What Are CSOs Worrying About?
WHAT CHIEF security officers (CSOs) worry about was the focus of a recent forum sponsored by ASIS International and the U.S. Chamber of Commerce. The answer to the question “What keeps you up at night?” varied depending on the industry sector.
The forum was attended by a mix of security and other business professionals, government officials, and congressional staff members.
One major complaint that cut across industries was that as laws and regulations are passed and government disaster preparedness exercises are run, private industry is not always adequately consulted by the government.
The FBI should be inviting private industry representatives to participate more in developing regulations and conducting its various tabletop exercises, said Michael Mason, CSO of Verizon. Having that kind of early involvement will help to ensure that the agency will know what companies’ capabilities are and what the true consequences of any disaster might be.
“Loss of a communication network can either cause a crisis or exacerbate it,” Mason said, adding that it would benefit both the telecommunications industry and the government if officials were more inclusive and treated telecom “not just as people who have to be accommodated, but as people who give value to that situation.”
Joseph Petro, Citigroup’s executive vice president and managing director of security and investigative services, said he is concerned that Public Law 110-53, “Implementing the 9/11 Commission Recommendations Act of 2007,” was passed without enough private sector input. He cited in particular Title 9 of that law, which deals with private sector preparedness. Petro is worried by the law’s emphasis on voluntary accreditation and certification, and he asked: What happens if companies don’t voluntarily comply, and how will certification work?
DuPont CSO Ray Mislock added, “The intent may be terrific… what our concern is, it creates another industry of vendors calling to certify the program.”
Mislock had some positive things to say about public-private partnerships, however. He said that as part of the Domestic Security Alliance Council, the FBI provides timely information and that it takes classified information and cleans it up so that it is no longer classified and can be shared with his company. He said that was helpful and that often it includes actionable intelligence.
Attendee James Cain, of the office of the program manager of the Information Sharing Environment, which coordinates information sharing across various domains, was glad to hear that such reports have been helpful. He told Security Management that Mislock “understands that information has been developed into an unclassified form he can use…. That’s an initiative that we’ve been looking to develop…. It’s good that people use that information.”
Outside of the subject of what the government can do to help, the ever-present security buzzword “convergence” was brought up several times. In the security field, convergence describes the concept of merging IT and physical security together under the same umbrella. Mislock doesn’t support that approach, but he does advocate working hand in hand with the chief information security officer (CISO). He and the DuPont CISO are “joined at the hip,” Mislock noted.
He elaborated on his view about convergence, explaining that DuPont has three major global security divisions—corporate, operations, and information—that work closely but remain distinct entities. Companies can find “great value in having the functions work together but be separate,” he said.
Moran and Petro agreed that unique skill sets and responsibilities are needed for the different types of security, and Moran added that security cannot just be made up of former law-enforcement officials but must include other types of professionals such as cyber experts.
The forum speakers also provided advice to attendees on how to build a business case for security in organizations. One approach DuPont had was to create a campaign called “Securing our Future,” which outlined ways that personnel could help security by protecting trade secrets. “We were able to take leadership, demonstrate value, but also engage leadership in helping to do it,” said Mislock.
Petro said it is important that senior management trusts that security recommendations are necessary and effective. And in cases like fraud, there are statistics that can back up a return on investment, so presenting those will ensure that it’s an “easy sell.”