Common language: IT and corporate security cooperation makes progress

It’s an old story: Different risk management functions operating in separate boxes, each oblivious to the other’s existence. Security experts have been talking about the need for corporate and IT security to come together for what seems like an eternity. But real cooperation has emerged only in fits and starts.

At long last, we’re starting to see evidence that the walls are coming down, albeit slowly, one brick at a time. Here are four companies that are making it happen.

The Long Struggle

Let’s begin with a short history of the problem.

In the past, physical and IT security shops have had trouble working together. They were created as two separate departments, with different people, cultures and ways of thinking. By sharing skills, technology, processes and best practices, the two disciplines could more effectively defend against threats and deliver the kind of holistic security that organizations need. But change has come at a glacial pace.

Corporate security professionals have become reliant on information security tools and techniques such as identity management, log monitoring and analytics, says David Melnick, principal in the security, privacy and data protection practice at consultancy Deloitte.

[Also learn about Physical security information management (PSIM)]

“We increasingly live in a world where neither [physical nor information security] can be effective without the ability to integrate with and rely on the other,” Melnick says.

Similarly, IT security pros have become more aware of the human and physical dimensions of protecting data.

The most powerful collaborations between the two disciplines take place during the response to an incident, Melnick says. Physical security “has strong practices and focus on the key issues that emerge when you have to respond to an event [for example, forensic investigation and interviewing], while information security and technology offer increasingly effective sources of intelligence and evidence around the event,” he says. “While some events take place largely in cyberspace and others in the physical world, both require collaboration for the most effective response.”

At ADP and Elsewhere, CSOs Bridge The Gap

The first example of genuine progress comes from Automatic Data Processing (ADP), a provider of outsourcing services for human resources, payroll and other business processes. The company finally became a “fully converged security organization” two years ago, says Roland Cloutier, vice president and CSO (and a CSO Compass Award honoree in 2010).

By creating the office of the CSO and aligning operational security, risk and privacy-service delivery teams, ADP has created a global platform for efficiently and effectively monitoring and delivering key security elements in business operations and product delivery.

Units within the organization are either considered service delivery, client management or platform support, Cloutier says, and all report to a senior leader who has responsibility for all security, risk and privacy functions at the company.

Service delivery includes programs such as information security, risk management, the company’s Critical Incident Response Center, public safety and client security. Client management is responsible for ensuring that the services are delivered into each division and business unit and that functional business requirements are covered by the services offered by the central delivery teams. And the platform-support teams provide consistent internal operations support while preventing stovepiped processes, overlapping technologies and fiscal mismanagement.

“By consolidating these functions, operating on a shared services platform, enabling cross-discipline metrics, and getting functional leaders at the same table, we are able to better evaluate our security posture, better leverage our technology and capital investments, make better global and enterprise risk decisions, and more effectively make decisions and execute our strategy and daily operations,” Cloutier says.

The reality is that both physical and cyber issues have huge effects on any corporation, Cloutier says.

“From intellectual property protection to cyber intrusions, privacy, protected data assurance, client funds protection, product security, and workforce safety, all impact business operations, client management and satisfaction, brand, and shareholder investment,” he explains.

By merging security programs and developing cross-discipline metrics and governance functions, companies have a better quantitative and qualitative view of the efficacy of their security investments, Cloutier says.

[Read more about how CSOs can create business value]

He prefers not think of the success of the converged program just in terms of threat avoidance, but rather as a cross-disciplinary “ecosystem approach” to the prevention, detection, deterrence and management of key security, risk and privacy operations.

With this approach, “security executives now have a much better way to make risk-based decisions on the entire spectrum of critical security issues against a business, and migrate shared resources and funds to the area most critical at the time of need,” Cloutier says.

Heartland’s Struggle

At Heartland Payment Systems, a provider of payment-processing, payroll and other services, CSO John South has struggled to marry physical and IT security to better protect the firm’s enterprise and merchant customers. It’s become an important piece of the puzzle as Heartland has fought to regain its footing following a massive security breach four years ago.

“With combined [physical and digital] monitoring, we can shorten the reaction time between an attempted breach and our response.”

John South, CSO, Heartland Payment Systems

Back then, a group of hackers successfully broke into Heartland’s network, stealing data from more than 100 million credit and debit cards on the company’s network, which handles card processing for restaurants, retailers and other merchants. (Read a detailed account in APT in action: Inside the Heartland breach.)

“With Heartland facilities located in several locations across the country, it is important to have a consolidated approach to our physical security,” South says. “Physical security is a part of many of our IT compliance obligations,” such as the Payment Card Industry Data Security Standard. “So it is important that it is integrated into the IT audits and policies established to protect the company,” he says.

Each quarter, the firm’s IT auditors review the physical security controls already in place. “This includes site reviews and some components of physical security that are basic to a secure facility, such as examining the completeness of visitor records,” South says.

The most important factor driving the collaboration between physical and cyber security is the need for quick and reliable access to information about the state of physical security in Heartland’s various facilities, South says. “It is important to monitor the safety and security of our employees and our facilities both during working hours as well as during off-hours when someone might be looking for a way to break in,” he says.

