IT & Security Convergence Means That Departments Need to Cooperate
By Karen Kroll - August 2006 - Facilities Management
The word “convergence” may sound like nothing more than the latest security-industry buzzword. However, when it comes to protecting an organization’s assets, it is a concept facility executives would do well to become familiar with. That’s because effectively securing an organization today requires protecting both physical and information-based assets.
That’s what convergence is all about: the realization that traditional and IT security are interdependent, and that steps to address risks should address both areas — indeed, should cover the entire enterprise.
“I see convergence happening just about every place,” says Dave Cullinane, CPP, international president of Information Systems Security Association (ISSA). “It’s like a wave crashing over the ship’s bow.”
As security technology and processes come together, people in an organization inevitably are affected, as well. That can generate rifts between the employees who traditionally have been responsible for protecting a company’s physical assets and those who are in charge of protecting its information assets. “It can become a turf war,” says Sean A. Ahrens, CPP, senior security consultant with Schirmer Engineering. Either side may feel that the other is encroaching on its territory.
Information security typically rests within the IT department, while physical or traditional security is often a function of the facilities or real estate departments. However, as physical and information technology security policies, technology and people converge, many facilities executives should learn the range of risks their organization faces. They also should become adept at working with employees in other areas of their organization to find the best solutions to mitigate those risks.
A report, The Convergence of Enterprise Security Organizations, was commissioned by the Alliance for Enterprise Security Risk Management (AESRM) — a partnership of ASIS International, Information Systems Audit and Control Association (ISACA) and ISSA formed to address issues surrounding the convergence of traditional and logical security—and was prepared by the consulting firm of Booz Allen Hamilton. The report identifies five factors driving security convergence:
- The rapid expansion of the “enterprise ecosystem.” Many companies work closely with suppliers, outsourcing firms, and even customers, many of whom are located across the globe. For these partnerships to work, companies need to share information. As they do, security professionals need to determine how best to ensure that other outsiders don’t gain access to the data.
- A migration from physical assets to information and intangible assets. “It’s patently obvious that information is an asset to protect,” says Cullinane. The success of many companies is directly tied to such information as trade secrets and customer lists. Keeping this information protected is critical.
- New technologies that blur functional boundaries. Today, security isn’t either physical or information-based; it’s a combination of both. “If a laptop containing customer information is stolen, the company is faced with a theft of both physical and information assets,” says Cullinane. To help prevent this, companies should implement controls that will reduce the risk that someone can walk off with a laptop. Organizations should also outline policies governing the type of information that can be placed on a laptop and the way in which it should be safeguarded. “You can’t protect information without physical controls,” Cullinane says.
Security systems themselves also have become more technology-based, says Michael Cleveland, associate with RTKL Associates Inc. “The idea of having a video camera tied to a tape deck and a simple intrusion alarm is outdated.”
- New compliance and regulatory requirements. A series of regulations implemented in the past few years requires companies to guard the information they generate. In the health care field, for instance, HIPAA, or the Health Insurance Portability and Accountability Act of 1996, requires companies to guard patient records. This usually requires a combination of traditional and information security tools.
- Ongoing cost pressures. “The efficiencies that can result when physical and IT security share resources and work together are significant,” says Cullinane. For instance, a company that already has a physical security investigations unit can train its members to conduct cyber-investigations. The men and women in such a unit should know how to obtain search warrants and work within the legal system to investigate crimes like fraud and robberies. That same unit could help prevent crimes from being committed via the company’s information infrastructure.
Similarly, allocating information networks to multiple uses, such as physical and logical access control, is more cost-efficient than dedicating separate networks to each use. “Every time you have a security system with dedicated wiring, there are some additional costs,” says Lauris Freidenfelds, a vice president with SAKO.
What’s more, having a common system that allows access to both the facility and the computers often makes for a more integrated approach to security. If an employee is let go, that employee’s ability to access both the building and the computers can be terminated with a single action. If the functions reside within separate applications, the chance is greater that a departing employee is removed from one database but not the other.
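The risk just described is easy to check for even where the two systems remain separate: export the active records from the badge system and the IT directory and compare both against the HR roster. The script below is an added example, not code from the article or from any vendor it names; the three data sets are constructed sample records, and the field names (`badge_active`, `enabled`) and the systems they stand for are assumptions for illustration.

```python
"""
Added example (not from the article): a deprovisioning reconciliation check.

The article notes that when building access and computer access live in
separate systems, a departing employee is more likely to be removed from
one and left in the other. This script compares an HR roster against a
physical badge export and an IT directory export and reports any access
that should have been revoked. All records below are constructed samples;
the export field names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    employee_id: str
    system: str   # "badge" or "directory"
    reason: str


# Constructed HR roster: employee id -> (name, status, termination date or None)
HR_ROSTER = {
    "E1001": ("Ana Ortiz", "active", None),
    "E1002": ("Ben Liu", "terminated", date(2006, 7, 14)),
    "E1003": ("Cara Nwosu", "terminated", date(2006, 8, 1)),
    "E1004": ("Dev Patel", "active", None),
}

# Constructed export from the physical access control (badge) system
BADGE_EXPORT = [
    {"employee_id": "E1001", "badge_active": True},
    {"employee_id": "E1002", "badge_active": False},  # correctly revoked
    {"employee_id": "E1003", "badge_active": True},   # missed deprovisioning
    {"employee_id": "E1004", "badge_active": True},
    {"employee_id": "E1099", "badge_active": True},   # no HR record at all
]

# Constructed export from the IT directory (account enabled flag assumed)
DIRECTORY_EXPORT = [
    {"employee_id": "E1001", "enabled": True},
    {"employee_id": "E1002", "enabled": True},   # missed deprovisioning
    {"employee_id": "E1003", "enabled": False},  # correctly disabled
    {"employee_id": "E1004", "enabled": True},
]


def reconcile(hr_roster, badge_export, directory_export, today=None):
    """Return a Finding for every active badge or account that HR says
    should not exist: terminated employees and ids with no HR record."""
    today = today or date.today()
    findings = []
    sources = (
        ("badge", badge_export, "badge_active"),
        ("directory", directory_export, "enabled"),
    )
    for system, export, active_flag in sources:
        for rec in export:
            eid = rec["employee_id"]
            if not rec[active_flag]:
                continue  # already revoked in this system
            if eid not in hr_roster:
                findings.append(Finding(eid, system, "active access with no HR record"))
                continue
            name, status, term_date = hr_roster[eid]
            if status == "terminated":
                days = (today - term_date).days
                findings.append(Finding(
                    eid, system,
                    f"{name} terminated {term_date}, access still active after {days} days",
                ))
    return findings


def employees_with_partial_revocation(findings):
    """Employee ids that still have access in at least one system,
    the case the article warns about with separate applications."""
    return sorted({f.employee_id for f in findings})


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, BADGE_EXPORT, DIRECTORY_EXPORT, today=date(2006, 8, 10)):
        print(f"[{f.system}] {f.employee_id}: {f.reason}")
```

Run against the sample data as of 2006-08-10, the check reports three problems: one terminated employee whose badge was never disabled, one whose directory account is still enabled, and a badge with no matching HR record. Feeding the HR termination feed into both systems from one workflow, as the article suggests, is what makes this list stay empty.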
Although it’s easy to see why there has been a convergence of physical and IT security, the shift rarely occurs without some turmoil. For example, employees in charge of protecting information technology may want to add physical security to their list of responsibilities. They reason that they already guard the company’s information assets, so it only makes sense for them to protect the company’s physical assets, as well.
Those in charge of physical security may rightly question just how much an IT employee knows about minimizing the risk of workplace violence, developing relationships with local law enforcement officials or getting employees safely out of the building during an emergency.
People in one department may feel that they are being left out of key decisions. For instance, the IT administrator may get frustrated when a colleague in physical security orders computer servers to support a new closed-circuit television (CCTV) system without consulting IT, which then must break the bad news that the new servers won’t work on the corporate network.
The rift can be exacerbated by the relative political standings of the two groups within the company. IT departments in many organizations have more experience asking for and often receiving funding for new investments than do their colleagues in the physical security arena. The IT department also may claim, with some justification, that protecting information has become more important in many organizations than protecting a specific piece of property, says Ray O’Hara, CPP, a senior vice president with Vance.
In addition, some physical security employees are not well-versed in information technology, and may hesitate to ask questions, Freidenfelds says. As a result, “you get missteps and people distrusting each other.”
Working through the politics that can arise from convergence can be done in any number of ways, says Cleveland. “There doesn’t seem to be a set way to deal with it; it’s case by case.”
A handful of larger organizations have created a CSO, or chief security officer, position. “Ideally, we would see the functions of physical security, investigations and IT security complement each other and roll into the function of the chief security officer,” says Ahrens.
The CSO should be independent of the various security groups. That means the CSO should be able to listen dispassionately to arguments for funding and projects from each area, and then make decisions that offer the greatest benefit to the overall organization. “Successful programs have an enlightened manager at the apex where the physical security and IT silos meet,” Freidenfelds says. “They promulgate the requirement that both sides must get along, work together and use a team approach to security.”
The CSO doesn’t need to be an expert in either technology or in physical security, but should know enough about the various functions that he or she can competently evaluate what both groups are saying and get them to work together. “The person has to be positioned in such a way as to make the hands shake,” says Freidenfelds.
Smaller- and mid-sized companies often won’t have the resources to staff a new, executive-level position. Communication between the various security areas becomes key. “The issue is to ensure that the various functions look at the overall risk to the enterprise, and the inter-dependent risks,” says Tim Williams, CPP, vice president, corporate and systems security, Nortel.
To facilitate discussion, the company can form an enterprise risk council including employees from each area of security. The council provides a forum in which everyone can offer thoughts on security projects, investments and policies, says O’Hara. “There are a lot of people who have responsibility for the company’s assets,” he says. “These people have to talk together.”
Some security departments bring in their own IT support staff; that’s often the case when the corporate IT staff lacks experience with security devices, Cleveland says. If the security staff is responsible for the equipment and its performance, dedicated IT support may be warranted.
In some cases, bringing in a consultant can help break down walls between groups of employees. Often, it’s easier for an outsider, rather than someone from within an organization, to get the individuals from various security groups to come together and discuss their differences.
The idea is to have a unified security strategy, Williams says. Everyone needs to know the risks the organization is exposed to and then understand their role in helping to develop the tactics and tools the company will use to minimize exposure.
Getting there may require an organization chart that strays a bit from the tried-and-true. Williams, for instance, reports to the senior vice president of compliance, with a dotted-line reporting relationship to the chief information officer. At the same time, the director of information systems security reports to Williams on a dotted-line basis.
The directive for all departments to work together should come from the executive level, Cleveland says.
Facilities Executives’ Role
The convergence of physical and IT security has several implications for facilities executives. For starters, they need to “jump into the fray,” says O’Hara, and navigate the political battles that can erupt when different departments, such as security, facilities and IT, find their areas of responsibility overlapping.
Facility executives should also be thinking about how technology can help protect the assets of the organization, Freidenfelds says. Traditionally, many companies have resolved security challenges by adding staff, such as security guards. Given the ability of technology to help secure buildings and equipment cost-effectively, facilities executives now need to determine whether it’s best to address risks with people, policies, technology or some combination of these three.
Finally, the facilities executive needs a deep understanding of the organization’s mission. In fact, this usually is more important than an understanding of technology, says Williams. “Security requires people who understand business and know how security affects the company.”
When properly managed, the converging roles of physical and IT security should allow organizations to better anticipate and respond to future emergencies. One example: Should avian flu become an epidemic within the U.S., both IT and physical security know-how will be needed to avert total business shutdowns. If the flu hits, different groups of employees may need to be segregated from each other and some offices or departments closed down — typically, the realm of physical security. At the same time, employees may need access to the corporate network in order to work from home. Making this happen is a role that IT security typically oversees. “It’s an example of the union that needs to be there for the corporation to function, and to roll out an effective, complementary security program,” says Ahrens.
What is Convergence?
Convergence refers to “the identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies,” according to ASIS International.
A Convergence Resource
One resource to which facilities executives dealing with convergence can turn is the Alliance for Enterprise Security Risk Management (AESRM). AESRM came into existence directly as a result of the convergence of traditional and IT security. The Alliance was created in February 2005, through the joint efforts of ASIS International, ISACA and ISSA.
Karen Kroll, a contributing editor for Building Operating Management, is a freelance writer who has written extensively about real estate and facility issues.