Case Study: Security Convergence

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

In late 2002, Collins officially expanded his purview. He took control of the company's business continuity and corporate security operations, which had been part of the general services department. But information security wasn't ready to make the move just yet.

That's because Beth Perlman, the company's first-ever CIO, was still trying to get a handle on the piecemeal systems that had grown out of decades of the business lines operating independently. "When I came here, you could not tell that all the divisions were part of the same company," says Perlman, who was hired in April 2002. "If I wanted to access our HR system, I had to go through firewalls. We did not have one IT security department; we had many IT security departments. The first step of convergence was formulating one IT security group. The last thing I wanted to do was just dump something that didn't work."

By this point, though, the players were all in place. Brandon Dunlap, supervisor of the information protection unit under the risk-management organization, had been hired to manage IT security. And Shattuck himself had brought aboard Petruzzi, who had worked in executive protection at Alex Brown. Shattuck trusted Petruzzi, who had accompanied him on trips to South America to coordinate his protection, and thought that Constellation would be a good spot for Petruzzi to build and broaden his career.

As it turned out, Petruzzi, now just 34, would broaden a lot more than his own career.Not Just Another Project"We started [at Constellation] within, what, two weeks of each other, and started meeting almost regularly right after that," Dunlap says to Petruzzi, as Petruzzi settles into a chair in a conference room next door to the security operations center. Petruzzi has asked his three direct reports to gather here on this January afternoon to talk about how the convergence process is playing out.

There's Dunlap, with his cultivated eccentricity and deep technical know-how. (He's on the faculty of the Institute for Applied Network Security.) There's Frank Woods, a 25-year Constellation veteran who used to be supervisor of the security operations center but is now supervisor of a new access- management unit, which will handle all requests for logical and physical access companywide. Finally, there's Dave Feeney, the newly promoted supervisor of the security operations center, whose emphasis has been on making sure the operators hired to work in the center have plenty of tech savvy.

(Petruzzi's direct manager, Jack Ryan, declined to be interviewed for this story. Ryan, a 21-year Constellation employee who is head of corporate security, indicated through corporate communications that "all bases have been covered" by this story's other sources.)