Security Strategy: From Requirements to Reality
not only streamlines the investigative process but provides a much broader understanding of the situation as a whole. It also provides a response that assures the evidence required to discipline or prosecute the individual or individuals involved is properly collected and preserved.
User Experience
One of the biggest wins for security convergence is the improvements it makes to the end-user experience. A positive user experience is critical to the health of a corporate security culture. Security convergence helps this effort because it provides a single view of security, a single point of contact, a common information portal, and a consolidated response. In addition, initiatives like One Badge simplify the end-user access experience, enhancing the image and value of security services.
Regulatory Compliance
Convergence improves compliance from two perspectives. The first is the need to comply with specific IT and physical security requirements; the second is to prove compliance with those requirements. Having both disciplines working together on compliance solutions results in more comprehensive and cost-effective solutions. Physical controls can be incorporated to compensate for software weakness; conversely, IT systems can be used to enhance or overcome physical security weaknesses. Proof of compliance is aided by the ability to combine information from physical and logical security sources. Suppose, for example, that someone was accused of unauthorized access to a patient’s record from a particular location. The combination of video surveillance information, security officer observations, facility access logs, and IT access logs makes it possible to positively refute or confirm the claim. In many organizations today, this kind of evidence gathering would take days; in a converged environment, it can be done in a few hours at the most.
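As an added illustration of the evidence correlation just described (example code, not from the book), the following Python checks a claimed patient-record access against a facility badge log and an IT audit log and returns a verdict. The log field layout, the 15-minute presence slack, and the verdict labels are assumptions, and all records are constructed sample data.

```python
"""Added example (not from the book): correlate a facility badge log with an
IT audit log to corroborate or refute a claimed patient-record access.
Records are constructed; field layout, slack and verdict labels are assumed."""
from datetime import datetime, timedelta

# Constructed facility access log: (timestamp, badge holder, zone, IN|OUT)
BADGE_LOG = [
    ("2010-08-18T09:02:10", "jdoe", "Bldg2-Ward3", "IN"),
    ("2010-08-18T09:41:55", "jdoe", "Bldg2-Ward3", "OUT"),
    ("2010-08-18T09:10:30", "asmith", "Bldg1-Lobby", "IN"),
]
# Constructed IT audit log: (timestamp, account, workstation, zone, record id)
IT_LOG = [
    ("2010-08-18T09:15:42", "jdoe", "WS-W3-07", "Bldg2-Ward3", "PT-4471"),
    ("2010-08-18T09:20:05", "asmith", "WS-W3-07", "Bldg2-Ward3", "PT-4471"),
]


def presence_intervals(badge_log, user, zone):
    """Pair each IN swipe with the next OUT swipe for user at zone.
    An IN with no later OUT is open-ended (end is None): still inside."""
    swipes = sorted((datetime.fromisoformat(t), ev)
                    for t, u, z, ev in badge_log if u == user and z == zone)
    intervals, start = [], None
    for t, ev in swipes:
        if ev == "IN" and start is None:
            start = t
        elif ev == "OUT" and start is not None:
            intervals.append((start, t))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def check_claim(user, record, zone, it_log=IT_LOG, badge_log=BADGE_LOG,
                slack=timedelta(minutes=15)):
    """Return (verdict, evidence) for the claim that user opened record from zone.
    corroborated: every IT access falls inside a badge presence interval (+/- slack)
    contradicted: at least one access has no matching physical presence
    inconclusive: the IT log shows no such access at all"""
    accesses = [(datetime.fromisoformat(t), host) for t, u, host, z, rec in it_log
                if u == user and rec == record and z == zone]
    if not accesses:
        return "inconclusive", []
    intervals = presence_intervals(badge_log, user, zone)
    evidence = []
    for when, host in accesses:
        present = any(s - slack <= when and (e is None or when <= e + slack)
                      for s, e in intervals)
        evidence.append((when.isoformat(), host, present))
    verdict = "corroborated" if all(p for _, _, p in evidence) else "contradicted"
    return verdict, evidence
```

In the sample data, jdoe's access is corroborated by a matching badge-in, while asmith's account opened the same record from a ward asmith never badged into, which is the kind of discrepancy that points at credential misuse rather than at the badge holder.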
Another key value is the ability to prove regulatory compliance. A number of regulatory restrictions (like the earlier HIPAA example) are in place regarding access to specific types of information (e.g., the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, International Traffic in Arms Regulations). Consolidated access and identity management greatly simplifies the compliance reporting process and in some instances may reduce the scope of some compliance audits.
Legal compliance is another win. Corporate security is accustomed to dealing with government and law enforcement entities, so they are better equipped to handle subpoenas, court orders, discovery requests, international investigations, and so on. In contrast, IT organizations are ill prepared to handle these types of queries, although they are most likely the ones to supply the required information. Convergence improves both the timeliness and quality of the response.
Improved Business Continuity Planning
When business continuity planning (BCP), physical security, and IT security are completely separate functions, trying to determine which assets are critical and require the best protection is an effort in futility. Each group provides a different answer, but in the converged model everyone has a view of the entire risk spectrum, so they can better position their assets in the overall recovery plan. In BCP and DRP (disaster recovery planning), security is the first logical function that has to be restored. No one can gain access to network or host resources without security services being operational. Physical security can provide important logistical and security support for these efforts; they become the “eyes and ears” of the organization as equipment, personnel, and/or media are moved to alternative computing facilities.
TAF-K11348-10-0301-C006.indd 96 8/18/10 9:28:12 PM
Gates, Geeks, and Guards (Security Convergence)
Other Improvements
Not all the benefits of security convergence are related to security. Several other business processes benefit from these convergence technologies, including operations and telecommunications. Video surveillance cameras can be used for teleconferencing; they can also be used to monitor production and shipping operations. For example, a shipping manager could monitor a critical shipment to make sure it got out on time or intervene if it didn’t look like it would. For some industries the ability to include video images into a transaction record is also valuable.
The benefits of converging physical and logical security are compelling, especially for larger organizations. In tough economic times, the cost savings alone are worth the effort; combined with the improvements to security and long-term gains in business productivity, it’s easy to understand why a majority of medium and large businesses have active security convergence projects of one type or another—projects that are not without their own challenges.
Convergence Challenges
The ability of smart card systems to address both physical and logical (information systems) security means that unprecedented levels of cooperation may be required…. Nearly all federal officials we interviewed noted that (changing) existing security practices and procedures within their agencies…to integrate them across the agency was a formidable challenge.
Joel C. Willemssen
Director, U.S. General Accounting Office
Although the benefits of converging are substantial, some industry pundits believe that converging these two similar but parallel universes is simply not practical. Some say the focus should be on collaborative processes, while others advocate organizational change. The authors are in the latter camp: There needs to be a single vision, a common strategy, and a single command structure.
Security convergence has a number of similarities to the numeric controls (NC) machinery integration. When numeric controls were first introduced into machine shops, there were two very distinct camps: On one side were the union machinists working hard to protect their jobs, and on the other side there were the “college boys”—the NC programmers, engineers, and computer-aided engineering (CAE) operators trying to replace those jobs with automation. Cooperation was the equivalent of committing treason. Amidst all the turf wars and politics, the business objectives somehow got overlooked. Eventually, NC technology became the standard and the business goals for increased productivity and efficiency were realized, but the transition would have been much smoother for everyone involved if the focus had been on the business. At the shop where Bill worked, some machinists found new roles in the integrated environment, others remained in their existing roles, and still others found opportunities elsewhere. Those who took the opportunity to acquire new skills were the ones who fared the best. The corporate security realm is undergoing the same type of transition: PC- and network-based technologies are going to become the standard. The question that arises is, “Can we do a better job on the transition?”
Focusing on the business and its objectives for convergence is the best way to deal with turf issues; the effort must include any new stakeholders too. Their objectives may not be security related, but they are still business related and so deserve consideration. Culture clash is another major challenge. Corporate security personnel have law enforcement backgrounds, whereas IT security personnel have technical backgrounds. The skill sets, mind-sets, processes, and even the terminology are very different for the two groups. While IT people love to experiment with new technologies, corporate security prefers to stick with what is proven and reliable, which makes sense when you think about it. If your facility access system fails, all movement within the facility ceases. Think about what that would mean in an airport.
Processes are also different; corporate security focuses on loss prevention and safety, IT on data loss. The IT people come to the table with threat models and risk analysis, whereas corporate security personnel come armed with hardware, site plans, and building blueprints. Although the new technologies are producing intersection points in these processes, a concerted training effort and a smart command structure are needed for successful integration. The integration will produce new roles requiring new skills. Not only is a common management structure needed, but that management needs to have the skills required to effectively handle both disciplines. One of the issues that will need to be dealt with is compensation. The pay disparity between corporate security positions and IT security is substantial. Melding and upgrading skill sets is going to require rethinking some compensation models, but career and compensation advancement can also be a major selling point for convergence. These are not the only challenges companies will face, but they are the most common ones. Companies would do well to include strategies for dealing with them when planning for security convergence.
Success Factors
A successful security convergence project consists of some pretty standard factors including executive sponsorship, buy-in from the management of the organizations being converged, thorough planning, good communications, and ongoing training. Executive sponsorship cuts down on the politics and turf war aspects of things and makes it much easier to get buy-in from the managers involved. Memos are nice, but getting a face-to-face meeting with the executive sponsor and the group manager is more effective. A successful convergence project is going to take a lot of planning; most managers who have gone through the process recommend small incremental steps starting with the “big wins.” That is, things that can be accomplished in relatively short time frames and demonstrate real business value should be tackled first—for example, establishing a common help desk function for both groups and creating a single portal for security information, request forms, and so forth. Planning must include defining personnel roles for the new organization and the skill sets expected. This exercise will help solidify the training curriculum and training plans. One of those roles will be the chief security executive, the person ultimately responsible for enterprise security in all its forms. Organizations that perform similar functions but have separate reporting structures create unnecessary business risk, and some of those risks are substantial. A few years ago Bill performed a security assessment for a large communications company that had a development division and a production operations group with a separate reporting structure. All the company’s applications were designed, developed, staged, tested, and secured by the development division. Once the application was approved for release, it was handed off to the operations group for production implementation. Critical to the success of this process and its applicable security functionality was keeping these two environments (staging and production) in sync with each other, which everyone assumed was absolutely the case—except that wasn’t the case: In the process of implementing new systems, the production group made all sorts of configuration changes, many of which affected security. When the final report was issued, the development group screamed “bloody murder,” but it mostly fell on deaf ears. The production group had a flawless uptime record, and they had no intention of risking it by implementing the development configurations. What’s interesting is that the two groups had a record of exemplary cooperation, but getting this issue resolved required the involvement of two senior managers, two vice presidents, two senior vice presidents, and the chief operating officer. Where security is involved, you simply can’t tolerate this level of stovepiped operations; too much is at risk.
Focusing on the business will bridge all those gaps [turf-wars] naturally.
John Fenske
CSO, Johnson Controls
An alignment of policies and procedures will also need to take place in order to establish a unified operations model. Organizations should consider establishing a security operations center (SOC) consisting of facility and data security professionals. This ensures a single response to an incident and the application of the best resources to process and resolve it. The other big benefit comes from the sharing of expertise between team members, which produces a better rounded and more effective staff.
There are a number of things to look out for during your convergence effort. First is the increase in security risks when physical security systems are attached to the business network. Cisco learned the lesson the hard way when a virus on the network took all their Windows-based video servers offline. The company had no video surveillance for a day and only partial coverage for another two days. Fortunately, the outage didn’t result in any major losses, but it did result in a project to ensure it didn’t happen again. Another issue is bandwidth utilization, which is actually a twofold issue. First there’s the risk of impacting business systems with video and access control traffic. Second is the risk of insufficient bandwidth to adequately manage responses in an emergency situation. Coordinating a response to a major incident can generate hundreds of pages, text, instant messages, and e-mail messages, as well as a very large amount of voice/radio traffic. Business networks are not typically designed to handle this type of spike in network traffic, nor are they designed to give this traffic preference over other activities. This brings us to the final lesson learned: the importance of involving IT network and systems engineering in the planning, design, and purchase decisions for facility security systems. Future planning is critical. Everyone involved needs to understand what the requirements, costs, and impacts are going to be, or risk losing some critical security functionality down the road.
Conclusion
The most successful security convergence efforts depend on good preparation, sponsorship, and planning. Training is key to bridging the cultural and procedural differences between the groups. The goal should be to cross-train staff to improve incident coverage, reduce operating overhead, and increase staff versatility. The new organization should make every effort to improve the end-user experience through unified leadership, operations, information, and support. The best approach is an incremental integration that focuses on “big wins” and projects such as One Badge that simplify user access. The long-term goal is to achieve a consistent view of enterprise security risk through the integration of logical and physical security into a single unified entity.
You have to understand that security isn’t just physical security or logical security, it includes the human element and all three elements must be addressed. This must be understood outside the security and IT departments in order for an organization to be effectively proactive about security, which is the only way success in security will be achieved.
Stan Gatewood
Chief Information Assurance Officer, University of Southern California
SIDEBAR: BOOZ ALLEN HAMILTON MODEL OF SECURITY TRANSFORMATION
A 2005 Alliance for Enterprise Security Risk Management report titled “Security Convergence: Current Corporate Practices and Future Trends” traces the convergence of security functions at multiple levels in Enterprise Risk Management in people, process, and strategy. Included in this driving shift are a change in thinking and operating from a functional, technical orientation toward an adaptive approach to risk management. In this model as well, there is a shift from
A stovepiped security functional view to an enterprise view
Behind-the-curtains governance to active governance board involvement
Techno-speak to a creation of common language with peers
Techno-speak to a common language executives can understand
Functionally defined roles and responsibilities to multiple competencies
Command-and-control leadership to empowering and enabling leadership
Functional knowledge to a broad business understanding
In other words, security, just like quality and productivity, is now everyone’s business. Companies that are moving in this direction are already taking steps to place security at the core of their business. Creating an enterprisewide corporate risk management council to help integrate security governance structure is one such example. Once you begin to take a long view of enterprisewide security and accountability for managing enterprise risks, your organization is well on its way to moving from risk being security’s problem to risk being a legitimate business concern.