At the time, the two groups had different reporting structures and budgets, and there were many task duplications. Tyson developed a plan that created substantial cost and time savings by combining the risk assessments and audits that had been performed separately for physical and IT threats.
Additionally, by combining the reporting functions of the physical security manager and the IT security manager, who both then reported to the director of business support operations, time could be saved and value increased. Most important, the process yielded the added insights of a holistic security viewpoint.
As a result of his pitch being accepted, Tyson was able to develop an enterprise security team that could supply policies and guidelines to operational teams. Almost immediately, the benefits began rolling in—among them a more than 50 percent reduction in desktop policy violations, the use of existing storage area network architecture to store security-related digital video feeds, and the use of existing fiber-based local area network (LAN) with virtual LAN technology to transmit feeds from 700 citywide CCTV cameras with almost no overhead costs.
“In Vancouver, we were also able, through a small amount of training, to make laptop theft virtually disappear just by getting the physical security staff to be aware of the information-theft risks,” he says. “The physical security staff spread the message about laptop security, because they were out there interacting all day.”
There were many detractors to convergence, says Tyson, “because it was scary to both sides.” The main concern was “Who was going to end up in charge?”
That issue remains one of the key stumbling blocks at companies that have not yet converged. “No one sees it for what it is: a way to mitigate risk by working together. And there are many different kinds of models that don’t include one group eating up the other one,” Tyson adds.
Among the lessons Tyson learned while heading the convergence effort at the City of Vancouver was to realize that the two groups might not really understand each other’s culture, functions, goals, or capabilities. Both groups tend to use jargon that isolates them from outsiders. A careful explanation of how the two units can fit together, spoken in a common language, can greatly ease tensions and fears.
“I really think it’s a general fear of the unknown,” Tyson says. “If you don’t know anything about computers, it’s natural that you would be nervous about getting into a situation where you don’t understand the underlying technology and are left at a disadvantage.”
The answer is to learn about the issues on the other side of the security fence, at least so that you can comfortably discuss them with the real experts.
Companies are increasingly seeing the advantages of convergence, notes Tyson. During the last three years, as big companies have seen the real benefits of convergence through benchmarking done by AESRM and ASIS, among others, “we’ve seen a massive growth and adoption rate,” he says.
Total convergence doesn’t work in every case, however. “So people like me have started advocating that companies take as much of convergence that works for them,” says Tyson.
It’s also clearly not just about bringing together the two groups dealing with physical and logical security. About a year ago, Tyson notes, “we started to see an expanding understanding that convergence itself is really just a piece of the overall pie of enterprise security risk management. Companies have to manage all of these risks across the enterprise—not just the physical and IT elements. So that’s where it’s headed today…. It’s the endgame, for sure.”
Tyson notes that there are also social trends affecting the convergence process. “Our security staff are aging. Many are Baby Boomers, and as these people retire, the next group—the Gen-Xers and Gen-Ys—are historically much more technologically savvy,” he says.
As a result, Tyson goes on to explain, “I’ve seen a number of younger professionals, and some whom I’ve personally mentored, who have taken the time to educate themselves in both areas, as I did. They are five years from being equally qualified in both sides of the divide.”
“I started in physical security in the early 1980s and I went through all of the different disciplines—executive protection, alarm systems, investigations—but I made the switch in 1999 to IT security.”
Tyson says he is aware of the increasing demand for IT security education, not only from security professionals but also from technology vendors and installers. “We see the installers saying, ‘We need to know more. How do these technologies we install affect a network’s security? What should we be telling our customers about how to protect it?’ We’re going to see a real growth in education processes.”
Network with IT
“If you think about the electronic age we live in, 90 percent of the corporation’s assets are sitting there on the Internet someplace,” says O’Hara, whose firm has assisted others in the throes of convergence. One trend that O’Hara—like Tyson—has noticed is an increasing number of traditional security practitioners educating themselves in IT security.
“The younger generation of security managers is striving to understand IT security,” he says. These professionals are “looking for education, looking for benchmarking.”
Many are exploring certification options, including the American National Standards Institute and International Standards Organization accredited Certified Information Systems Security Professional designation from (ISC)2 and others.
O’Hara also notes that memoranda of understanding (MOUs) are now complete between ASIS and three of the leading IT security associations—the Information Systems Security Association, the Open Security Exchange, and the Internet Security Alliance. O’Hara states that the MOUs have “been on the worktable for about five years.”
According to O’Hara, there will be an emphasis on providing increased joint educational opportunities for the members of all four associations. “We will have an MOU to cooperate and cross-educate. Perhaps some programs or sessions at the ASIS Annual Seminar and Exhibits will be led by these other groups that will allow our members to take advantage of their expertise on the IT side, at the same time allowing their members the advantage of attending our educational sessions,” he states.
O’Hara’s advice: “Reach out to your peers. Get invited to IT security meetings and try to participate as much as you can. Try to find out as much as you can from your cohorts on the other side. Understand that you both have risks, learn more about what their risks are, and share your risks with them. Look for some common ground, and through this, provide a better protection environment for the organization.”
Ann Longmore-Etheridge is an associate editor of Security Management.