Physical and IT Security Convergence: The Basics
Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.
Call it convergence, call it holistic security management. By any name, it's the subject of much talk these days.
- What do you mean by "convergence"?
- Let's cut to the chase. How will convergence benefit my organization specifically?
- Give me some more specific scenarios where this is necessary and worth the effort involved (because I suspect that effort will be big).
- What are the roadblocks and potholes we need to plan to avoid on our way to convergence?
- Given that most security personnel are from one background but not the other, how can such a person manage both functions?
- If we don't choose to combine operational groups, can we still get some of the benefits?
- We've seen more and more convergence articles and presentations in the media and at trade shows. Why all the buzz at this point in time?
What do you mean by "convergence"?
Here's what it is: Formal cooperation between previously disjointed security functions.
When we say 'cooperation', we're talking about a concerted and results-oriented effort to work together. Timothy Williams, CSO at Nortel Networks, notes that cooperation involves process and accountability, not just a "let's have lunch once in a while" kind of loosey-goosey connection.
And here's an important note about what convergence is NOT: Merging the information security group and the corporate or physical security group on your organizational chart.
That's a definition that focuses on form instead of function, and as such, is the source of much of the pushback on security convergence. Yes, merged org charts are one very legitimate way to ensure cooperation and accountability, but many organizations may find valid reasons to not rejigger their reporting lines, and still achieve the cost efficiencies and security improvements that come through convergence.
It should also be said that there is a type of security management more holistic than information security plus physical security alone: other risk management disciplines also benefit from cooperation and coordination, among them loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, insurance and others. Forging connections with those functions is part of convergence too.
Let's cut to the chase. How will convergence benefit my organization specifically?
Following are key payoff points, gleaned from interviews with security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo, all of which have recast security in some way or another to foster better synchronization and collaboration.
- A comprehensive security strategy better aligns security goals with corporate goals.
Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold the traditional view of security as just another cost center fail to recognize the importance of security to day-to-day business activities.
When Marshall Sanders, vice president of corporate security and CSO (who served as the founding director of security for President Reagan's strategic defense initiative program in the '80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.
Sanders' mission was made easier because senior executives at the company viewed security as a key enabler for the business. "We're a network services provider; we're all about network availability," says Sanders. "If the network isn't available due to a logical or physical incident, it's a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture."
A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3. "It's critical to have top-down sponsorship," Sanders says, adding that in his case, the CEO "realized security needed to be integrated into the architecture of the business." The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. "It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security's problem, it's a business concern."
Sanders defines convergence as the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there's always some duplication in a stove-piped security organization (in overhead and programs, for example), it's more cost-effective to manage an integrated one. Not only that: duplication can lead to unproductive turf battles among security groups for resources, he adds.
- The CSO can be a single point of contact.
Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top.
When there's a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.
John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn't have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.
To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.
Pontrelli lists numerous benefits, such as the ability to see where the organization is going. "If I didn't have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization," Pontrelli says. "Because I have such access and visibility to the C-level leadership, they know what I'm doing. It's not a mystery. They know my resources, what's being spent."
This status helps to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn't work at a place "that doesn't have a CSO reporting at the C-level with visibility and accountability at that level."
At Wells Fargo, CSO Bill Wipprecht likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisions (internal investigations, external investigations, physical security, enterprise services and the uniformed services division) and has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that singularity translates into the way he handles customer service. "Our rule is, if you call anybody in corporate security on any issue, we don't tell them to call Fred in the other group; we dial the number for them. They don't know they're talking to the wrong division; it's an invisible transfer to the customer," he says.
Still, it's the top of the food chain that derives the greatest value. Constellation Energy's CEO, Mayo A. Shattuck III, describes integrated security management as part of a top-down approach to getting a handle on an organization's exposure to risk. That's why his security department is responsible for all kinds of security, and reports into the company's Chief Risk Officer.