The Scorecard for Critical Communications presented at The Great Conversation in Security
The following is a summary provided, with permission from The Great Conversation, to the followers of Vingtor-Stentofon:
The Great Conversation is an executive leadership forum for risk, resilience and security professionals. By sharing best practices, innovations in leadership, and emerging technology, attendees leave armed to accelerate the value of their people, processes and programs. The Great Conversation is organized through knowledge tracks that help source leaders who can advance the learnings of the community. The tracks are:
- Leadership: Strategy, Innovation and Change
- Organizational Strength
- Enterprise Security Risk Management (ESRM)
The following is a review of each track. Attendees will be receiving updates to each of these as they come in from the executive community or from ongoing interviews by The Great Conversation in Security team.
Mike Mason, CSO of Verizon asked, “Do you know who you are?” and challenged attendees to explore ways to see themselves clearly so they can become inspirational leaders who truly care and build a legacy of value.
Microsoft’s CSO Mike Howard pressed further, asking the question, “Are you selfless?” and spoke about his personal leadership philosophy around guiding Microsoft’s security program. He showed attendees how being selfless helped him break down silos of communication that were hampering success with the industry and programs.
CEOs invest thousands of dollars attempting to create an engaged workforce and culture of leadership. They believe this will help them innovate and adapt to change. Kimo Quaintance of the George C. Marshall European Center for Security Studies, shared his perspective on how disruptions inform our way of thinking about a culture of innovation and change. Then Wendi Walsh, Principal in the Enterprise Security Risk Group (eSRG) of ASG, provided a roadmap for introducing change into the organization.
Enterprise Security Risk Management (ESRM)
Kip Boyle, of Cyber Risk Opportunities, introduced the NIST Cyber Security Framework (CSF) and suggested that many of the terms used were transferrable to physical security. He then suggested a method for measuring an as-is state by incorporating into the CSF the impact of risk on people, process, technology, and management. It resulted in a fairly intuitive and persistent “dashboard” for business and risk leaders.
Jeff Slotnick, CSO of OR3M, walked through the process for Risk, Threat, and Vulnerability Assessments and compared today’s process with a process governed by information management tools and governance. By collecting the right data and then having the ability to repurpose it to guide future workflow and risk mitigation efforts, we now have the ability to scale this practice to effect change efforts and quantify value to the business.
Michael Hamilton, former CISO for the City of Seattle and current CEO of Critical Informatics, hypothesized that we have data around behaviors collected from physical and logical devices and can begin to leverage it to understand people, processes, and tool behavior as well as risk. Insider threats are a leading concern of CSOs and their teams. Hamilton works with an integrator and some product technology companies to initiate a proof of concept and lets the data from this exercise guide future understanding and action.
This is where theory met reality. We asked a number of product technology vendors to provide a future roadmap and case studies for their categories and present them for critical examination to the Great Conversation community. We also asked security leaders to provide their input into these roadmaps and scorecards, and, when relevant, share their learnings on their implementations.
- Ron Virden, President and General Manager of Lenel joined with Jasvir Gill, CEO of Alert Enterprise, to cast a vison of how we can collect, manage, report and drive actionable response from the unification of identity management and access control. Shannon Dunaway, Access Control Manager of one of the largest utilities in the United States, AEP, then provided how they are deploying many of these ideas within their program.
- Mark Duato, Vice President, Integration Solutions, ASSA ABLOY, provided a roadmap of the opening and then was joined by the Corporate Security Director of Micron Technology, Joe Mueller; the Director of Security of the Bellevue School District, Mike Dorman; and Jeff Slotnick, CSO of OR3M, to discuss how opening strategies are addressing risk, resilience, and security on campuses.
- Ed Bacco, CSO of ASG and the leader of their Enterprise Security Risk Group (eSRG), moderated the Roadmap for Identity. He was joined by HID’s Technology Advisor, Nathan Cummings, and two security executives: Wendi Reiter, Director of Security for the Port of Seattle and Amit Bhardwaj, the CISO of Clorox. This was a synergistic presentation to the Future of Access Control addressing many of the same subjects. The thread we pulled between all of these is the absolute necessity for interoperability.
Through our interviews we know that security executives rarely have access to a scorecard they can use to validate their technology vendors. We chose vendors from diverse technology categories to present their perspective on how they would define the scorecard without stepping over into a product pitch for their company. They knew in advance that their ability to shed true insights would be monitored and measured by their CSO moderators and the executive community. By and large, the feedback we received was that the exercise shed insight and challenged assumptions making it a great conversation. The following categories were represented with the high level learnings we captured for each:
- Access Control (Enterprise and the Cloud)
- This is now about information management and intelligence which is impacting the authentication device (mobile vs. card), the use of identity, and the executive dashboard and reporting.
- Critical Communications
- To hear and be heard is critical at the time of need. You may have sound but not intelligibility: that is, you cannot hear because of the ambient noise or the inefficiencies of the technology. Lesson: Test for your true measure of intelligibility; then interoperability and then availability, reliability, sustainability and maintainability.
- Video Management Systems
- VMS systems must have a check list of features and functions. But their true measure of performance is in their ecosystem. What would the iPhone be without the Apple Store? Solutions come from a wide spectrum of vendors willing to explore new applications off this platform.
- Video Surveillance
- The quality of the image dictates its use, forensically and for other applications.
- The Opening
- Assess, Apply, Focus on TCO, Drive Sustainability, Interoperate, Leverage the Consultant/Integrator Ecosystem
- Interoperability and customization ensure integration into the program
- IP-Based Power
- This mature industry has a new face lift and it is called real-time performance monitoring of your power.
- Performance Monitoring and Management
- It is time for your security devices and software to be as reliable as your critical business applications. IT calls that .99999 reliability and availability. It became evident this had not risen to the level of urgency for most programs. We will track this to see if this changes. After all, security is a critical part of the organization.
- Leveraging the Supply Chain reduces risk, expands potential value, optimizes time to value (Optimization). A Global Network of SMEs ensures education on product, vendor, and service provider vetting.
One attendee (a CSO) said this about the Scorecard Session:
The biggest learning point for me was to ensure we are always focused on asking the right questions prior to adopting new technologies or any new way of doing business. The “scorecards” for vendors is a great idea…let’s better define what we want to learn before they come for a visit.
The Great Conversation in Security is the forum for executive level insights into the business drivers of the industry. The speakers and thought leaders invested their time and resources to share their wisdom from their successes and failures. The industry’s value and contribution stands on the shoulders of those who share transparently to grow others.