Physical and IT Security Convergence: The Basics
Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.
- Information-sharing among disparate security functions increases.
Bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist between people who previously had prime allegiance to their individual security function.
Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He's CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety at their own sites, but there was little collaboration. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stove-piped structure. Loving began to coordinate security at the units.
The results were immediate. Last July, the Department of Energy ordered a stand-down of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.
"In the past, each site would have received guidance from the government, then they'd go off and put protections in place," says Loving. "We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day." (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)
Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. "That saved significant costs," he says.
Bob Pembleton has also been experiencing the benefits of closer collaboration. The 30-year security veteran (he held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. "I couldn't get a clear picture of a program for the whole enterprise," he says.
To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groups (information security, physical security, compliance and privacy), which previously reported to different parts of the organization, now reside in Pembleton's security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.
One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. Pembleton says the move improved efficiency and communication to the company and clients.
Pembleton is also replacing customized solutions with standardized ones. For example, he's consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.
- Convergence gives you a more versatile staff.
Although the unified security theme resonates today at Wells Fargo, it wasn't long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, which sometimes allowed two separate teams to investigate the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.
That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents.
Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren't previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. "The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally," says Wipprecht.
Triwest's Pontrelli and Pemco's Telders cross-train their physical and infosec staff. "It's mostly a people cost savings," says Telders. "I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job," he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.
- You save the company money.
You've probably already picked up on this thread. Pontrelli mentions lower staffing costs. Wipprecht mentions lower travel costs. Sanders mentions reduced duplication of efforts and fewer time-wasting turf battles.
There are also savings to be wrung from technology convergence. Security Manager Eduard Telders put smiles on the suits at Pemco Insurance by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. "If a DVR goes out, it could cost five grand," he notes. "If a disk goes out, it costs $150."
Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.
Likewise, at Intel, Alan Rude did a lengthy ROI study on switching to digital surveillance recording. In the process, he not only saved lots of money, he also wound up connecting much more closely with the IT department.
Stephen Baird, vice president of corporate security at United Rentals, North America's largest equipment rental company, is also using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn't as clearly defined.) He reports to the company's president and CFO. Since coming on board, he's been working on upgrading the company's digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations: using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company's corporate facilities first and hopes to roll it out in stores eventually. He's also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.
Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it's been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they've also used) to make sure customers aren't walking, or driving, away with equipment. And lest one think that light towers, backhoes and skid steer loaders don't disappear, guess again. "We've had theft of everything," says Baird. But rolling out a GPS system won't happen automatically; as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.



