Case Study: Security Convergence

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

By Sarah D. Scalet

Here's how things would play out. If a change needed to be made to a firewall, the information protection group would make a request, and the IT infrastructure department would carry it out. If there was unusual activity on a port, information protection wouldn't disable it; they would call the network technicians. If a system needed to be patched, information protection would do the research and testing and then put the word out.

Complicated? Yes. But it made sense.

"We said, 'OK, this is a segregation of duties,'" says Perlman, the CIO. "You [security] are a consumer of the tools. We [IT] deploy the tools. Checks and balances."

Gradually, as the IT security function came together and started to operate more smoothly, its staff began working more closely with security, writ large. On Oct. 1, 2004, IT security employees officially started working for corporate security. The switch was thrown.

Power Shift

As CIO, Perlman stood to lose the most. After all, she was giving up employees and budget, and therefore power. But if this bothers her, she doesn't let on during a meeting with a reporter in her office on the top floor of Constellation's headquarters. Her lament instead? Now that IT isn't directly involved with investigations, she says with a laugh, "I don't get the dirt anymore. That's what I miss."

In truth, Perlman didn't lose much more than a few headaches. Only 12 IT employees and a handful of contractors made the move to corporate security, hardly denting her staff of 550 full-time employees and 150 contractors. The only part of her budget that has been moved, at least so far, is for security salaries and consultants. IT still controls the budget for everything from antivirus software contracts to smart cards, charging back costs to the business units. And not knowing "the dirt" anymore means that Perlman doesn't have to drop everything to deal with an investigation.

It also helps that she trusts Petruzzi. "If you don't trust the person you're giving the group to, forget it; it will never work," Perlman says. "While we were cleaning up our own shop, we were working on building trust with each other's groups."

Not that everything is perfect. Perlman and Petruzzi are still finessing the line between operations and security. They're also talking about moving more of the budget over to security for the next fiscal year. And the two don't always agree. Far from it. For instance, they're still trying to work out the best way for traveling employees to sign onto e-mail. Right now, employees use SecurID tokens from RSA, in addition to passwords. Perlman feels that the tokens are an expensive bother (one that her department must pay for and support) and would like to phase them out. Petruzzi's team thinks otherwise.
