
Bridging the CISO-CSO Communications Gap

Threats have converged, even though the defenses against them still operate separately.

November 12, 2018
Ed Bacco
KEYWORDS information security / network security / security careers / security leaders

There was a time when the corporate security team was responsible for setting the policies for overall security within an organization, including digital. Today, those responsibilities are likely to be separated between a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO). This brings into play the views, opinions, needs and requirements of both the CSO and the CISO and the potential conflict that may ensue.

While the technologies for securing “physical assets” have evolved immensely over the years, the problems they are tasked with solving have remained relatively unchanged. As an example, if a bad actor successfully breaks into one of your warehouses and steals millions of dollars’ worth of goods, there is nothing good about that scenario, but you will probably have the insurance to cover the losses and perhaps another warehouse to continue to serve your customers in an uninterrupted manner.

However, when you look at the digital side, even the theft of one customer record could be devastating both from a financial perspective and from a pure brand reputation perspective. In my previous role with a major Fortune 500 company, we called this a “company extinction event,” because the major commodity a company offered its customers was trust to protect the data that they willingly choose to share, and the loss of trust isn’t something covered in an insurance policy, nor can you pull more out from another warehouse.

In our dealings as a provider of security risk management services, we are often called upon to help start and moderate conversations between CSOs and CISOs to help both accomplish their respective goals, because both have the same mission – to protect their organizations from outside threats.

But too often, what we uncover is a true lack of understanding from both parties that what they are really defending against are potentially the same threats – just viewing them through different lenses. Helping them develop a mutually accepted view of the threat, its potential impact on the business and what role the teams play in addressing the risk is the critical first step in the process of bridging the communications gap.

Complicating that relationship is the fact that while physical security is seen as a critical layer in the protection of the IT network, it is at the same time a potential source of vulnerabilities to the very network it was designed to protect. The conversation will inevitably migrate to a discussion about a recent attack that leveraged security cameras to breach the network. As a physical security professional, it is sometimes difficult to know if the cameras on the network pose a risk. This presents an opportunity to advocate for, and engage with, the IT security team to help the physical security team make wiser choices around camera selection and to help ensure that the cameras and firmware remain optimized against threats. This can be the critical step in building a collaborative, team-focused effort to solve your organization’s common problems.

Another issue we sometimes face in trying to communicate with our peers on the IT team is the subtleties in common language. Let’s take the word “control”: it often leads to miscommunications because, by definition, it means “the power to influence or direct people’s behavior.” When these teams are talking about who has control over the physical security systems and their components or even control over parts of the facility such as data centers where the servers and panels reside, both teams may position themselves in such a way as to not give up control to the other team. So instead of using the word “control,” a better word may be “access.” Allowing both teams access to the devices, systems and physical locations in question lets them both do their jobs. Even the slightest nuance can help avoid creating a conflict over something that wasn’t real in the first place.

Perhaps the next biggest obstacle we see in these discussions pertains to budget dollars and who has them. Going back to the concept of working toward the goal of reducing a company’s threats from outside influences may help both parties get on a path going in the same direction instead of from opposing ones.

Finally, while enterprise security risk management programs have been around for more than a decade, they were initially embraced by the IT side of the house, not the physical security teams. This caused a fracture in the programs as the teams never developed a converged approach to identifying and addressing risk. The threats eventually got to the point where they targeted both physical and cyber assets. In other words, the threats converged even though the defenses against them still operated separately.

Cyber threats will try to find your weakest link and exploit it. If companies continue to work in silos and focus on a singular threat or problem, they may not see threats coming from unexpected directions. The only reasonable way to minimize cyber threats is to develop programs and tools that are as agile as the threats themselves. In most cases, neither the CSO nor the CISO is entirely responsible for the risks that cyber threats present. However, without realizing it, they both may ultimately work for the individual or individuals who do own the risk. This realization usually leads to closer ties between the two teams, and that is when the real work can begin.

Enterprise security risk assessment and management is clearly more complicated in today’s world. But open, honest conversations and working together to understand the overall risks to the business will help any organization prepare to combat the threats their business may face every day.


Ed Bacco brings more than 30 years of Security Management, Physical Security and Project Management experience and expertise to his role as the Chief Security Officer (CSO) at Aronson Security Group, an ADT Company, where he leads the Enterprise Security Risk Group (eSRG). Prior to joining the ASG team, Bacco was the global head of corporate security for Amazon, where he was responsible for leading and expanding the corporate security & safety programs at more than 105 locations in over 29 countries. Previous to making the jump to the corporate world, Bacco was the Director of the National Transportation Security Operation Center, where he coordinated the security at over 440 airports, seaports, rail lines, pipelines and public transportation hubs.

Ed Bacco received the first ever U.S. Navy Award of Excellence for Physical Security, and he holds numerous patents, both in the U.S. and in Europe, for physical security devices.
