Three industry giants share their thoughts and advice on the convergence of traditional physical/operational security with IT security.
Everyone agrees—at least in theory—on the goal: IT security and physical/operational security should work together toward the collective objective of reducing risk to the organization. Agreeing on where you want to end up, however, doesn’t always make it easier to get there, as security professionals traveling the rocky road to convergence can attest.
To appreciate the progress made, it helps to put where we are today in perspective. The state of convergence of physical and information security “might be likened to the early days of flight,” wrote ASIS International Treasurer Raymond T. O’Hara, CPP, and Adel Melek, partner and global leader for Deloitte & Touche, LLP, Canada’s Security and Privacy Services, in the 2007 Alliance for Enterprise Security Risk Management (AESRM) and Deloitte white paper, The Convergence of Physical and Information Security in the Context of Enterprise Risk Management.
Today, some companies have progressed past “ambitious attempts at convergence by daredevil visionaries,” as Melek and O’Hara called them, into an enterprise risk management (ERM) strategy that is not the forced result of economic contraction but the outgrowth of expanded education and the recognition of mutual benefit.
Three of convergence’s early visionaries currently sit on the ASIS Board: Timothy L. Williams, CPP, who is director of global security for Caterpillar of Peoria, Illinois; O’Hara, who is senior vice president, consulting and investigations, for Andrews International of Palm Desert, California; and Dave N. Tyson, CPP, senior director of information security operations for eBay, Inc., of San Jose, California. Williams is currently chairman of the board.
Security Management asked each of these men for their thoughts on the evolution of convergence and for their advice to practitioners on both sides of the divide.
Williams, who helped to popularize the term convergence as it applies to combining IT and operational security, has been advocating the process for years.
“What we see in corporations…is that there are many different company verticals that don’t talk to each other,” he says. This might occur because each unit reports to a different division head. It also might occur because of internal replications, such as having different groups in charge of IT security, operational security, facilities security, regulatory compliance, investigations, business continuity, and hazard or insurable risk management.
Whatever the reason, the lack of communication among these various units can lead to a lack of security cohesion, which means that risks go unaddressed. “These internal risks can become profound in a company that isn’t keeping an eye on them,” Williams states.
For example, at one corporation, operational security investigated an attack on a company server that had delayed the annual audit, but that group did not discuss its findings with IT. “They didn’t exchange information properly, and the result was a continuing risk exposure. If there had been better coordination and communication, the weaknesses could have been resolved faster and more effectively,” he says.
One approach Williams has seen succeed is placing both traditional and IT security under a single leader, who can be drawn from either group. Another keeps the security functions as independent lines of responsibility, with both reporting to a single executive manager outside either group. In that model, budgetary separation is preserved, but the executive manager combines input from both groups and presents it to executive management.
Corporations can achieve the desired results through a variety of structures. While with Nortel, Williams recalls, “I observed great collaboration between the chief security officer (CSO), who reported to the general counsel, but who also had a dotted-line responsibility to the chief information officer (CIO) for Internet security and follow-ups on investigations. In that case, security didn’t run network security, per se, but it did set the policy and responded to the issues when they occurred.”
Another way is to keep the various functions independent while providing a mechanism by which they can create a unified vision and work toward common goals. To this end, Williams says that some companies are setting up internal security councils. Caterpillar, his current employer, has created such a group, which includes “all the groups that have enterprise security risk pieces.”
At press time, the new council had not yet begun to meet, but of the work ahead, says Williams, “We’re going to…make sure we understand where processes overlap between us to make sure there is no ambiguity.”
The security council is a subcommittee of the enterprise compliance council. “This gives us some leverage to raise issues when we need to with the compliance council, which reports to the executive management and audit committee of the board of directors.”
Williams says that everyone involved in the council understands that the benefits are likely to go beyond reducing risk. Fusing business processes can simplify and strengthen them while also making them more efficient and less costly. As a generic example of the latter, Williams mentions running CCTV systems and access controls over a company's network. If everyone from IT and physical security is involved up front, the process is streamlined, problems are minimized, and costly mistakes are avoided.
