Case Study: Security Convergence

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

By Sarah D. Scalet

There's an easy banter between the three men and their new manager, and a vitality that feels more like an Internet startup than a century-plus-old energy company. Petruzzi's crew had already dug into lunch by the time he arrived from headquarters with a reporter in tow. Dunlap makes a crack about Petruzzi still not letting him carry a gun. The conversation moves fluidly from network sensors to smart cards to concealed duress buttons that trigger alarms. Wasn't it always this way?

The convergence process didn't start as a big explicit project, and this is key. "We didn't have a name for it," Dunlap says. "We didn't call it 'convergence.' We just thought, wouldn't it be great if we could work together more closely for efficiency."

As at many companies that have brought together physical and information security, the evolution began with the investigations group. Because investigations were conducted by corporate security but often involved data stored on computers or passed through e-mail, there were frequent handoffs between corporate security and IT. At the same time, the IT department was growing its monitoring capabilities. Dunlap's staff might notice inappropriate behavior on the network and report it to investigations.

"There was never this, 'We're shoving this down your throat,'" Dunlap recalls. "It was more like, 'Hey, if you're doing that, you really should get these guys involved.'"

Meanwhile, there was increasing recognition that information security belonged under risk management, not technology. This was driven partially by the risk-management approach that Collins was spearheading and partially by regulatory concerns.

"When you look at corporate security," Collins explains, "the evolution of it has to be with information technology security, because you won't address the whole security environment unless you're looking at it together. We also think that it's the right thing to do, because otherwise you have the IT department watching the IT security, and is that really good internal control?"

There were financial incentives too. Collins believed that combining physical and IT security would simply be more efficient and effective. For instance, he thought the company could save labor costs by merging network and physical access monitoring. Simply put, Constellation wouldn't need as many guards.

By summer 2004, executives started mapping out the split. IT systems maintenance would stay within the IT department, but IT security would keep track of any maintenance required from a security perspective. IT security (renamed "information protection" to distinguish it from IT) would operate as a consultant to IT. "Gartner lite," Dunlap calls it, referring to the IT consultancy.
