By John J. Strauchs, CPP
A survey of large corporations conducted by Strauchs LLC and Security Management demonstrates convergence between security and IT is neither swift nor smooth. (Online Exclusive)
“Convergence” is the current buzzword in professional security journals. It is so topical that several security groups and Web sites were recently formed to focus on this phenomenon, such as the Open Security Exchange (OSE). With developments such as this, a question remains: How far along the winding path of full integration have we traveled? Are we walking against the wind, or with it?
Earlier this year, Security Management and I conducted a questionnaire survey of large corporations. The objectives were to gauge how much the technologies of the security industry and the information technology sector have converged and to examine relationships between the two.
Responses to the questionnaire were received from 100 companies. That may seem like a fairly small sampling for analytic purposes, but data from a hundred large corporations might still be statistically more relevant than a hundred random companies, large and small. The respondents have average annual revenues of $3.8 billion (median = $1 billion) and employ an average of 11,000 people (median = 3,500) of whom about 207 (median = 48.5) work in the IT department and 341 (median = 35) in security, including contract employees. The average security department budget is around $5.8 million (median = $2 million).
The averages are probably skewed by the very large corporations. That’s why the median figures noted above are important.
With respect to the survey population, it is important to point out that any inferences about the state of technological convergence are likely to be valid only with respect to large corporations. Any conclusions drawn from the data may, or may not, accurately reflect IT and security convergence among all companies, particularly smaller ones.
According to Forrester Research, U.S. spending on merging physical and logical access control, across both the public and private sectors, went from $691 million in 2005 to $7 billion in 2008. Estimates of total spending on IT and security convergence couldn’t be found and perhaps don’t exist, but it does appear self-evident that the amount of convergence is significant.
The survey of large corporations revealed the following degree of melding of IT and security computerized systems.
♦ 37% have linked networks (in addition to CCTV) but are not fully integrated
♦ 33% are entirely independent of one another
♦ 20% share the IT network for CCTV but are otherwise separate systems
♦ 11% are totally or almost totally integrated
Security industry observers will probably find it surprising that 11 percent of large corporations may have integrated IT and security systems entirely or almost entirely. Moreover, that only about a third of these companies have systems that are not interconnected is equally remarkable considering that the security profession’s mantra for decades had been for security to always be a standalone system.
Another consideration in understanding integration is whether operating systems are compatible. IT departments reported their primary operating systems as the following:
♦ 96% Windows
♦ 04% Unix
♦ 00% Linux
Security departments, however, indicated:
♦ 93% Windows-based
♦ 02% Linux
♦ 01% Unix
♦ 04% Other (didn’t know)
We can’t infer too much from this information, but it may imply that since none of the reporting IT departments use Linux, whereas 2 percent of the security departments do, there could be potential compatibility issues. Any intelligent system can be made to communicate with any other intelligent system, but initial compatibility often determines whether integration is effort-less or complicated.
More significant perhaps, 70 percent of the security departments stated that their security systems management software was proprietary or somewhat proprietary. The remaining 30 percent indicated that their software was based on open protocols and open architecture. Critics of proprietary software assert that such products represent a marketing tactic to make it difficult for customers to switch to a competitor’s product, that they are locked to the manufacturer for life. On the other hand, others point out that such claims are exaggerated and that proprietary products perform as well as nonproprietary software products. Plainly, open protocol software is still in the minority.
In companies where integration is occurring, which departments does security share databases with? The survey reported the following:
♦ 40% IT
♦ 32% HR
♦ 24% No database sharing
♦ 04% Other
While 33 percent of the security departments stated that they are totally independent, only 24 percent reported that there is no database sharing, perhaps suggesting that some standalone departments are nevertheless sharing databases. Of related interest, the questionnaire asked whether IT departments had a security system that was independent of the security department’s system. About 24 percent of the respondents reported that their IT department had their own standalone security system, and of those, about 50 percent were not compatible with the security department’s system.
That lack of coordination likely creates security gaps or vulnerabilities. It may be expected that the convergence of IT and security would be driven, at least partially, by the renewed trend over the last decade toward building automation systems. Building automation systems (BAS) now control heating, ventilation, lighting, electric power, parking, telephony, elevators, and even multi-function office equipment, such as copy machines. We asked if facility security systems were integrated into a building automation system.
♦ 29% Yes
♦ 64% No
♦ 07% Not applicable or question not understood
As more companies report some level of integration than report being connected through their BAS, one can surmise that convergence is also occurring at large corporations that have not integrated security systems into their BAS.
This brings up the subject of smartcard technology and the important role it has played in convergence. In August 2004, President Bush issued Homeland Security Presidential Directive (HSPD) 12 to create a secure and standardized method of identification for federal employees and contractors. HSPD-12 resulted in the Federal Information Processing Standard (FIPS) 201. HSPD-12 was a great impetus toward the standardization of access control for governmental office buildings on smartcard technology. This quickly spilled over onto the private sector. Smartcard technology was an important factor in the movement toward technology convergence, albeit mostly driven by the IT industry.
