Among security management professionals with 30 or more years in the field the continuing fragmentation of the security industry is cause for concern. Today we have “Cloud, IT, Cyber, Physical” and other variants within the security industry. This fragmentation continues into our corporations with widespread disagreement on the terms CSO and CISO (respectively, Chief Security Officer and Chief Information Security Officer).
Quite possibly, from a leadership perspective, our own industry has over-complicated the management “command and control” structure within security. In the process, have we left our companies, institutions, and organizations weaker and more vulnerable?
In the last 15 years we have had many voices at the table redefining security leadership, with no clear consensus achieved. HR consultants, Risk Management, IT, Legal, Executives, and competing professional trade groups have all weighed in on what now constitutes “the New Security Management/Leadership.” Granted, maybe it is a work in progress, but maybe they are getting it wrong.
Few would dispute that organizations face more threats than ever before, and that the technology of the last 25 years has dramatically changed our daily lives, both at work and at home.
Yet, how did we get away from a top security professional reporting directly to the CEO, who ran a security program that adjusted to meet the needs of the business and emerging threats?
Where the wheels fell off is debatable, yet many would agree that the move from Data Processing to IT Departments began to cause the biggest split within security as we know it–and one that we have not yet recovered from at the leadership level.
Veteran security professionals bear responsibility for the fragmentation we have today. Many did not keep up with those changing needs of their business, nor did they sharpen their skills and their staffing to keep pace.
Consider for a moment that veteran security professionals were pretty great at keeping abreast of other corporate changes and challenges. They honed skill sets well outside of the old-school “guards and gates” mentality. They managed programs to keep traveling employees safe, began to investigate complicated supply chain fraud, heightened executive protection details/skills, developed security incident reporting systems, investigated often complicated internal financial schemes, and much more as business changed with the times.
Yet, when it came to IT, and more specifically, IT Security, too many security veterans did not act, and did not continue to drive the security changes necessary to keep corporate security initiatives within one leadership role responsible for that continuing “command and control.”
IT professionals, often with no understanding of the larger context of security in a corporate entity, began to feel pressure from breaches, weaknesses, and poor design within their departments, and reacted. They developed specific security protocols and actions to address their “corner of the world” within the corporation. And, as that “corner of the world” has grown with never-ending technological advancements (and threats), they have continued to develop their own security programs.
This leaves us with two groups of professionals still working within silos when it comes to corporate security: IT in their world, and Corporate Security in every world except IT. While specialization is necessary and understood, we, as a security industry, need to better define that very top security executive and have all security issues roll up to that key position. That executive, whether they come from the long history of corporate security professionals or from the IT department, really needs to drop all sense of division and silos and see that the entire organization is served by security.