With consolidated monitoring, the company has the ability to respond quickly to emergencies as they occur. “It’s the real-time access to physical security information that strengthens our approach to security,” South says.

A close collaboration between physical and cyber security could help prevent a physical attack or breach that might be coupled with a cyber component, either as a part of the attack itself or to obfuscate the physical penetration of the company, South says. “With combined monitoring, we can shorten the reaction time between an attempted breach and our response,” he says.

Cybersecurity Becomes a Physical Challenge

Another company aiming to link physical and IT security is YRC Worldwide, a holding company that oversees shipping businesses such as YRC Freight and Reddaway.

“The number of successful hacks into corporations around the world is the force that is driving our physical and IT security organizations to partner closely and work as one,” says George Kather, CIO of YRC Worldwide.

“Cyberattacks have shifted from the harmless antics of bored teenagers to professional hackers sponsored by foreign entities that can bring corporations down.”

Part of what’s made the collaboration so successful is the absence of the turf battles that go on at some organizations, CSO Butch Day says. “It’s amicable, a great working relationship.”

Kather works closely with CSO Butch Day, who’s in charge of physical security initiatives at YRC. The company has created a cyberattack section in its Crisis Response and Communications Plan. The plan dictates what actions to take if the company experiences an attack, such as what to shut down to prevent any damage from spreading (led by IT security); who to notify, including partners, law enforcement agencies and customers (led by physical security); and what to communicate (led by physical security).

The physical and IT security teams also partner on internal security concerns, Day says, such as guarding against an attack from within by a disgruntled employee. In early 2012, YRC deployed an intrusion-prevention system (IPS) that not only lets the company know if it’s under attack externally but also helps it detect improper use of its computer and network-based assets.

“If management identifies an employee [who] is acting suspiciously, the physical security team will be engaged to investigate,” Day says. “As part of that investigation, the physical security team can request IT support to review the employee’s computer, Web and phone logs to affirm or disprove the suspicious activity” by using tools such as IPS.

Day’s team has a large contingency of former law-enforcement officials who have a variety of specialties in security and investigations. They often work in conjunction with the IT security group.

“When they identify something, we look at all the evidence they compiled and take it from there,” Day says. “Our CEO has made it clear that anytime we need anything, we can draw on [IT] resources, and it’s worked very well.”

Part of what’s made the collaboration so successful is the absence of the turf battles that go on at some organizations, Day says. “It’s amicable, a great working relationship,” he says.

One of the recent initiatives undertaken by the groups is a move to IP video surveillance technology, and the physical security group is working with IT to choose and implement video equipment.

Airport Trades Silos for Teamwork

Los Angeles World Airports (LAWA) also aims for close cooperation between the law enforcement and security group and the IT organization.

Physical security systems that use IT components (access control devices, closed-circuit TV, radios, and so on) are primarily used by law enforcement and are managed by the Information Management and Technology Group (IMTG), says Dominic Nessi, deputy executive director and CIO.

[Take a peek inside LAWA’s disaster recovery exercises]

“[Usage] policy is established by law enforcement and IMTG sees them as the stakeholder and decision-maker,” Nessi says. “IMTG keeps abreast of technology advancements and works with the law enforcement organization to determine whether or not they would be of value to LAWA.”

Over the past five years, law enforcement and IMTG have worked together to plan and implement a number of technology improvements, including a new digital trunked radio system, mobile data computers in vehicles, and a new 911 call system.

Ongoing projects include a nearly completed replacement of the physical access control system at Los Angeles International Airport (LAX) and a major replacement of LAX’s CCTV and video-storage system.

“In all of these initiatives, law enforcement has been the project sponsor with IMTG being the delivery mechanism,” Nessi says.

LAWA has implemented an internal network upon which security systems, airport systems and back-office systems ride, Nessi says. “Though they are one physical network, they are logically separate to provide each with the appropriate cybersecurity measures,” he says.

“The primary factor driving this scenario is efficiency in the delivery approach. One network uses less physical infrastructure, is more cost-effective to operate and maintain, and requires only one network-management staff.”

To increase collaboration between physical and IT security, some enterprises might need to reorganize their security operations.

[Learn how companies are Organizing for enterprise risk management]

“Strategic organizational design questions often become the brick wall that stops the convergence conversation,” says Melnick of Deloitte.

“Partly this is because most organizations still bury information security within IT much like how traditional security lives within HR, finance or operations.”

The answer might lie in combining these organizations, partly “to elevate the reporting relationship of the resulting integrated capability, as either one on their own [has] trouble making it to the C-suite level,” Melnick says.

The value of integration is becoming increasingly clear, Melnick says, but the organizational design questions are not as clear.

“Ultimately, some combination of responsibilities will need to be brought together to elevate the capability to the C-suite, and this will likely require the partnering with compliance, risk-management, privacy or other functional areas—depending on the industry and organization—before we have true convergence,” he says.