Case Study: Security Convergence
What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.
By Sarah D. Scalet
"The question is, is the cost of that infrastructure worth it, or are there other measures we could take?" Perlman says. "That's where we're having an argument. [Petruzzi] thinks the other options that we're offering are not as secure, so we're trying to say, what's the risk?"
"We just don't see that your cost-avoidance by doing away with the RSA tokens is worth the risk," answers Petruzzi, whose information protection group put together a page-and-a-half-long report outlining arguments against the change. Gartner lite.
For the time being, the two have tabled the issue until they address a new identity access and management plan next quarter. In other words, they have agreed to disagree. Their relationship is solid enough that when Perlman's assistant can't find her, she looks in Petruzzi's office. The RSA tokens are still in use, and Perlman isn't unhappy, because no one has said "no" to her without offering options.
"If it gets to the point where somebody says, 'You can't do that,' and doesn't offer me options," that's when the new structure isn't working, Perlman says. "You have to be good collaborators. You have to understand this is a business problem we're trying to solve."
The Future of Security
For Petruzzi, who has a degree in criminal justice, it's all part of the crash course he's been taking since joining Constellation. He's taken SANS Institute courses. He does outside reading. He peppers Dunlap with technical questions about solutions they are considering, making sure he has a sufficient understanding of the risks involved. And he's encouraging his staff members to do the same. In fact, he has told them that their performance will be evaluated, in part, on whether they make themselves into what he calls "the new breed of security specialists."
Training doesn't have to be complicated. It might consist of a few symposiums or on-the-job training with someone who has a different kind of security background. "It doesn't mean you have to be an expert," he says. "It means you need to be able to stand in court or in front of executives and state things clearly."
Those who have remained at Constellation through the turmoil of the past three years say they have embraced this new strategy
Woods, who runs the new integrated access management unit, remembers "the days when corporate security existed in a basement under the general services division. It was like the cleaning personnel and then security below them. We didn't have much authority." Now, corporate security has a clear line to the CEO.



