To Converge Or Not?
Apr 1, 2007 12:00 PM
Corporate Security's View:
“This is the guy who can bring the company to its knees. He has access and he is in a position to know where the internal controls are effective and ineffective, and he has both desire and opportunity.”
IT Security's View:
“Not likely here. This is why we have documented risk assessments, separation of duties, multi-layered access privileges based on clear need, anomaly monitoring and a host of other controls.”
The Converged View:
“We approach risk assessment as a team. Security is an integrated, cross-functional responsibility, shared with our business unit partners. We ask ‘what if’ and collectively recognize that our controls need to be interconnected, that effective logical security cannot exist without effective physical and operational security. We don't think about a converged approach to managing risk; we're more interested in being enablers of business strategy.”
MEMO TO THE CORNER OFFICER
What We Communicate To Management: “We want to keep you aware of the risks we see confronting business processes, where we have gaps in our protection that could impact shareholder value and what we need to do together to better manage these risks.”
SOURCE: George Campbell, who retired in 2002 as the chief security officer (CSO) at Fidelity Investments, the largest mutual fund company in the United States. As a founding CSO Emeritus/Faculty of the Security Executive Council, he serves as a content expert for council product/content development. This article is presented in cooperation with the Security Executive Council (http://www.csoexecutivecouncil.com).
© 2012 Penton Media Inc.