The survey found that 49 percent of the companies surveyed were using smartcards—a surprisingly high figure. Of those with smartcard technology, 64 percent were using it for facility access control, 4 percent for IT access control, and 21 percent for both. Further, it was reported that 56 percent of the smartcard systems were being managed by the security department, 22 percent by the IT department, and in 22 percent of the cases management was shared by both departments.
Another key facet of this investigation was to try to understand relationships between security and IT. Are we dealing with J. Edgar Hoover and Bill Gates trying to share a cubicle? The survey posed a straightforward question. The relationship between the departments is best described as which of the following? The responses were:
♦ 16% Highly effective
♦ 72% Cooperative
♦ 02% Competitive
♦ 10% Difficult
About 12 percent of the large corporations reported that relationships were either competitive or difficult.
The question of interdepartmental relations was approached from another angle to see if the results would be different. The questionnaire asked how often the department heads met. The following results suggest how much the two groups fear integration.
♦ 37% Rarely
♦ 33% Frequently
♦ 21% Often
♦ 08% Never
It is difficult to reconcile the fact that 45 percent never or rarely meet with the survey response that 72 percent of the departments claim to have a “cooperative” relationship. How cooperative can it really be if they only meet rarely, if at all? The survey probed the relationship issue one more way: “Are there, or have there recently been, conflicts resulting from requests by the security department for access to IT LANS/WANS or requests for more bandwidth than the IT department has been willing or able to provide?” Almost third of the respondents reported problems.
♦ 31% Yes
♦ 60% No
♦ 09% Not applicable
Status and Turf Issues
Another measure of cooperation can be gleaned from examining those elements that can potentially foment enmity, namely inequities in pay and authority. Any student of organizational dynamics or social psychology will recognize these classic “hot button” issues.
While the survey did not gather information about average salaries for both departments, Thomas Hoffman, a reporter for Computerworld, has reported that IT department heads earn about twice as much as security managers. The implications of this disparity are palpable. The questionnaire did, however, address the second element, status. The gap in status between IT and security is more than 300 percent.
♦ 53% of the respondents reported that IT has a higher rank or status in their com-pany,
♦ 31% stated that the department heads are equal in rank
♦ 16% said that security has a higher rank or status.
In corporations, status is often determined by who someone reports to. The higher up in the hierarchy that the reporting occurs, the higher the status of the subordinate. The results for IT department heads are the following. They report to:
♦ 27% CEO
♦ 26% CFO
♦ 18% COO
♦ 11% Vice President
♦ 04% HR
♦ 04% General Manager
♦ 02% President
♦ 08% Other (legal, facilities, CTO, CIO)
Security department heads report as follows.
♦ 18% CEO
♦ 12% COO
♦ 12% Legal
♦ 12% Facilities/Engineering
♦ 10% CFO
♦ 09% HR
♦ 06% Vice President
♦ 21% Other
In large corporations, about 73 percent of IT department heads report to top level management, whereas only 40 percent of security department heads do. A lot can also be learned by the titles that are bestowed on company leaders. The heads of IT departments have the following titles.
♦ 31% Manager
♦ 26% Director
♦ 12% CISO
♦ 12% CIO
♦ 08% CTO
♦ 08% Vice President
♦ 04% CSO
Security heads, on the other hand, have these titles.
♦ 57% Director
♦ 20% Manager
♦ 11% CSO
♦ 08% Vice president
♦ 01% Assistant vice president
♦ 02% Other
What can we interpret from this data? The inferences are debatable depending on one’s understanding of the intrinsic status implications of a title. Not everyone would agree that the title “manager” is generally perceived to have lesser rank than “director” or that the prefix “chief” connotes a top level leadership position. For the sake of the argument that these statements are true, 36 percent of IT heads have top management titles, but only 11 percent of security heads do—a difference of over 300 percent. This, of course, also bolsters the commentary about disparity in salaries.
Some of the leading security systems and software were created ten to fifteen years ago at a time when the Internet was in its early ascendancy and few used the term “hacker.” Security software wasn’t designed with firewalls or any other countermeasure because they weren’t needed.
Security departments were asked if they believed that the following statement were true or mostly true. The results are eye-opening.
♦ 49% indicated that their systems are periodically examined by the IT department in search of vulnerabilities. That is a low percentage for today’s cyberthreat environment.
♦ 43% reported that their systems were developed by the vendor to be protected against IT attacks. The converse is startling. About 57% were not designed with cyberattack countermeasures.
♦ 43% stated that they use equipment that monitors if ports are being attacked or scanned. The majority do not.
The survey also queried whether security department systems would be vulnerable if the company IT network was infected with a virus.
