burrill cited the air travel industry as a prime example of this. "The failure on the part of this sector makes my brain shudder," he said. He cited responses by the industry post 9/11 and post 8/11 (when the debated threat over liquid explosives emerged from the United Kingdom), as well as the recent weather-related crises suffered by passenger airlines. The responses to those events were marked by chaos and confusion, the absence of cooperation and alienation of the customer.



"It's a masterly example of conscious non-convergence, and in the context of a risk more likely to occur than many others," Burrill said, adding that the consequences of non-convergence included missed business opportunities, brand erosion and exposure to ridicule.



Burrill then launched into a litany of benefits of convergence: It improves corporate governance and the ability of security to support unpopular-but-necessary controls. It elevates IT security, brings younger blood into the corporate security ranks from the IT side, improves succession planning and educates security managers on technology, and vice versa.



But still, the hard part is figuring out how one does this convergence. Here, Burrill said there's no one way. "It's important to know, though, that convergence does not equal centralization. It could do, but it doesn't have to, and in fact the trend is away from centralization.



"It doesn't have to be one entity. It can be informal, though I have to say I'm not completely sold on that," he continued. "It could be shared responsibility. All these things are possible. But in an informed, creative environment, just making a single budget should not be the driver of convergence."



He summed up: "Convergence can only be done with the two groups working together as one, whether they are one or whether they act as one."



Finally, during Q+A, George Campbell stood to ask a question. "Excellent presentation," he said. All's well that ends well.



--Scott Berinato



Also see:



CSO Fundamentals: ABCs of Physical and IT Security Convergence



Next Generation Security



David Burrill and other CSOs discuss succession planning, a key part of well-managed security leadership. See "Natural Selection" from CSO's archives.

