Basics

Physical and IT Security Convergence: The Basics

Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.

Page 4

- Executive buy-in.

You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn't feel as warm and cuddly about it as you do, your proposal will stay just that-a proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first.

At EDS, Pembleton wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. "We had conversations about what we were trying to do, then did a couple of sites to prove the concept," he says. "The centralization proved so efficient that the senior leadership raised the question, 'Wouldn't it be more efficient to put all four lines in the same security organization?'" Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

Communication is also critical-if you don't get buy-in initially, communicate with the leaders who are feeling the impact of whatever change you're trying to make, says Pembleton. "Try to put yourself in the other person's position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?" he says.

Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI)-a major undertaking. Executives might view it as an expensive investment that doesn't return immediate value to the company. Implementing PKI would require every business unit to conform their applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. "Everybody gets a digital smart card-a big step toward PKI-and you can help sell it by saying the card would contain a smart chip that contains all of a user's passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI," says Hunt. "A convergence project will fail if it can't demonstrate business value. Some convergence projects have to be made more relevant to the business," he says.

- Cultural differences.

It's no secret that, in many companies, corporate security people are from Venus and IT security people are from Mars. So CSOs with a bent toward convergence need to be aware of the cultural differences-and not just between physical and information, but among all security-related departments-and have a plan to deal with them. Cross-training is one effective way to make people more understanding of their fellow employees. Pontrelli at Triwest and Telders at Pemco both cross-train their physical and information security staffers.

- Organizational structure.

As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella, Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations?

"With 300 people, it becomes a significant issue evaluating where your needs are," he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).

During the review process, Wipprecht also sought the input of his staff. "You have to communicate. You redefine the new organization, set goals, then go to the agent level for their input. We want participatory management. The responses I got really helped formulate what our organization was going to be today," he says.

Wipprecht also says training is key to a successful, converged department. "We as a management team have an obligation to have the best and the brightest," he says. "To do that, we need to provide the training they need to maintain an expert level. If they're the best they can be, that can only assist you in the field as agents communicate with customers, the FBI, Secret Service, whatever. It saves time and money."

- Information sharing.

Think about information-sharing between the FBI and CIA. Or the FBI and CIA and NSA. Or FBI and CIA and NSA and DoD. You get the drift: Getting security folks to share information can be as hard as telling your boss his putt isn't a gimme.

Security pros "are not accustomed to talking a lot; they're trained to protect information," says Richard Loving, CSO and director of administration at BWX Technologies (BWXT), a manager of nuclear plants and other high-security facilities.

Loving says communication across his organization was the biggest challenge he dealt with when he centralized security, which had been the domain of each individual nuclear facility. To get over that hurdle, Loving has emphasized to facility security managers that working together is in the best interests of the company and that headquarters is trying to enhance-not control-their local operations.

He also advises showing employees the successes of their collaboration. "One time you may be sharing, the next time you may be on the receiving end," says Loving. For BWXT, the benefits of information-sharing came after the Department of Energy ordered all its facilities to improve security of controlled removable electronic media (CREM). Loving and his colleagues coordinated a group response across BWXT facilities rather than having each plant act on its own to comply.

This kind of sharing won't come easily; it's an evolution, Loving says. "It really is getting people to open up and share and recognize that there will ultimately be benefits, whether in operations, security or safety."