The challenge. Our example organization is an international company with more than 10,000 employees. Before it confronted the challenge of integrating all of its security operations, security within the company was disconnected; emergency management and physical security reported to corporate security, while information security and business continuity reported to information technology. As a result of this model, these functions did not have any formal processes for relaying information to one another.
This fragmentation led to problems. For example, when an employee’s laptop computer was stolen from her office, she was not sure which department to notify. The laptop was a physical asset, but because it came from the IT department, she was uncertain whether IT or the security staff should be notified. Ultimately, she only informed the IT department. And no one at IT involved the physical security unit.
Current-process model. The first step toward changing how incidents were handled was to clearly identify the existing holes in the company’s security system. To that end, physical, IT, and other security staff, working with business managers, began to develop an explicit model of how the company’s business processes functioned.
With this current-process model, the team diagrammed how the company managed security and emergency management, and it found that in many cases, specific security concerns were handled individually by each department and were never referred to the physical security department. The model also made it clear that strategic and governance functions could be improved by integrating like processes.
The team prepared biweekly reports to the sponsors to ensure that milestones were met and that deliverables were agreed to by all. Examples of deliverables that the group would generate included process maps, results from interviews, and best-practice information gathered from discussions with comparable companies and relevant associations.
To avoid that problem, the team decided to designate an owner for each security function—IT, emergency management, business continuity, and physical security—who would report to a newly appointed chief security officer, in what the company now calls end-to-end process ownership.
The future-process model started with companywide business protection as the ultimate goal, and the team identified the two main drivers of business protection as business security (physical, personnel, and information) and business continuity/emergency management. Certain components were shared across both of these drivers, such as communication, education, compliance assurance, policies and procedures, and strategic planning. For example, each security function mandates strategic planning to prepare for possible threats or security breaches.
However, the company also found that certain processes were function-specific. For example, access control and investigations were processes performed by business security, while system recovery was a niche that belonged only to business continuity. (A chart illustrating this analysis can be viewed online at www.securitymanagement.com.)
Benefits. With a CSO in charge of all security, and with a deeper understanding of which security functions were shared and which were not, the team was able to make an overall plan that would generate strategic advantages. It would do so by creating processes that worked across the components of security, continuity, and emergency management. This approach would allow better and more complete awareness of any security issues across the company. It would also eliminate confusion about which department handled each issue.
Real, tangible benefits were soon apparent. For example, while physical security was researching proximity cards to replace magnetic stripe cards for access control, information security was exploring biometric cards for access to computing resources. The fact that the two divisions now both reported to a single CSO and worked closely together meant that they were both aware early on of each other’s plans and of the potential benefits of combining their work on these projects.
Key steps. The process of converging security in this very large organization was not simple, but it does provide some pointers for other organizations that wish to follow suit. These steps include appointing a central security figure and mapping the company’s processes. Other steps are creating an effectiveness model to ensure that resources are being properly used, and ensuring that employees are educated about security.
The CSO must work with security staff to define and then assign ownership of each specific security responsibility. This step is critical because in an emergency situation, the key facilitators must be prepared to immediately fulfill their responsibilities, and on a day-to-day basis, employees must understand how they can contribute to the entire security process.
The mapping should also include a complete assessment of existing IT infrastructures to determine what components may be required to build and maintain a sustainable IT foundation that meets current needs as well as future technology expansion plans for physical and IT security. Developing this map requires a review of business processes and a detailed understanding of information access, workflow needs, budgets, timelines, and performance benchmarks.
The process begins by listing all of the security functions, such as investigations or crisis response, and mapping how organizational components like corporate security and human resources relate to carrying out each function. The diagram should show whether the organizational component owns the process related to each function, is a cross-functional team member, or is not involved in the process. (See chart below for an example of this map.)
Companies that never map out departmental process responsibilities are likely to run into problems. For example, one company received a bomb threat directed at its data center. Its physical security protocol required immediate evacuation of the center, regardless of the threat’s legitimacy, but the information systems department was not consulted before the evacuation began.
While the threat was investigated, the data center was forced to close down, thus interrupting the important data flow for the company. The company could have avoided this situation by previously identifying its business units’ interdependencies and establishing protocols for responding to such threats without affecting data flow, particularly before the severity of the threat is evaluated.
One external factor that needs to be carefully considered is remote access. As partners play more critical roles in the supply chain, they are often provided with remote access to the company’s network to help ensure that the process runs efficiently. In large corporations, this can represent several thousand additional access privileges to nonemployees to facilitate transactions, deal with interruptions, and meet contractual commitments to the corporation. Unfortunately, access privileges are not always removed after employees leave or preferred suppliers change and no longer require remote access to the network.
However, an audit of network access determined that a large number of former contractors’ passwords and logical access controls had not been disabled. The supply management, physical security, and IT functions did not have an integrated approach to notifying each other of dismissals or changes in contractors, resulting in an enormous security vulnerability.
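The audit described above can be run routinely rather than once. The following Python example is added here and is not code from the article or from the company it describes; it reconciles IT's remote-access account list against supply management's contractor roster and reports enabled accounts whose owner is unknown, whose contract has ended, or that have sat unused. All names, dates and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical): supply management's roster of
# contractor engagements and IT's list of remote-access accounts.
ROSTER = [
    {"person_id": "c-101", "vendor": "Acme Logistics", "end_date": date(2099, 1, 1)},
    {"person_id": "c-102", "vendor": "Acme Logistics", "end_date": date(2023, 6, 30)},
    {"person_id": "c-203", "vendor": "Beta Parts", "end_date": date(2023, 12, 31)},
    {"person_id": "c-304", "vendor": "Beta Parts", "end_date": date(2099, 1, 1)},
]
ACCOUNTS = [
    {"username": "acme.jdoe", "person_id": "c-101", "enabled": True, "last_login": date(2024, 3, 1)},
    {"username": "acme.rlee", "person_id": "c-102", "enabled": True, "last_login": date(2023, 7, 2)},
    {"username": "beta.msun", "person_id": "c-203", "enabled": False, "last_login": date(2023, 11, 20)},
    {"username": "beta.kwu", "person_id": "c-304", "enabled": True, "last_login": date(2023, 10, 1)},
    {"username": "vpn.temp7", "person_id": None, "enabled": True, "last_login": date(2022, 1, 15)},
]
AUDIT_DATE = date(2024, 3, 15)  # assumed date on which the audit runs


def orphaned_accounts(accounts, roster, today, stale_after_days=90):
    """Return (username, reason) pairs for enabled remote-access accounts that
    should be reviewed: owner not on the roster, contract ended, or the
    account has not been used within `stale_after_days` days."""
    known = {r["person_id"] for r in roster}
    active = {r["person_id"] for r in roster if r["end_date"] >= today}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to review
        pid = acct["person_id"]
        if pid is None or pid not in known:
            findings.append((acct["username"], "no owner on contractor roster"))
        elif pid not in active:
            findings.append((acct["username"], "contract ended"))
        elif today - acct["last_login"] > timedelta(days=stale_after_days):
            findings.append((acct["username"], f"unused for more than {stale_after_days} days"))
    return findings


def run_audit():
    """Run the reconciliation over the constructed sample data."""
    return orphaned_accounts(ACCOUNTS, ROSTER, AUDIT_DATE)


if __name__ == "__main__":
    for username, reason in run_audit():
        print(f"{username}: {reason}")
```

The same reconciliation works against exports from a VPN concentrator or directory and a vendor-management system, provided both sides share a stable person identifier, which is exactly the link the article says the three functions lacked.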
Education. Security programs are most effective when stakeholders are empowered to take an active role in risk mitigation and when they understand how important security is to the organization. After all, it makes little sense to invest in sophisticated access controls, passwords, or related technology if employees can be easily duped into allowing others to circumvent or have access to these controls. Thus, education and awareness programs are important elements of the long-term success of an enterprise security program.
Education is equally important for communicating to employees and senior management the value and benefits of ongoing enterprise security activities, including measurable return on investment (ROI). Thus, the organization’s employee awareness program becomes the essential final step of enterprise security implementation.
One company that the authors know of tracks traffic at its corporate security intranet site, which allows the company to recognize what materials employees are looking at on the intranet, and thus helps to identify the most effective means of relaying information on the site.
While a survey is not typically considered an educational tool, in this case it did increase awareness about the protection of proprietary information. It also provided the company valuable information about how best to ensure this awareness.
For example, a digital video surveillance system has an obvious security use—providing visual awareness of people and property for asset-protection purposes in retail environments—but it can also be used by sales or marketing departments to evaluate how passersby respond to visual displays. Similarly, a biometric hand reader that can provide secure access control to a manufacturing plant can also operate as a time and attendance device for payroll purposes. It might also serve as the access control device to the computer network.
The benefits of integrated security are considerable. A higher level of security for business processes and transactions across the organization minimizes exposure to risk, decreases security threats, and improves compliance with industry and government regulations. Converged security functions allow for faster, more responsive collaboration between the organization and remote business partners, suppliers, and customers, ensuring a higher level of business continuity. A single budget for security reduces friction among departments with regard to funding sources for purchasing shared resources. And a single point of contact for ensuring that the enterprise is secure reduces the possibility that a department or security component will be overlooked.