Skills for leading a converged security operation

The cultural challenges are significant, and the CSO has to lead the way in learning and changing. We spoke with several converged CSOs for their take on building the necessary skills to hold the job.

Carmichael himself, whose background was heavily in technology, decided that if he was going to talk the talk, he had better walk the walk. He volunteered at the Colorado Springs Police Department to help "round out physical side" of his knowledge base.

For Wolfgang Ziegler, many years spent first as a cop and later as a police detective gave him a comprehensive background in physical security. As he saw the security field becoming increasingly technical, he went for a CISSP where, in his words, he was the "only non-fulltime IT person in the class."

Now, as CSO of Alliance Group Research (AGR), a security consultancy, he counsels clients on threat and risk assessment on both the physical and IT sides. Based in Houston, AGR has a significant number of clients in the oil and gas industry.

"I often tell them you could have the best firewalls and security there is. But if your server room is protected by nothing but a proximity card, your firewalls are meaningless."

Seek team-building opportunities

Advising clients on a holistic approach to security means handling the tension that comes up when different departments work together. Ziegler refers to these personalities as the bad guys, bytes and bean counters, and they often couldn't be farther apart when it comes to seeing eye to eye.

"They just want to pound each other," said Ziegler. "That's where the CSO is going to be put to the test. That person needs people skills, management skills. How can that person compromise, read people, reward each and manage effectively but still make decisions that need to be made that affect the bottom line?"

For Carmichael, the answer has been trying to foster understanding and a team atmosphere, even though animosity is inevitable.

"I haven't been in an environment where they've tried to integrate where there hasn't been resistance. But you have to overcome that with communication. Get the team together and say, 'We are all in risk management. What can you add?'"

Carmichael recalls one meeting that involved department heads from physical security, security engineering and compliance. Each person, said Carmichael, had a distinct style of communication, and it was like watching them all have separate conversations.

Then the head of physical security said: "You have it so easy: username and password. You have no idea how difficult access control is with badges. People forget them, use other people's badge, they find other ways in, bypassing the controls in every building," according to Carmichael's recounting of the scene.

"The pause was palpable," said Carmichael, until the security engineering head jumped in with the difficulties of the username and password environment: the weaknesses, people forget them, use others and find other ways in. And then the compliance head chimed in about password controls and how people bypass them.

"Suddenly, there was a commonality in the room: the concept that people, assets, the company, need to be protected, even when they work against the system," said Carmichael. "That we are a team. We struggle with the same types of issues from different perspectives."
