
Case Study: Security Convergence

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

By Sarah D. Scalet

Page 2

Along the way, those involved with the project are facing political, logistical and cultural challenges, with little to guide them. "I have not seen a repeatable organizational model for a completely converged, centrally managed security operation [that includes] physical and IT security," Forrester analyst Steve Hunt warns. (After this story was reported, Hunt resigned from Forrester to launch 4AInternational, a security consultancy that will focus on convergence strategies.) But he's delighted that companies such as Constellation are trying. "With good management, anything is possible. There's a chance they could succeed and save a lot of money and be much better than they ever were before at mapping security to actual business value."

What's more, if Constellation has its way, it could even be mapping out how the next generation of security will look.

The New Guard

At Constellation, the dramatic transformation to bring together information security and physical security can be traced straight to the top: to Mayo Shattuck III, who took over as chief executive just weeks after the terrorist attacks of Sept. 11, 2001.

Shattuck could hardly have chosen a more tumultuous time to leave his post as president of Alex Brown, a Baltimore-based unit of Deutsche Bank, to take the reins at Constellation, then a $3.9 billion energy generator and distributor. The energy industry had already been battered by the California energy crisis and concerns about terrorist attacks on the power grid. It was about to absorb another blow, with the collapse of Enron. And Constellation itself was in turmoil. On the heels of a failed attempt to merge with Potomac Electric Power, Constellation had just scrapped a plan to split into two companies: a regulated power distribution business and a nonregulated production and trading business. The company paid $355 million to Goldman Sachs, its investment partner, to get out of the deal.

It was time for a regime change. It was time to focus on risk.

"Coming from the banking world, I was struck by the lack of centralized risk management on day one," Shattuck says. "It was probably the afternoon of day one that I decided that immediately I needed to mirror the way in which a universal bank [approaches] risk."

As Shattuck remade his senior management team, one of the most prominent new players to emerge was John Collins, a longtime finance employee who became the company's first chief risk officer (CRO).

"Originally we looked primarily at the financial risks: the risks around our marketing and trading operations, the risks around our loan-servicing business, commodity price movements," Collins says. "At the same time, my vision was always to also incorporate operational risk. Both security and business continuity planning seemed to be in places in the organization where they weren't really getting enough high-profile attention."
