Unified operations centers

An operations center is a structured environment that serves as the primary workspace for monitoring, directing and coordinating operations activities, including identifying and responding to situations that require specific and immediate non-routine attention. There are many types of operations centers, and most are familiar with these three types: Security Operations Center (SOC), Network Operations Center (NOC) and Emergency Operations Center (EOC).

Traditionally, organizations have separate operations centers for each type. This was a natural occurrence, as in the past, most information displays and some communications capabilities were hard-wired and inflexible - resulting in the dedication of physical space to particular functions.

Thus, two negative effects of multiple operations centers have been largely unavoidable: the duplication of physical and electronic supporting infrastructure, and the isolation of information between siloed operations centers.

However, today, computer-based information and communications capabilities provide real-time flexibility. Any information or communication can be routed anywhere, and rules-based systems can automate initial routing and handling for time-critical evaluation and response. The factors that have necessitated infrastructure duplication and functional isolation for operations centers in the past no longer exist. It is now possible to have unified operations centers, where two or more operations functions are combined.

Panduit World Headquarters

One leading corporation is intimately familiar with operations center infrastructure: Panduit (www.Panduit.com). Founded in 1955 in Chicago, Illinois, Panduit now has more than 3,000 employees in office, manufacturing and distribution facilities across the globe.

When Panduit's expanding business called for the construction of a new World Headquarters building, its executives realized that they had an opportunity to eliminate the typical duplication and isolation of separate operations centers, by combining their SOC and NOC into a single workspace that they dubbed the U-OC2 - a dual-function Unified Operations Center (Security/Safety Operations and Network Operations).

"The concept of unified operations was instinctive thinking for us - a natural extension of the Unified Physical Infrastructure (UPI) approach that shapes our product design and development work, and also defined the design for our new headquarters facility," says Jeffrey Woodward, Senior Manager, Global EHS & Security at Panduit.

UPI is an architecture that integrates hardware and software products with design principles to create an integrated infrastructure that aligns and harmonizes critical building systems - power, communication, computing, security and control (such as lighting, HVAC, and factory automation). These are collectively referred to as physical infrastructure systems under the UPI approach, because all are equally required to optimize the specific operational environments of a given building or facility.

The convergence of applications and communications onto a unified IP-based network infrastructure is a common trend among physical infrastructure systems. This means, among other things, that their data can be shared across the spectrum of applications for improved operational awareness and response. The objectives are efficiency and operational cost-savings, as well as higher levels of system and organizational performance.

For example, lighting and air conditioning can follow building occupancy, as well as the arming and disarming of alarm zones. Phones, network switches and other electronic devices can be automatically powered down or put into their hibernation state, to reduce power consumption when their use is not needed. Emergency responses can be tailored in real-time based on building occupancy and building physical conditions. (See "Connected Buildings and Security Systems" - page 22 - for two videos that present more detail on the operational and technological context for security in connected buildings, and how this impacts the value that security technologies can provide to the business.)

Unifying Operations

"It makes sense to co-locate the security, safety, network and communications operations functions, as there are many situations - emergency and non-emergency - that warrant close coordination and information sharing," explains Marc Naese, Panduit's Director of IT Infrastructure and Operations. Thus, the SOC and NOC functions were combined into a single operations room, with a door to the adjacent EOC room.

James Connor, CEO of security technology and operations consultancy N2N Secure (www.N2NSecure.com), worked with Panduit to help qualify technologies for deployment in the new facility and as the lead consultant for the design of the security systems and new security operations model. "We know that information technology and physical security technology are both advancing very rapidly," Connor says. "Operations center design is now very different than in previous years. Technology infrastructure has to take into account the arrival of new products and system capabilities every year. The fast pace of organizational change also requires flexibility in the deployment of network and security technologies."

The functions of an operations center room no longer need to be filled with purpose-built "ops center" equipment. Information and control functions are "electronicized" through information systems and network technologies, enabling computer workstations and video displays to provide a wide variety of human interaction, as seen in Figure 1 (above).

Design Approach

With IP-based monitoring, information, communications and control systems in place in facilities, a multi-function operations center can provide monitoring, coordination, evaluation and response functions based on how the center is staffed and how intelligent rules-based systems are deployed to support detection, evaluation, response and escalation. When a maintenance operator logs onto a workstation, maintenance applications and functions can be called up automatically. Some stations can be dedicated to a specific function simply by staff assignment. Other workstations can provide ad hoc functions based on situational needs. With this kind of flexibility, where does design start and where does it end?

