Physical and IT Security Convergence: The Basics

Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.

1 2 3 Page 3
Page 3 of 3

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. "Everybody gets a digital smart card-a big step toward PKI-and you can help sell it by saying the card would contain a smart chip that contains all of a user's passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI," says Hunt. "A convergence project will fail if it can't demonstrate business value. Some convergence projects have to be made more relevant to the business," he says.

- Cultural differences.

It's no secret that, in many companies, corporate security people are from Venus and IT security people are from Mars. So CSOs with a bent toward convergence need to be aware of the cultural differences-and not just between physical and information, but among all security-related departments-and have a plan to deal with them. Cross-training is one effective way to make people more understanding of their fellow employees. Pontrelli at Triwest and Telders at Pemco both cross-train their physical and information security staffers.

- Organizational structure.

As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella, Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations?

"With 300 people, it becomes a significant issue evaluating where your needs are," he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).

During the review process, Wipprecht also sought the input of his staff. "You have to communicate. You redefine the new organization, set goals, then go to the agent level for their input. We want participatory management. The responses I got really helped formulate what our organization was going to be today," he says.

Wipprecht also says training is key to a successful, converged department. "We as a management team have an obligation to have the best and the brightest," he says. "To do that, we need to provide the training they need to maintain an expert level. If they're the best they can be, that can only assist you in the field as agents communicate with customers, the FBI, Secret Service, whatever. It saves time and money."

- Information sharing.

Think about information-sharing between the FBI and CIA. Or the FBI and CIA and NSA. Or FBI and CIA and NSA and DoD. You get the drift: Getting security folks to share information can be as hard as telling your boss his putt isn't a gimme.

Security pros "are not accustomed to talking a lot; they're trained to protect information," says Richard Loving, CSO and director of administration at BWX Technologies (BWXT), a manager of nuclear plants and other high-security facilities.

Loving says communication across his organization was the biggest challenge he dealt with when he centralized security, which had been the domain of each individual nuclear facility. To get over that hurdle, Loving has emphasized to facility security managers that working together is in the best interests of the company and that headquarters is trying to enhance-not control-their local operations.

He also advises showing employees the successes of their collaboration. "One time you may be sharing, the next time you may be on the receiving end," says Loving. For BWXT, the benefits of information-sharing came after the Department of Energy ordered all its facilities to improve security of controlled removable electronic media (CREM). Loving and his colleagues coordinated a group response across BWXT facilities rather than having each plant act on its own to comply.

This kind of sharing won't come easily; it's an evolution, Loving says. "It really is getting people to open up and share and recognize that there will ultimately be benefits, whether in operations, security or safety."

Given that most security personnel are from one background but not the other, how is such a person going to have the credibility and expertise to manage both functions?

First, CSOs leading formally converged programs stress that the leader doesn't have to be an expert in every sub-field of security. That's what you hire smart infosec and physical security specialists for.

Second, a small but growing number of academic programs (at Northeastern and Carnegie Mellon, for example) are available to help round out your background. John Petruzzi, an ex-Marine now leading security at Constellation Energy, took SANS Institute classes to get up to speed on information security. It can be done.

Third, other companies get around this by not putting a single individual in charge. Having all security functions report equally into a Chief Risk Officer or a department of risk mitigation is one possible solution. The aim is to achieve cooperation without making one group feel that they've been put under the thumb of another. (See next question.)

If we don't choose to combine operational groups, can we still get some of the benefits?

Steve Hunt, the former Forrester Research analyst (and CPP) who founded consultancy 4A International, believes convergence is better handled on a project-by-project basis. "You might have two employees, both with the company for 10 years, and [the infosecurity person] gets paid twice as much as the [corporate security person]. That makes for a natural cultural segmentation in the department," says Hunt. "My argument is, let's keep talking about converging the departments, but what's the hurry? The business doesn't care who people report to as long as value is delivered."

We've seen more and more convergence articles and presentations in the media and at trade shows. Why all the buzz at this point in time?

Here are five current trends knocking down the walls between traditional security stovepipes.

1. Technology convergence. Corporate security services—video surveillance, access control, fraud detection and access control, for example—are increasingly database-driven and network-delivered. In other words, IT is ever more tightly woven together with physical security.

2. Vendor convergence. Not so long ago, infosec vendors protected networks, and physical security vendors protected bricks and mortar, and the two never met. Now a growing roster of security companies operate in both spaces, as well as in other risk-related areas. Brink's, the armored car company, offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is mixing with smart-card vendors like HID in the Open Security Exchange consortium, developing a network-and-building-access standard called PhysBits. Kroll, historically a physical security services provider, owns digital forensics unit Ontrack Data Recovery.

Bill Hancock, CSO and vice president of global security solutions at Savvis, points out that this is a rudimentary form of convergence. Nevertheless, Hancock expects vendors to continue to merge and meld these distinct product lines into more tightly integrated offerings. And aside from these well-known companies with roots in one discipline or the other, a growing fleet of smaller vendors now present all kinds of interesting examples of cross-functional services. Green-Tech Assets is an interesting illustration, offering a computer-disposal service that blends physical, digital, legal and insurance safeguards against potential liabilities created by inadvertently dumping hard drives and other technology assets containing sensitive financial or customer records.

3. Community convergence. Security is an association-driven world, and for years the associations gave little acknowledgement of each other's existence. That changed in a big way in 2004 and 2005, notably with a statement of solidarity from CISSP promulgator (ISC)2 (in the infosec corner), CPP certifier ASIS International (from the corporate security side) and IS audit association ISACA. Observers such as Williams (who is active in ASIS) anticipate ever more concrete cooperation between these communities over the near term.

4. Threat convergence. Hancock, among other experts, has been sounding the klaxons about the idea of blended threats (combined physical and logical attacks) for some years. The most likely scenario is a physical attack (such as 9/11) with its effect multiplied by concurrent digital denial-of-service attacks aimed at telecommunications or other infrastructure. This scenario becomes more likely as digital controls become more and more prevalent for physical systems. Hancock tells of a company that extolled its foresight in implementing a door-lock system at headquarters requiring verification of digital certificates to allow employees to enter. Hired as a consultant, Hancock used his laptop to launch a "mini-DDoS" attack against the server that handled the verification. Throughout the building, the door locks stopped working.

5. Educational convergence. This trend is just picking up steam, but universities such as Carnegie Mellon and Northeastern have launched programs aimed at equipping students with a portfolio of knowledge and skills in both corporate and information security.

I've also seen some companies who've tried a single security department and then moved away from it.

There will be ebbs and flows, but according to the State of the CSO survey conducted every spring, the overall trend toward consolidated departments, specifically, has been upward for at least the last three years.

This primer was compiled from articles published in CSO magazine. Contributing writers include Scott Berinato, Kathleen Carr, Todd Datz, Simone Kaplan, and Sarah Scalet. Send feedback to CSO Editor Derek Slater at

Copyright © 2005 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
Microsoft's very bad year for security: A timeline