We launched CSO Magazine in the Fall of 2002. Security was becoming a more important consideration for the corporate world, and so more companies were elevating their security leadership into more influential positions. Managers became directors, directors became VPs, the CSO and CISO titles started appearing more frequently. Succeeding at higher levels in the corporate world requires a different skill set, or rather an additional skill set. The MBA started to become as pertinent to the job as the ever-popular CPP and CISSP. We had watched the same progression among CIOs over the preceding years, as the strategic impact of IT rose and thus CIOs grew in prominence and in business savvy, so we had some experience providing the necessary types of information for a new executive audience.
Right off the bat one of the most interesting things going on was the idea that information security and physical security (more broadly known as “corporate” security, since it encompasses a lot more than door locks and video cameras). We wrote about this concept in the first issue of the magazine.
Then, through conversations with CSOs and simply through thought and discussion, we realized that this was the logical place for security to go at the management level. If you think about the big-picture threats facing businesses and the security problems they need to solve – business continuity, intellectual property protection, as two examples – you pretty quickly realize that you need policies, procedures, tools that cover both the digital and physical worlds. Sensitive corporate information can be hacked off the network or found in a printer tray or a dumpster.
Historically infosecurity and corporate security were managed by completely different groups/people. And covered by completely different magazines. But the only way a company can make sure there aren’t holes in its protective net is through communication and cooperation of these groups/people. But when we launched CSO and made this convergence one of the cornerstones of the magazine, we got pooh-poohed quite a bit. A good number of other magazines and analyst firms said the “convergence” of physical & info security was either a fiction or a fad.
That was 02. By late 06, it became hard to find a skeptic. If you simply do a Google blog search on “convergence of physical and IT security”, you’ll see how much traction the idea has now. Looks like Cisco’s purchase of video surveillance Sypixx was an event that finally turned the light on for some folks.
For CSO, a good while ago we stopped writing about it on the level of “oh gee, what is this strange new concept”. If you just got to that point, you’re several years late. Frequently if you’re going to write accurately and usefully about a security subject you have to incorporate both digital and physical ideas, systems, threats. (Examples: Google. Access control. Data centers.) That’s just the way the world is shaped these days. Things once separate are now all mashed up. (Insert link to my blog. Oh, you’re already there.)