Case Study: Security Convergence

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

April 15, 2005 — CSO — At first glance, the security operations center for Constellation Energy Group is exactly what you'd expect from a high-tech Fortune 500 energy company. At the front of a windowless room twenty-some miles from the company's Baltimore headquarters, video monitors display office hallways, a trading floor, electrical substations and entrances to power plants. One screen is permanently tuned to CNN, which seems to be corporate America's ubiquitous intelligence source. Another shows a map of the world. Security operators are busy tracking and responding to events at facilities around the world. A smoke alarm goes off here, a door is held open too long there. The usual.

But that's not all that's being monitored.

The director of enterprise security checks his BlackBerry and then speaks in a low voice to the supervisor of the "information protection" unit, previously known as information technology security. The former is a onetime Marine, with closely cropped hair and a dark suit and tie, whose background is in corporate security and executive protection. The latter sports a well-groomed mass of curly locks, a soul patch beneath his lower lip, no necktie, and a handkerchief jutting out his jacket pocket. Until recently, he reported to the IT department rather than corporate security. Only a few feet from where security operators are monitoring gates and guards, these two very different men are assessing the security announcements from Microsoft on this "patch Tuesday." The particular workstation they stand in front of displays not a video feed but a security-incident management system that draws together information about the company's firewalls, intrusion-detection systems and other network operations.

Welcome to a converged security operations centera work in progress.

"We haven't made a full determination yet on how this is going to be integrated," says John Petruzzi, the former Marine who is director of enterprise security, as he surveys the room. Right now, two workstations are used to monitor physical systems, and a separate workstation is used to monitor logical or information systems. But Petruzzi thinks that may change within the year.

"We're leaning to the fact that we can get it to a point where the console operator will be integrated," he says. "I think we're almost there." That would mean that each security operator would monitor all kinds of security incidents, both physical and virtual.

Call it integration; call it convergence; call it holistic security. Whatever its name, it is budding in this room and others like it across the country. In 2006, according to Forrester Research, North American companies will spend $1.7 billion on projects that combine traditional physical security and IT securitymore than five times as much as they spent in 2004. And Constellation has undertaken the most ambitious type of convergence project of all: the wholesale integration of the two departments.