"Vision and executive sponsorship, and C-suite buy-in, were very important to us at the earliest stage of conception," Woodward says. The operations center initiative was a part of Panduit's larger "Connected Building Team," the concept team for the project. "Basically, everyone within Panduit had a stake in what that building was going to be and how it would operate. Alignment with corporate governance and regulatory requirements was important."

"We also asked, 'What do you want to have happen when someone accesses the building?' That could mean turning on lighting in your office, air conditioning and your VoIP phone and network data port. We identified the ROI in each case, and related things back to risk management. This helped us make very acceptable business cases."

Another example of accounting for stakeholder interests is the establishment of service level agreements (SLAs) between Security and stakeholder groups. For example, an SLA regarding security video data would specify the length of retention for recorded video data, as well as the procedure for data destruction, and would also address access to data.

Pilot projects were used to evaluate technology. Evaluation criteria included business values beyond security, such as partnership and marketing value. For example, Cisco is a very strong business partner with Panduit, so whether or not a security product carried the Cisco brand was an evaluation factor.

Woodward also discusses the strategic elements of the vision: World-class facilities, innovation, collaboration and sustainability. "Our corporate vision includes providing world-class facilities for our employees. Innovation is a key strategy for our company and for many companies, as is having collaborative environments that help foster it," he says. "Panduit facilities are designed to reduce their environmental impact, and so our building initiatives had to reflect that."

Decision Methodology

Panduit defined a decision making process, to ensure that stakeholder interests were fairly represented. Figure 2 (page 22) shows the decision methodology developed by Intelligent Buildings Inc. (www.IntelligentBuildings.com) included in that process and used to evaluate elements of the building initiative, including security technology.

There are three rating scales to the method - Essential, Business Case and Strategy - and each are rated 1 through 10. Panduit established a go/no-go scoring level of 15. If an item's total score for all three scales hit 15 or higher, the item was included in the building plan. If not, it was dropped. Items like physical access control were given an Essential rating of 10. (Additional details on EBS scoring are available online in the expanded version of this article.)

Key Success Points

Woodward and Naese summarized the key points for a successful building project:

1. Start as early as possible.
2. Ensure that all stakeholders are represented on concept teams, so that nothing is forgotten.
3. Revise the conventional construction process - typically, IT comes in last; now, IT and the infrastructure elements must be addressed very early.
4. Account for legacy technologies by envisioning their future migration to IP networks, but including their conventional cable runs in the existing cabling pathways and patch panels. That way, when the business climate dictates the need to migrate, all required physical infrastructure elements are already deployed as part of the common infrastructure.
5. Realize that early design decisions heavily influence success.
6. Be sure to look well past "Day 1" to what you want the building to be 10 or 15 years from now. It can be easier to build some things in the infrastructure up-front, rather than pay for changes done later.

Return on Investment

"The payback for the $615,000 incremental costs for our U-OC2 and EOC capabilities is 2.6 years, which fits our corporate guidelines," Woodward says. "For example, instead of using fencing around the building campus as we have done with all of our other facilities, we're using video analytics with roof-mounted cameras. This is a significant cost savings, as well as a visual enhancement to the property."

Adds Connor: "Unified physical infrastructure allowed for several additional ROI enhancements, which resulted in a positive ROI in both hard equipment and soft operations cost reductions." (Additional details on ROI are available online in the expanded version of this article.)

Driving Interoperability

Networked technologies provide opportunities for systems interaction that expand the ROI for security technologies and other technologies.

For example, a system can push video and alarm messages out to receptionist phones, when appropriate. Visitor management systems can alert a receptionist when an escorted visitor's sponsor has left the building and not returned yet. Conversely, when a receptionist has momentarily stepped away from the reception desk, phone and video displays can instruct a visitor to call the U-OC2, so that staff can respond appropriately.

"This kind of interoperability is driven by how you and the stakeholders want the building to work, and what kind of environment and experience you want for your facilities," Woodward says.

Connected Buildings and Security Systems

When a multi-story building is under construction, passers-by see steel framework, concrete flooring, air ducts, pipes and cables - all of which eventually disappear when the outer skin goes on and the inside walls go up in the final phases of construction. When the building "comes to life" during occupancy, many building systems - including security systems - become active and start playing a role.

