Unified Security: The Payoff...The Pain

The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough.


Bob Pembleton has also been experiencing the benefits of closer collaboration. The 30-year security veteran (he previously held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. "I couldn't get a clear picture of a program for the whole enterprise," he says.

To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groups (information security, physical security, compliance and privacy), which previously reported to different parts of the organization, now reside in Pembleton's security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.

One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. "That was to improve efficiency in the company and improve communication to the company and clients," he says.

Pembleton is also replacing customized solutions with standardized ones. For example, he's consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.

Payoff #4 Convergence gives you a more versatile staff

Although the unified security theme resonates today at Wells Fargo, it wasn't long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, where two separate teams could be investigating the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents.

Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren't previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. "The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally," says Wipprecht.

Triwest's Pontrelli and Pemco's Telders cross-train their physical and infosec staff. "It's mostly a people cost savings," says Telders. "I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job," he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.

Payoff #5 You save the company money

OK, you'd like to be converged, you've talked up the benefits of single points of contact and holistic strategies and aligning security operations with business goals, and you've met with glassy eyes, thinly disguised yawns and general apathy from senior execs. Now's the time to pull out your trump card: Cost savings. Dollar signs. Cold, hard cash.

One area that's generating savings is technology convergence, the intersection of physical and information security. That's what Telders at Pemco Insurance has found.

Telders has put smiles on the suits at Pemco by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. "If a DVR goes out, it could cost five grand. If a disk goes out, it costs $150," he notes.

Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Stephen Baird, vice president of corporate security at United Rentals, North America's largest equipment rental company, is similarly using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn't as clearly defined.) He reports to the company's president and CFO. Since coming on board, he's been working on upgrading the company's digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations: using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company's corporate facilities first and hopes to roll it out in stores eventually. He's also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it's been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they've also used) to make sure customers aren't walking (or driving) away with equipment. And lest one think that light towers, backhoes and skid steer loaders don't disappear, guess again. "We've had theft of everything," says Baird. But rolling out a GPS system won't happen automatically; as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

So there: We've laid out five ways convergence can make your security department faster, stronger and more efficient, and rack up cost savings to boot. Converging can also turn the various security staffers scattered around a company doing their own physical or logical or investigative thing into a more cohesive team, focused on a central mission.

Is it for everybody? No. Is it painless? Of course not. But if you've done the due diligence and believe that convergence can enhance your security posture and bring more value to the business, the CSOs in this story will tell you that you can converge and not just survive, but prosper.

Mecsics, who served in the Air Force for 27 years in various security capacities, recounts how he used to get his troops thinking as one. "I used to show the guys a jet. I said, our job is to make sure that jet can take off and come back. No matter what your job is, your main mission is to make that happen."

Next: Turn the page to learn how CSOs work to overcome the real and persistent challenges involved in forming and leading a unified security department.

Copyright © 2005 IDG Communications, Inc.