♦ 40% said that they would be vulnerable.
♦ 40% thought they would not be vulnerable.
♦ 19% indicated they didn’t know.
Restated, 59 percent of the responding companies thought they would be either vulnerable if their network was penetrated, or they didn’t know. When asked if the security department had been infected with a virus in the past, 10 percent said yes.
Insights can be gained sometimes by analyzing the professional lexicon of IT and security practitioners. If a term is recognized and is common to a company, it may reflect current practices. A very savvy responder, nevertheless, might be familiar with a term regardless of whether it’s used internally. The percentages of respondents claiming to recognize the following acronyms and jargon as being pertinent to their operations are noted below.
75% ISO: This term stands for International Organization for Standardization. It is not an acronym. Rather, it is based on the Greek word, iso, meaning equal. This response suggests that a fairly high percentage of the surveyed companies comply with ISO standards. ISO covers a panoply of standards, including many for the IT/computer industries.
46% Six Sigma: Six Sigma is a coined name for a quality control process developed by Motorola in 1986 that emphasized discovering and reducing defects through a formal and highly structured process. It has since evolved into various forms that can be applied to almost anything. The IT community has adopted its concepts. Almost one-half of the respondents appear to be using a Six Sigma process, or at least they know what it means.
32% SCADA: This is the acronym for “supervisory control and data acquisition” and is associated with networked and automated systems that are capable of real-time monitoring and control. A third of reporting companies are familiar with the term.
26% PKI: PKI is the abbreviation for “public key infrastructure.” It is a type of encryption protocol to protect data transmitted over the Internet. Awareness of the term suggests familiarity with protection against cybercrimes. Only a quarter of the respondents knew this term.
25% ASP: ASP stands for “application service provider.” These are companies that provide security services over the Internet whereby their servers host application software that is used by a client on a subscription basis. Some also provide monitoring services.
16% HSPD-12: As discussed earlier, HSPD-12 is a presidential directive intended to secure and standardize methods of identification for federal employees and contractors. It is closely associated with smartcard technology. About 49% of the surveyed companies reported they were using smartcards, but, oddly, only 16% recognized the term.
12% PACS: Another abbreviation, this stands for “programmable automation controllers” and is a technical variant of “programmable logic controller.” It is less frequently used for security systems except in those instances, as one example, when a very large number of doors have to be controlled.
The following terms and acronyms relate to building automation systems and infrastructure. It is curious that 29 percent of the survey respondents reported that their security systems were part of a building automation system, but only 2 to 5 percent were familiar with the nomenclature associated with that technology. A term that should have been included in the questionnaire (but unfortunately wasn’t), LonWorks, might have been more recognizable because it is a very familiar technology (intelligent multiplexing) that is occasionally used for security systems to reduce the construction costs of conduit and wiring.
♦ 05% PHYSBITS, or Physical Security Bridge to IT Security, is an international standard and data model that is supported by the Open Security Exchange (OSE) and the Global Information Assurance Certification (GIAC) program. It is at the heart of physical and IT security convergence.
♦ 05% BACnet, Building Automation and Control Network, is a well-known and long-standing data communications protocol for building automation. It is an ISO standard.
♦ 02% oBIX, or Open Building Information Exchange, is another international standard related to convergence.
The last term is a nonsense word that was included as a test to see if any responders were spoofing the questionnaire. No one checked that box.
♦ 00% Klaatu, or a made-up alien word used in the 1951 science fiction classic, The Day the Earth Stood Still.
The final part of the questionnaire asked about cross-training. About 23 percent of the companies reported that formal training in physical security was available for IT employees and 34 percent stated that formal training in computer technology was available for security employees. It is not known if the training was available “in-house” or through local community colleges.
What is to be done
Many of the survey results forecast gloom for the security industry, but there is time to change the outcome. Security professionals must press for greater involvement in convergence and standards. More colleges need to offer security management degrees and, more importantly, understand that criminal justice and public safety are not synonymous with security management. Colleges should offer doctorate programs.
In this same regard, all security professionals need to educate themselves about computer technology. Professional security associations need to listen less to lawyers and shift from passively supporting nonutilitarian guidelines to actively participating in the standards writing process. American security professionals also have to accept the reality that the European Union is going to play a role in the development of security standards for convergence.
All of these things can happen if we want. Like it or not, the world as we know it is going to change. By 2020, many of the things we take for granted will be extinct, such as print newspapers, iPods, most desk-top computers, supermarket check-out lines, car keys, and a legion of other obsolete technologies. The security industry must do whatever it takes to ensure that its profession doesn’t become aged and unfit. The comet is approaching, but there’s time to deflect it.
John J. Strauchs, CPP, is the senior principal of Strauchs LLC, a security consulting and design firm located in Virginia. Praise and censure welcomed at “John’s Blog”: www.strauchs-llc.com .
© Strauchs LLC