Physical and IT Security Convergence: The Basics

Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.

Call it convergence, call it holistic security management. By any name, it's the subject of much talk these days. What follows is a definition of the term and a look at the payoffs that organizations expect from it, along with the pitfalls that can obstruct an effort to merge physical security and IT security.


What do you mean by "convergence"?

Here's what it is: Formal cooperation between previously disjointed security functions.

When we say "cooperation," we're talking about a concerted and results-oriented effort to work together. Timothy Williams, CSO at Nortel Networks, notes that cooperation involves process and accountability, not just a "let's have lunch once in a while" kind of loosey-goosey connection.

And here's an important note about what convergence is NOT: Merging the information security group and the corporate or physical security group on your organizational chart.

That's a definition that focuses on form instead of function, and as such, is the source of much of the pushback on security convergence. Yes, merged org charts are one very legitimate way to ensure cooperation and accountability, but many organizations may find valid reasons to not rejigger their reporting lines, and still achieve the cost efficiencies and security improvements that come through convergence.

It should also be said that holistic security management covers more than information security and physical security. Other risk management disciplines benefit from the same cooperation and coordination: loss prevention, fraud prevention, business continuity planning, legal and regulatory compliance, insurance, and others. Forging connections with those functions is part of convergence too.

Let's cut to the chase. How will convergence benefit my organization specifically?

Following are key payoff points, gleaned from interviews with security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo, all of which have recast security in some way or another to foster better synchronization and collaboration.

- A comprehensive security strategy better aligns security goals with corporate goals.

Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold the traditional view of security as just another cost center fail to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (who served as the founding director of security for President Reagan's Strategic Defense Initiative program in the '80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders' mission was made easier because senior executives at the company viewed security as a key enabler for the business. "We're a network services provider; we're all about network availability," says Sanders. "If the network isn't available due to a logical or physical incident, it's a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture."

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3. "It's critical to have top-down sponsorship," Sanders says, adding that in his case, the CEO "realized security needed to be integrated into the architecture of the business." The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. "It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security's problem; it's a business concern."

Sanders defines convergence as the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings are one of the important payoffs of this holistic security strategy. Because there's always some duplication in a stove-piped security organization (in overhead and programs, for example), it's more cost-effective to manage an integrated one. Not only that, duplication can lead to unproductive turf battles among security groups for resources, he adds.

- The CSO can be a single point of contact.

Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top.

When there's a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn't have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.

To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

Pontrelli lists numerous benefits, such as the ability to see where the organization is going. "If I didn't have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization," Pontrelli says. "Because I have such access and visibility to the C-level leadership, they know what I'm doing. It's not a mystery. They know my resources, what's being spent."

This status helps to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn't work at a place "that doesn't have a CSO reporting at the C-level with visibility and accountability at that level."

At Wells Fargo, CSO Bill Wipprecht likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisions (internal investigations, external investigations, physical security, enterprise services and the uniformed services division) and has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that singularity translates into the way he handles customer service. "Our rule is, if you call anybody in corporate security on any issue, we don't tell them to call Fred in the other group; we dial the number for them. They don't know they're talking to the wrong division; it's an invisible transfer to the customer," he says.

Still, it's the top of the food chain that derives the greatest value. Constellation Energy's CEO, Mayo A. Shattuck III, describes integrated security management as part of a top-down approach to getting a handle on an organization's exposure to risk. That's why his security department is responsible for all kinds of security, and reports into the company's Chief Risk Officer.

- Information-sharing among disparate security functions increases.

Bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist between people who previously had prime allegiance to their individual security function.

Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He's CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety of their own sites, but there was little collaboration. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stove-piped structure. Loving began to coordinate security at the units.

The results were immediate. Last July, the Department of Energy ordered a stand-down of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.

"In the past, each site would have received guidance from the government, then they'd go off and put protections in place," says Loving. "We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day." (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. "That saved significant costs," he says.

Bob Pembleton has also been experiencing the benefits of closer collaboration. The 30-year security veteran (he held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. "I couldn't get a clear picture of a program for the whole enterprise," he says.

To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groups (information security, physical security, compliance and privacy), which previously reported to different parts of the organization, now reside in Pembleton's security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.

One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. Pembleton says the move improved efficiency and communication to the company and clients.

Pembleton is also replacing customized solutions with standardized ones. For example, he's consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.

- Convergence gives you a more versatile staff.

Although the unified security theme resonates today at Wells Fargo, it wasn't long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, which sometimes allowed two separate teams to investigate the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents.

Page 1 of 3