When companies decide to combine logical and physical security, one of the first challenges they face is finding a leader who has been exposed to both information security and physical security. Someone has to be put in place to create change. Who is this person? What is his skill set? Where can she be found? Does he or she actually exist?
I speak with both information security and physical security professionals every day, and when the conversation turns to who is best equipped to lead a converged security operation, I hear many opposing opinions. Usually, the opinion of the person to whom I'm speaking has a lot to do with his or her experience. Whose point of view is correct? I don't know for sure, but I can tell you about the conclusions reached by three companies that have recently contacted me for assistance in their search for a converged security leader. No opinions to share here, just facts.
Example 1: At one global company, the newly hired executive will have responsibility over information security, physical security, facilities security, business continuity, global supply chain security, brand and reputation protection, and all the facets of risk management that could be wrapped around the aforementioned topics. Nobody I spoke with possessed expertise in every topic. My client interviewed the top three CSO-tracked and top three CISO-tracked candidates I surfaced, each of whom had some exposure to each topic. After phone interviews, only the top three CISO-tracked professionals were invited in for face-to-face interviews. These business-savvy professionals were each technically sound, had significant exposure to physical-security issues, and were outstanding communicators and leaders.
Example 2: A 90-year-old global company that is used to dealing with physical security issues has recently experienced a change in its business model, causing the business to become more and more digitally driven. The company is creating a VP-level security role, and believes that 60 to 70 per cent of the new VP's responsibility will be the protection of electronic assets, while the remaining part of his or her job will be a mix of blended issues such as access controls and fraud detection/prevention, along with many purely physical issues. The search team has concluded that the most desirable candidate to address these needs will come from a strong information-security and risk-management background and will have some exposure to physical-security issues.
Example 3: Another global company recently discussed with me their plans to replace a retiring physical-security-focused CSO. Their intention is to hire someone with an 80 per cent information-security CISO skill set.
What does it mean?
In their own ways, each of these three companies came to the same conclusion. They have decided that 50 to 80 per cent of the skill set they need is an information-security skill set. They argue that an information-security-skilled executive should be able to bring the right blend of technical skills, business understanding and executive leadership to be successful in their newly created role. While this executive is not expected to be an expert in all physical security topics, he or she is expected to have enough exposure to the physical side to lead individuals on the team who possess physical security expertise.