Bridging the CISO-CSO Communications Gap
Threats have converged, even though the defenses against them still operate separately.
There was a time when the corporate security team was responsible for setting the policies for overall security within an organization, including digital security. Today, those responsibilities are likely to be split between a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO). This brings into play the views, opinions, needs and requirements of both the CSO and the CISO, and the conflict that may ensue between them.
While the technologies for securing “physical assets” have evolved immensely over the years, the problems they are tasked with solving have remained relatively unchanged. As an example, if a bad actor successfully breaks into one of your warehouses and steals millions of dollars’ worth of goods, there is nothing good about that scenario, but you will probably have insurance to cover the losses and perhaps another warehouse from which to continue serving your customers without interruption.
However, when you look at the digital side, even the theft of one customer record could be devastating, both from a financial perspective and from a pure brand reputation perspective. In my previous role with a major Fortune 500 company, we called this a “company extinction event,” because the major commodity a company offered its customers was trust that it would protect the data they willingly chose to share, and the loss of that trust isn’t something covered by an insurance policy, nor can you restock it from another warehouse.
In our dealings as a provider of security risk management services, we are often called upon to help start and moderate conversations between CSOs and CISOs to help both accomplish their respective goals, because both have the same mission – to protect their organizations from outside threats.
But too often, what we uncover is a genuine lack of understanding on both sides that they are defending against potentially the same threats, just viewed through different lenses. Helping them develop a mutually accepted view of the threat, its potential impact on the business and the role each team plays in addressing the risk is the critical first step in bridging the communications gap.
Complicating that relationship is the fact that while physical security is seen as a critical layer in the protection of the IT network, it is at the same time a potential source of vulnerabilities to the very network it was designed to protect: cameras, access control panels and similar devices are network-attached endpoints running their own firmware, and so they are part of the network’s attack surface. The conversation will inevitably migrate to a discussion of a recent attack that leveraged security cameras to breach the network. As a physical security professional, it is sometimes difficult to know whether the cameras on the network pose a risk. This presents an opportunity to advocate for, and engage with, the IT security team so that it can help the physical security team make wiser choices around camera selection and help ensure that the cameras and their firmware stay patched and hardened against current threats. This can be the critical step in building a collaborative, team-focused effort to solve your organization’s common problems.
Another issue we sometimes face in trying to communicate with our peers on the IT team is the subtleties of common language. Take the word “control.” Control often leads to miscommunication because, by definition, it means “the power to influence or direct people’s behavior.” When these teams talk about who has control over the physical security systems and their components, or even control over parts of the facility such as data centers where the servers and panels reside, both teams may position themselves so as not to give up control to the other. So instead of using the word “control,” a better word may be “access.” Allowing both teams access to the devices, systems and physical locations in question lets them both do their jobs. Even the slightest nuance can help avoid creating a conflict over something that wasn’t real in the first place.
Perhaps the next biggest obstacle we see in these discussions pertains to budget dollars and who has them. Going back to the shared goal of reducing the company’s exposure to outside threats may help both parties move along the same path rather than from opposing directions.
Finally, while enterprise security risk management programs have been around for more than a decade, they were initially embraced by the IT side of the house, not the physical security teams. This caused a fracture in the programs, as the teams never developed a converged approach to identifying and addressing risk. The threats eventually reached the point where they targeted both physical and cyber assets. In other words, the threats converged even though the defenses against them still operated separately.
Cyber threats will try to find your weakest link and exploit it. If companies continue to work in silos and focus on a single threat or problem, they may not see threats coming from unexpected directions. The only reasonable way to minimize cyber threats is to develop programs and tools that are as agile as the threats themselves. In most cases, neither the CSO nor the CISO is entirely responsible for the risks that cyber threats present. However, without realizing it, they both may ultimately work for the individual or individuals who do own the risk. This realization usually leads to closer ties between the two teams, and that is when the real work can begin.
Enterprise security risk assessment and management is clearly more complicated in today’s world. But open, honest conversations and working together to understand the overall risks to the business will help any organization prepare to combat the threats it may face every day.