Because building systems are migrating onto a common network infrastructure, and are thus able to connect with one another to exchange information, it helps to envision the copper and fiber cable throughout as the building's nervous system, enabling its various management and control systems to optimize building functions. This is not just a poetic analogy, as can be seen from the two video links below.

Cisco, which created the second video, applied the unified operations center concept in creating its Global SFOC (Security and Facilities Operations Center). In discussing its ROI, Cisco's Deon Chatterton, Senior Manager of Integrated Building and Risk Technologies, pointed out that the return for an operations center with a combined function is higher than for two separate centers. Where a single-function operations center may not fully make its business case, consider a dual-function center.

It is worth taking 15 minutes to view these YouTube videos, and to note how many times security and security technology can be seen to play a role in both security and non-security building functions.

Panduit - Connected Buildings (2:33): http://tinyurl.com/Panduit-cb
Cisco - Connected Real Estate (9:43): http://tinyurl.com/Cisco-cre

Seven Steps to Achieving High ROI
By Ray Bernard, PSP, CHS-III

In Panduit's new headquarters project, soft and hard ROI elements were examined very closely. One part of the ROI work was to contrast the traditionally separate SOC and NOC functions, with a Unified Operations Center function. Another part had to do their Unified Physical Infrastructure approach as compared to traditional approaches to communications infrastructure. Still another aspect has to do with the interoperability of technologies, such as pushing emergency notification messages to IP telephones. Finally, from a big-picture view, every aspect of the building experience was examined to determine how that experience could be enhanced by the utilization of security and communications technology. From a people, process and technology perspective-all the bases were covered.

All that sounds good in summary, but how does one go about accomplishing the achievement of high ROI? Are there specific actions involved, or is it more a matter of intuition and gut feel for where to look for ROI elements?

Steps to ROI

While experience, intuition and even imagination do play a part, those are best brought into play by following specific steps for progressively building a sound ROI business case. Those steps are:

- Capture the Purpose
- Capture the Costs
- Capture the Benefits
- Analyze the Costs and Benefits
- Express the ROI
- Present the ROI Business Case
- Achieve, Monitor and Report the ROI Results

The first five steps are examined very closely in the linked white paper "Five Steps to Accurate and Compelling ROI" (view or download at http://tinyurl.com/5-steps-to-security-roi). While these steps apply to ROI for any business function or initiative, they are examined here (and in the white paper) with regard to security measures. Each of these seven steps is summarized below.

Capture the Purpose

There is a purpose that is being served by the measures for which the ROI case is being developed. Capturing that purpose involves identifying the stakeholders who benefit directly or indirectly. The purpose (or purposes) must be tied back to strategic objectives at some level to ensure relevance to what the company is trying to accomplish.

Capture the Costs

The costs include both direct and indirect costs, all of which must be identified, and quantified where possible. If the people paying aren't the people directly benefitting, then the business case (and perhaps some aspect of the way the business is organized or operates) needs to be thoroughly examined.

Capture the Benefits

Something that benefits all employees should benefit the entire company in some way, but sometimes in-depth analysis is needed to identify the full scope of the benefits. If the business environment is made noticeably safer, it could become easier for HR to hire qualified people at lower pay levels. Thus the benefit chain can often be found to link to business-building and revenue-generating aspects of the business. (For a close look at such factors see the book Not a Moment to Lose...Influencing Global Security One Community at a Time by Francis D'Addario, a principal of Crime Prevention Associates, Emeritus Faculty member of the Security Executive Council, and former the former vice president of partner and asset protection with Starbucks. For more information see: http://tinyurl.com/not-a-moment-to-lose and download an excerpt from the book.)

Analyze the Costs and Benefits

Cost/Benefit analysis can only be done when the previous steps are fully done. Here is where direct and indirect costs are evaluated, ranked, and prioritized according to business objectives. At each cost or benefit point, the measures under consideration will be competing with other measures for funding. Developing this context for ROI is where most ROI analyses fall short. No matter how good the benefits are or how low the costs are, any ROI case will be competing with other ROI cases on its merits with regard to business benefits, improvements, and return.

Express the ROI

The ROI must be expressed in the ways that the stakeholders view things. Thus for financial stakeholders, the numbers may at some point need to be expressed as MIRR (Modified Internal Rate of Return) or whatever other formulas are currently in use within the business. Other metrics may be used in other parts of the company. The expression of ROI must be meaningful to each stakeholder. This is a factor that is often not understood and could very well be the factor that elevates an ROI proposal above competing proposals. Understanding and expressing ROI in terms that are meaningful to the business shows that you have a senior understanding of the business and makes your assertions more credible. It also puts you in a position to know what you have to deliver, thus enabling you to actually deliver on what you promise.

