According to a report from the ASIS Foundation, only 5% of organizations have converged cybersecurity and physical security in a single department, and almost half separate physical and cybersecurity into two departments.
When an organization treats physical security and cybersecurity as two separate entities, one aspect inevitably gets undermined and, in turn, both become weaker. For example, you can deploy the best data security solution on your laptop to protect your information, but if you print a document and throw it away without shredding it, the organization is at risk.
We spoke to John Scimone, who currently serves as Dell’s Chief Security Officer, where he leads the company’s global corporate security program and the full spectrum of strategy, planning and operations to aid Dell’s businesses.
Prior to Dell, Scimone served as the Global Chief Information Security Officer for Sony Group, where he was responsible for building Sony’s first global information security and privacy organization, playing a leading role in the company’s response to the infamous North Korean cyberattack. He also served as Director of Security Operations for the Secretary of Defense’s communications office, where he led the facility, personnel and cybersecurity programs, and as a Senior Security Advisor with the Joint Task Force for Global Network Operations (now US Cyber Command).
Scimone, who runs a converged organization, combining physical and cybersecurity, speaks to how he has personally navigated a culture of convergence and digital transformation at Dell.
Security magazine: What is your title and background?
Scimone: I serve as the Chief Security Officer and Senior Vice President at Dell Technologies where I lead our Security and Resiliency Organization. In this role, I oversee physical security, cybersecurity, product security and enterprise resiliency programs. Prior to Dell, I served as the global CISO of the Sony Group family of companies. I have also held a number of security-related roles within the U.S. Department of Defense. The first converged program I led was when I was head of physical security and cybersecurity for the Secretary of Defense Communications Office in the Pentagon.
Security magazine: As CSO of Dell Technologies, you run a converged organization combining physical and cybersecurity. Was this inherited from the previous CSO, or did you lead this change?
Scimone: When I joined Dell in 2017, they’d had a converged organization for a number of years that included physical security and cybersecurity under one roof. I built upon this model after coming on board. The first step I took was integrating a global product security function into the organization, which also took global responsibility for corporate application security, so all of the company’s software development was being secured by a single team of deep experts. I also created a converged governance, risk and compliance (GRC) function, to ensure our various specialized teams would take a common approach to identifying, measuring, and articulating risks for the company. Other converged elements of the organization that I either created or combined included a global project management office (PMO), a training and awareness team, and a metrics and analytics organization. Finally, I created and embedded Business Unit Security teams within our core Dell business units and functions, such as our Infrastructure Solutions Group, Services and our manufacturing and logistics organization. These teams provide embedded, dedicated, full-time security experts that bring unmatched value to proactively identify risks and opportunities that might otherwise be difficult to identify by a solely centralized security organization.
Security magazine: What are the benefits of converged security?
Scimone: Converged security organizations recognize benefits in both efficiency and effectiveness, regardless of size or industry.
From an efficiency perspective, combining teams with common functions (e.g. project management, employee training, risk management, etc.) provides for opportunities to streamline processes and reduce resources. Beyond efficiency gains in the security team itself though, the broader productivity of the organization can be improved as employees are only having to engage with a single security team and enroll in a single annual training course that converges the most important topics, both physical and digital.
From an effectiveness perspective, bringing multi-discipline skillsets to solve problems and manage risks positions companies better to deal with a threat and vulnerability landscape that is itself increasingly converging. We see cyber-attacks being perpetrated via physical means, and vice versa. Vulnerabilities in cyber systems increasingly can result in physical world effects, and vice versa. To artificially treat these realms separately when the risks being faced are themselves increasingly converged is like watching two sports teams play against one another, with one side that has a unified game plan under a single coach, and the other that is being coached and managed separately.
This is especially beneficial for senior business leaders as a converged organization provides them with a holistic risk view so that they can articulate investment priorities and complex risk scenarios in a simple and unified way.
Security magazine: Are there disadvantages to this converged security model?
Scimone: Issues may arise if a CSO does not have a deep understanding of the full breadth of portfolio responsibilities, or if they struggle to aggressively prioritize within their broad portfolio resulting in dilution of focus on key risk areas. Security leaders must prioritize incessantly within their own organizations, and remain attuned to which functions within the converged portfolio need to be prioritized to align with business priorities. In the simplest example, a medical device company is likely to make product security their number one priority while a luxury retailer would prioritize physical security. Converged CSOs must prioritize incessantly to avoid the additional responsibilities distracting from or diluting their focus.
Security magazine: How have you navigated a culture of convergence and digital transformation at Dell?
Scimone: Dell Technologies has a long-standing culture of being bold in its willingness to constantly change and reinvent itself to adapt to our customers’ needs. This kind of attitude is essential to making big organizational changes like converging physical security and cybersecurity organizations, but also to capitalizing on the digital transformation opportunities that exist (both within our organization and those that we counsel and assist our customers with implementing). Every team member in our converged organization knows that our culture values innovation, experimentation and bringing forth bold, new ideas. One of the most satisfying parts of watching our converged organization progress has been seeing my talented team members jump back and forth between different facets of security, applying their unique skillsets against the breadth of mission areas we focus on. In particular, seeing our cyber-savvy practitioners start merging and partnering in the physical security space excites me as I believe physical security is on the precipice of digital transformation.
Security magazine: What has been the most difficult challenge with leading a culture of convergence?
Scimone: It takes the right type of team member to succeed in a converged organization. They need to be open-minded, curious and willing to learn every day. That said, one of the most significant challenges, if not the most significant challenge, in leading a modern-day security program is competing for talent. We’ve created an inclusive and collaborative organization where team members can expand their skillsets and cross-train, which serves as a differentiator in our overall talent strategy and helps us attract those types of team members.
Security magazine: What advice do you have for other CISOs/CSOs that wish to lead a similar model at their organizations?
Scimone: To transition into leading a converged multi-discipline organization you have to be willing to be uncomfortable. Many CISOs are intimidated by the notion of holding the responsibility to protect the lives of their employees against violent acts, and many CSOs worry about ever having to explain complex cyber topics in the board room. Recognize that leading a converged organization is less about subject matter expertise, and more about an ability to create a collaborative and innovative culture and team, that you can energize and align against key business priorities, and hiring strong team players to offset your own subject matter gaps. Also, I often see organizations struggling to achieve convergence as they don’t know where to start. The secret is to just start somewhere; it really doesn’t matter what the first step is – whether it be physical and cyber, cyber and product, or any other convergence opportunity – just take that first step and the rest will get easier from there!