“This has to be plotted out with the right people around the table, because doing this will use a lot of bandwidth and may create unforeseen problems if it’s not worked out with those who know the network best,” he states.
One possible benefit of the current economic downturn is that it may lead to an upturn in convergence, given the potential for cost savings. Savvy security professionals will embrace this trend and work to facilitate the transition.
“Unfortunately, the economy has contracted way beyond our imaginings as of late, and I think we’ll see more and more forced convergences,” says Williams. “[T]hose individuals who can think more on an enterprise level than a functional level and who can see how to prevent risk on an enterprise level will be the leaders after this [economic downturn]. Those who try to hunker down and get by, and to retain what they can of the processes, and not collaborate—I don’t think they’re going to fare very well.”
Across the Enterprise
Tyson literally wrote the book on convergence—or at least a book on convergence: the 2007 volume Security Convergence: Managing Enterprise Security Risk.
“Physical and IT security groups grew up as silos with nothing to do with each other,” says Tyson. In the last twenty-odd years, however, business assets have drifted from being largely stored in a warehouse, or displayed in a store, to much of the value being stored online or on computers. This evolution has changed the business requirements for security.
In the early days of data asset expansion, traditional security practitioners were more than happy to leave the job of digital data protection to the IT staff. Traditional security professionals “were very good at protecting assets and people and at investigating fraud, but [IT security] was completely foreign to them,” notes Tyson.
In reality, both groups were doing many of the same functions. Determining who needed access to information was the same as determining who needed access to a building, he says. In the last decade, many companies began to notice the cost of these duplicate security infrastructures.
“It’s expensive to have two groups that are both managing what is basically access control,” says Tyson, “and if both physical and IT security go to the chief financial officer (CFO) asking for $1 million—one for a new camera system and the other for a firewall—how does the CFO choose which request will provide the greatest benefit to the organization?”
Someone has to have the big picture. But in many cases, “silo mentalities prevented anyone from having an idea of the total risk to the organization,” he says.
“I was head of information technology security at the City of Vancouver, British Columbia, Canada, when it was awarded the Winter Olympics for 2010,” says Tyson. “It was known that budgets were going to be tight and resources were going to be scarce, and the only way that I could see it would work was to merge the two groups and manage them as one,” Tyson recalls.
“I made a case to the executive management team to bring the teams together, saying, ‘I’ll tell you what I’m going to do, I’m going to use less money and need 50 percent less of your time, and I’m going to give you real risk mitigation if you let me do this.’ They were very supportive of that kind of a concept.”
At the time, the two groups had different reporting structures and budgets, and there were many task duplications. Tyson developed a plan that created substantial cost and time savings by combining the risk assessments and audits that had been performed separately for physical and IT threats.
Additionally, by combining the reporting functions of the physical security manager and the IT security manager, who both then reported to the director of business support operations, time could be saved and value increased. Most important, the process yielded the added insights of a holistic security viewpoint.
As a result of his pitch being accepted, Tyson was able to develop an enterprise security team that could supply policies and guidelines to operational teams. Almost immediately, the benefits began rolling in, among them a more than 50 percent reduction in desktop policy violations, the use of the existing storage area network architecture to store security-related digital video feeds, and the use of the existing fiber-based local area network (LAN), segmented with virtual LAN (VLAN) technology, to transmit feeds from 700 citywide CCTV cameras with almost no overhead cost.
“In Vancouver, we were also able, through a small amount of training, to make laptop theft virtually disappear just by getting the physical security staff to be aware of the information-theft risks,” he says. “The physical security staff spread the message about laptop security, because they were out there interacting all day.”
There were many detractors to convergence, says Tyson, “because it was scary to both sides.” The main concern was “Who was going to end up in charge?”
