Unified Security: The Payoff…The Pain

Talk to Jim Mecsics about the benefits of a unified security operation, and you’ll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there’s a security problem, the CEO is going to jab Mecsics’ belly button, hold him accountable and say, “Fix it.”

His point: In a converged security organization, there’s only one button to pushexecutives don’t have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.

More on that later.

Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security programto bring together previously disparate pieces of security, including physical and information security, under one roof.

It didn’t take long for the unified security reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks. Mecsics and his team went to workthey set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).

“That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says.

Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)

Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you’re trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.

What’s not to like about that? In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they’ve converged and the payoffs they’ve achieved from reorganizing their security departments to better meet the needs of their businesses.Payoff #1 A comprehensive security strategy better aligns security goals with

Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (and who served as the founding director of security for President Reagan’s strategic defense initiative program in the ’80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders’ mission was made easier because senior executives at the company viewed security as a key enabler for the business. “We’re a network services providerwe’re all about network availability. If the network isn’t available due to a logical or physical incident, it’s a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture,” he says.

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see “Security Committee,” Page 28). “It’s critical to have top-down sponsorship,” Sanders says, adding that in his case, the CEO “realized security needed to be integrated into the architecture of the business.” The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. “It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problemit’s a business concern.”

Sanders defines unified security or convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there’s always some duplication in a stovepiped security organizationin overhead and programs, for exampleit’s more cost-effective to manage an integrated one. Not only thatduplication can lead to unproductive turf battles among security groups for resources, he adds.

Does every company need to converge to effectively integrate security with the overall goals of the business? Not necessarily. Some companiesfor example, small organizations that may not need a CSOoperate fine with separate information and physical organizations, says Ed Telders, CSO at Pemco Insurance. In others, Telders notes, the lack of effective convergence is a problem. “I tell people to do a risk assessment of the organization, do a cost-benefit of having two groups versus one, and make decisions based on business, not politics or anything else,” he says.Payoff #2 The CSO can be a single point of contactBringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top, or, as Mecsics says above, can function as the security belly button.

When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn’t have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.

To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

He lists numerous benefits, including having visibility into where the organization is going. “If I didn’t have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization,” Pontrelli says. “Because I have such access and visibility to the C-level leadership, they know what I’m doing. It’s not a mystery. They know my resources, what’s being spent.”

This status gives him a greater ability to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn’t work at a place “that doesn’t have a CSO reporting at the C-level with visibility and accountability at that level.”

At Wells Fargo, CSO Bill Wipprecht also likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisionsinternal investigations, external investigations, physical security, enterprise services and the uniformed services divisionand has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that translates into the way he handles customer service. “Our rule is, if you call anybody in corporate security on any issue, we don’t tell them to call Fred in the other group; we dial the number for them. They don’t know they’re talking to the wrong divisionit’s an invisible transfer to the customer,” he says.Payoff #3 Information-sharing among disparate security functions increasesFor all the benefits of convergence, one of the biggest ones is that the level of cooperation and sharing of information among employees should increase. Will sharing happen overnight? Of course not. (See “The Pain,” Page 29, for some of the obstacles that need to be overcome.) But bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist among people who previously had prime allegiance to their individual security function.

Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He’s CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety at their own sites, but there was little collaboration among them. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stovepiped structure. Loving began to coordinate security at the units.

The results were immediate. Last July the Department of Energy ordered a stand-down of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.

“In the past, each site would have gotten guidance from the government, then they’d go off and put protections in place. We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day,” says Loving. (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. “That saved significant costs,” he says.

CSOs (and CIOs) who work in certain manufacturing industries have been dealing with a different kind of stovepiped structure for years that, after 9/11, has started to get more scrutiny from the federal government. Many critical infrastructure industries, such as chemical, petroleum and nuclear, employ process control systems. Those systems are used for a wide variety of tasksfor example, they turn valves on or off and measure temperatures and pressures in reactors. What’s come to light in recent years, as they’ve become increasingly connected to other company networks and the Internet, is how vulnerable these systems are to cyberattack because the security of these process control networks has been an afterthought. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers did what they had been doing for years, namely, taking care of the systems themselves. “When I joined the company six years ago, it was hands off, you have no authority here. After 9/11, they were asking for my input. It was a major shift,” he says. Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

Bob Pembleton has also been experienc-ing the benefits of closer collaboration. The 30-year security veteran (he previously held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. “I couldn’t get a clear picture of a program for the whole enterprise,” he says.

To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groupsinformation security, physical security, compliance and privacywhich previously reported to different parts of the organization, now reside in Pembleton’s security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.

One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. “That was to improve efficiency in the company and improve communication to the company and clients,” he says.

Pembleton is also replacing customized solutions with standardized ones. For example, he’s consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.Payoff #4 Convergence gives you a more versatile staffAlthough the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, where two separate teams could be investigating the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents.

Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.

Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.Payoff #5 You save the company moneyOK, you’d like to be converged, you’ve talked up the benefits of single points of contact and holistic strategies and aligning security operations with business goalsand you’ve met with glassy eyes, thinly disguised yawns and general apathy from senior execs. Now’s the time to pull out your trump card: Cost savings. Dollar signs. Cold, hard cash.

One area that’s generating savings is technology convergence, the intersection of physical and information security. That’s what Telders at Pemco Insurance has found.

Telders has put smiles on the suits at Pemco by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand. If a disk goes out, it costs $150,” he notes.

Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Stephen Baird, vice president of corporate security at United Rentals, North America’s largest equipment rental company, is similarly using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigationsusing the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they’ve also used) to make sure customers aren’t walkingor drivingaway with equipment. And lest one think that light towers, backhoes and skid steer loaders don’t disappear, guess again. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automaticallyas with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

So there: We’ve laid out five ways convergence can make your security department faster, stronger and more efficient, and rack up cost savings to boot. Converging can also turn the various security staffers scattered around a company doing their own physical or logical or investigative thing into a more cohesive team, focused on a central mission.

Is it for everybody? No. Is it painless? Of course not. But if you’ve done the due diligence and believe that convergence can enhance your security posture and bring more value to the business, the CSOs in this story will tell you that you can converge and not just survive, but prosper.

Mecsics, who served in the Air Force for 27 years in various security capacities, recounts how he used to get his troops thinking as one. “I used to show the guys a jet. I said, our job is to make sure that jet can take off and come back. No matter what your job is, your main mission is to make that happen.”

Next: Turn the page to learn how CSOs work to overcome the real and persistent challenges involved in forming and leading a unified security department.