98 ◾ Security Strategy: From Requirements to Reality
Focusing on the business and its objectives for convergence is
the best way to deal with turf issues; the effort must include any
new stakeholders too. Their objectives may not be security
related, but they are still business related and so deserve consideration.
Culture clash is another major challenge. Corporate
security personnel have law enforcement backgrounds, whereas IT security personnel have technical
backgrounds. The skill sets, mind-sets, processes, and even the terminology are very different
for the two groups. While IT people love to experiment with new technologies, corporate security
prefers to stick with what is proven and reliable, which makes sense when you think about it. If
your facility access system fails, all movement within the facility ceases. Think about what that
would mean in an airport.
Processes are also different; corporate security focuses on loss prevention and safety, IT on data
loss. The IT people come to the table with threat models and risk analysis, whereas corporate security
personnel come armed with hardware, site plans, and building blueprints. Although the new
technologies are producing intersection points in these processes, a concerted training effort and a
smart command structure are needed for successful integration. The integration will produce new
roles requiring new skills. Not only is a common management structure needed, but that management
needs to have the skills required to effectively handle both disciplines. One of the issues that
will need to be dealt with is compensation. The pay disparity between corporate security positions
and IT security is substantial. Melding and upgrading skill sets is going to require rethinking
some compensation models, but career and compensation advancement can also be a major selling
point for convergence. These are not the only challenges companies will face, but they are the
most common ones. Companies would do well to include strategies for dealing with them when
planning for security convergence.
Success Factors
A successful security convergence project consists of some pretty standard factors including
executive sponsorship, buy-in from the management of the organizations being converged, thorough
planning, good communications, and ongoing training. Executive sponsorship cuts down
on the politics and turf war aspects of things and makes it much easier to get buy-in from the
managers involved. Memos are nice, but getting a face-to-face meeting with the executive sponsor
and the group manager is more effective. A successful convergence project is going to take
a lot of planning; most managers who have gone through the process recommend small incremental
steps starting with the “big wins.” That is, things that can be accomplished in relatively
short time frames and demonstrate real business value should be tackled first—for example,
establishing a common help desk function for both groups and creating a single portal for security
information, request forms, and so forth. Planning must include defining personnel roles
for the new organization and the skill sets expected. This exercise will help solidify the training
curriculum and training plans. One of those roles will be the chief security executive, the person
ultimately responsible for enterprise security in all its forms. Organizations that perform similar
functions but have separate reporting structures create unnecessary business risk, and some of
those risks are substantial. A few years ago Bill performed a security assessment for a large communications
company that had a development division and a production operations group with
a separate reporting structure. All the company’s applications were designed, developed, staged,
tested, and secured by the development division. Once the application was approved for release,

“Focusing on the business will bridge all those gaps [turf-wars] naturally.”
John Fenske, CSO, Johnson Controls