Physical and IT Security Convergence: The Basics

Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.

1 2 3 Page 2
Page 2 of 3

Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren't previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. "The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally," says Wipprecht.

Triwest's Pontrelli and Pemco's Telders cross-train their physical and infosec staff. "It's mostly a people cost savings," says Telders. "I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job," he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.

- You save the company money.

You've probably already picked up on this thread. Pontrelli mentions lower staffing costs. Wipprecht mentions lower travel costs. Sanders mentions reduced duplication of efforts and fewer time-wasting turf battles.

There's also savings to be wrung from technology convergence. Security Manager Eduard Telders put smiles on the suits at Pemco Insurance by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. "If a DVR goes out, it could cost five grand," he notes. "If a disk goes out, it costs $150."

Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Likewise, at Intel, Alan Rude did a lengthy ROI study on switching to digital surveillance recording. In the process, he not only saved lots of money, he also wound up connecting much more closely with the IT department.

Stephen Baird, vice president of corporate security at United Rentals, North America's largest equipment rental company, is also using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn't as clearly defined.) He reports to the company's president and CFO. Since coming on board, he's been working on upgrading the company's digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations-using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company's corporate facilities first and hopes to roll it out in stores eventually. He's also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it's been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they've also used) to make sure customers aren't walking-or driving-away with equipment. And lest one think that light towers, backhoes and skid steer loaders don't disappear, guess again. "We've had theft of everything," says Baird. But rolling out a GPS system won't happen automatically-as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

Give me some more specific scenarios where this is necessary and worth the effort involved (because I suspect that effort will be big).

- Investigations.

Jim Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program-to bring together disparate pieces of security, including physical and information security, under one roof. It didn't take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax's networks. Mecsics and his team went to work-they set up a plan, mapped out the bad guys' architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney's office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen). "That was a pure example of [the benefit of] us having everything under one umbrella," says Mecsics. "I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy," he says. Mecsics didn't have to get authorization from people's bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company's benefit.

- Terminations (and, conversely, new hires).

Also referred to as provisioning and deprovisioning. When your company brings new employees on board, they need all sorts of things, from network passwords to access cards to corporate credit cards. And then when they leave the company, the company needs to gets its belongings back and also shut off access to networks and buildings in a timely manner. Companies with a coordinated approach to provisioning and deprovisioning do those things efficiently. See BT's termination checklist, for example, at Those who do these things in a scattershot manner are more likely to leave the door open for ex-employees to abscond with materials or intellectual property.

Quick case study: Children's Hospital in Boston has a complicated workforce. It's a teaching hospital, so in addition to normal staff turnover, new physicians come and go "in waves," according to CISO Paul Scheib. Some doctors are actually employees of various foundations rather than of the hospital itself. To help keep pace with creating and managing new network accounts and assigning the right privileges, the hospital first implemented password-management software and later a more complete identity-management suite from Courion. While the impetus was on the hiring end of the employee lifecycle, Scheib says a big payoff is that access can be shut off in a more timely manner when an employee leaves the organization. And Scheib finds himself working closely with the hospital's physical security group to integrate door access badges into the identity management approach. In the past, Scheib notes, "we had our information and they had theirs"-there was very little sharing of information. "Now we're working on a metadirectory project and starting to map both physical and infosecurity data and to define roles that require physical access to high-security areas such as surgical suites." Children's Hospital has no organizational initiative dubbed "convergence"; it's just security people recognizing the efficiencies of working together.

- Business continuity.

Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it this way: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective."

- Dealing with camera phones, USB tokens and other gadgets.

An employee (or visitor, or janitor for that matter) connects a thumb drive to his work PC, copies a database with juicy customer details, and walks out the door. Or he uses a camera phone to wirelessly e-mail a surreptitious snapshot of your company's R&D area. Are these digital threats? Or physical ones? Who cares! Again, good communication between the information security and physical security functions will help you craft intelligent policies and enforcement measures to stop this kind of incident.

- SCADA and process control systems.

At manufacturing companies and utilities, Supervisory Control and Data Acquisition (SCADA)systems sit directly at the intersection of the physical and digital worlds. They are used to electronically control and monitor the actual machines that mix chemicals, control temperatures, and so on. Typically, network security professionals don't know much (if anything) about securing SCADA, and process engineers don't know anything about information security.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers took care of the systems themselves. "When I joined the company six years ago, it was hands off, you have no authority here," he says. "After 9/11, they were asking for my input. It was a major shift." Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

What are the roadblocks and potholes we need to plan to avoid on our way to convergence?

- Turf battles.

Many employees, both managers or lower-level employees, will be unhappy with any change to their turf. They're not going to like whom they report to, whom they have to work with and the new projects they're assigned to. Egos will be bruised, if not battered.

When Mecsics consolidated security functions at Equifax, he had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. "I said, 'I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker,'" he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.

- Executive buy-in.

You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn't feel as warm and cuddly about it as you do, your proposal will stay just that-a proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first.

At EDS, Pembleton wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. "We had conversations about what we were trying to do, then did a couple of sites to prove the concept," he says. "The centralization proved so efficient that the senior leadership raised the question, 'Wouldn't it be more efficient to put all four lines in the same security organization?'" Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

Communication is also critical-if you don't get buy-in initially, communicate with the leaders who are feeling the impact of whatever change you're trying to make, says Pembleton. "Try to put yourself in the other person's position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?" he says.

Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI)-a major undertaking. Executives might view it as an expensive investment that doesn't return immediate value to the company. Implementing PKI would require every business unit to conform their applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

1 2 3 Page 2
Page 2 of 3
7 hot cybersecurity trends (and 2 going cold)