That issue remains one of the key stumbling blocks at companies that have not yet converged. “No one sees it for what it is: a way to mitigate risk by working together. And there are many different kinds of models that don’t include one group eating up the other one,” Tyson adds.
Among the lessons Tyson learned while heading the convergence effort at the City of Vancouver was that the two groups might not really understand each other's culture, functions, goals, or capabilities. Both groups tend to use jargon that isolates them from outsiders. A careful explanation of how the two units can fit together, spoken in a common language, can greatly ease tensions and fears.
“I really think it’s a general fear of the unknown,” Tyson says. “If you don’t know anything about computers, it’s natural that you would be nervous about getting into a situation where you don’t understand the underlying technology and are left at a disadvantage.”
The answer is to learn about the issues on the other side of the security fence, at least so that you can comfortably discuss them with the real experts.
Companies are increasingly seeing the advantages of convergence, notes Tyson. During the last three years, as big companies have seen the real benefits of convergence through benchmarking done by AESRM and ASIS, among others, “we’ve seen a massive growth and adoption rate,” he says.
Total convergence doesn't work in every case, however. "So people like me have started advocating that companies take as much of convergence as works for them," says Tyson.
It’s also clearly not just about bringing together the two groups dealing with physical and logical security. About a year ago, Tyson notes, “we started to see an expanding understanding that convergence itself is really just a piece of the overall pie of enterprise security risk management. Companies have to manage all of these risks across the enterprise—not just the physical and IT elements. So that’s where it’s headed today…. It’s the endgame, for sure.”
Tyson notes that there are also social trends affecting the convergence process. "Our security staff are aging. Many are Baby Boomers, and as these people retire, the next group, the Gen-Xers and Gen-Ys, are historically much more technologically savvy," he says.
As a result, Tyson goes on to explain, "I've seen a number of younger professionals, and some whom I've personally mentored, who have taken the time to educate themselves in both areas, as I did. They are five years from being equally qualified in both sides of the divide."
“I started in physical security in the early 1980s and I went through all of the different disciplines—executive protection, alarm systems, investigations—but I made the switch in 1999 to IT security.”
Tyson says he is aware of the increasing demand for IT security education, not only from security professionals but also from technology vendors and installers. “We see the installers saying, ‘We need to know more. How do these technologies we install affect a network’s security? What should we be telling our customers about how to protect it?’ We’re going to see a real growth in education processes.”
Network with IT
“If you think about the electronic age we live in, 90 percent of the corporation’s assets are sitting there on the Internet someplace,” says O’Hara, whose firm has assisted others in the throes of convergence. One trend that O’Hara—like Tyson—has noticed is an increasing number of traditional security practitioners educating themselves in IT security.
“The younger generation of security managers is striving to understand IT security,” he says. These professionals are “looking for education, looking for benchmarking.”
Many are exploring certification options, including the Certified Information Systems Security Professional (CISSP) designation from (ISC)2, which is accredited by the American National Standards Institute (ANSI) under the ISO/IEC 17024 personnel-certification standard, among others.
O’Hara also notes that memoranda of understanding (MOUs) are now complete between ASIS and three of the leading IT security associations—the Information Systems Security Association, the Open Security Exchange, and the Internet Security Alliance. O’Hara states that the MOUs have “been on the worktable for about five years.”
According to O’Hara, there will be an emphasis on providing increased joint educational opportunities for the members of all four associations. “We will have an MOU to cooperate and cross-educate. Perhaps some programs or sessions at the ASIS Annual Seminar and Exhibits will be led by these other groups that will allow our members to take advantage of their expertise on the IT side, at the same time allowing their members the advantage of attending our educational sessions,” he states.
O’Hara’s advice: “Reach out to your peers. Get invited to IT security meetings and try to participate as much as you can. Try to find out as much as you can from your cohorts on the other side. Understand that you both have risks, learn more about what their risks are, and share your risks with them. Look for some common ground, and through this, provide a better protection environment for the organization.”
Ann Longmore-Etheridge is an associate editor of Security Management.