Present the ROI Business Case

There should be more than one presentation of the elements of the ROI business case, some for preliminary approvals and stakeholder support, and some for whatever formal approval processes are involved. The previous steps will develop a lot of work product and backup material. That now needs to be distilled down and presented as simply and graphically as possible, so that little to no explanation or discussion is needed for the basic ROI case to be understood. The method of presentation will depend upon the approval processes. Two different types, for example, are the meeting format with verbal discussion and Q&A, or the review committee format, where there is no discussion and submitted materials are utilized for evaluation. Ensuring that key stakeholders are educated in advance can be critical to ensuring an evaluation environment that includes strong support for your ROI case. All ROI presentation materials should be "tested" with people who don't already know the ROI case, to ensure that they communicate as effectively as you want them to. It is irrelevant how well the materials impress you - they have to impress the intended audience.

Achieve, Monitor and Report the ROI Results

The full scope of ROI work is captured in these two phrases: Achieving ROI and Managing ROI. Most practitioners ask about "finding ROI", "selling ROI", "quantifying ROI" and so on. ROI should be an ongoing element of managing operations. What has been invested in, and what it the return from it? This is simply good business management. Thus ensuring that you achieve the ROI case that you have documented on paper requires implementing management controls and metrics so that the approved measures or programs achieve the levels of effectiveness and performance that are required to warrant the investment in them. (You can find 375 security metrics in the book, Measures and Metrics in Corporate Security, by George Campbell, former CSO for Fidelity Investments, and an expert in the field of security-related metrics. See http://tinyurl.com/measures-and-metrics for more information and to download an excerpt from the book.)

The big picture is that ROI is simply one factor in establishing and maintaining a good security program, one that is well-aligned with the business and is known to provide strong business value.

Essential Elements, Business Case and Strategy
By Tom Shircliff and Rob Murchison, Co-founders, Intelligent Buildings, Inc.

Organizational alignment is the reason why most projects, both new and retrofit are not more intelligent or converged. When it's all or nothing in real estate it's generally nothing.

That alignment starts with business strategy, and involves people from all of the areas that have historically worked in silos.
Both Security and IT departments need to work closely with other internal departments such as facilities, finance, HR, planning, purchasing and others. Whose department is it when access controls pull data from an HR database through building systems middleware over a single switched building network and then bills back for afterhours activity? Is it HR, IT, Finance, IT or Security? Who has what role and responsibility, and how does this come together? A sound strategic approach can facilitate collaboration at high levels, and provide a starting point for answering these kinds of questions.

Strategic Approach

The EBS methodology is part of a larger strategic approach to "smart buildings". The "S" in EBS is indeed "strategic". This underscores the importance of strategy right down to the system level. EBS makes actual system purchase decisions based on essentiality, business case AND now strategy. It's the issues of our day that have caused building and facilities issues to rise to the level of "C-suite" involvement.

The most notable issues are:

1. Sustainability
2. Smart Grid
3. Government Regulation
4. Technology Changes

Many corporate, government and institutional real estate owners have publically stated sustainability goals which often are not measurable and manageable. This requires technology and connectivity involving multiple building systems including security. The smart grid is coming faster than expected due to stimulus and the necessity of increased capacity and more reliable distribution, but is incomplete without interaction from the buildings that consume the electricity. The prospect of Cap & Trade laws along with other existing and proposed government legislation or regulatory requirements are a reality for building owners that presents risk and likely increasing operational expenses. Finally, technology changes are causing increasing need for organizational alignment as systems such as security, BAS, lighting and A/V merge functionally, pull from disparate budgets and force new types of decision-making across departments and even geographies.

That decision-making and the aforementioned organizational alignment are the key to EBS and smart buildings in general. Without an authoritative champion, an EBS-type methodology and aligned staff any smart or converged building effort will be challenged. Alignment should be both internal with departments and budgets but also importantly with external vendors. Some vendors are risk-averse and sometimes set in their ways and need clear directives from the client to make changes to their traditional process.
Strategy, alignment and decision making methodology will ensure a successful convergence project.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard is founder and publisher of "The Security Minute" 60-second newsletter (www.TheSecurityMinute.com). He is also active in the education committees of the in the ASIS International Physical Security and IT Security Councils (www.asisonline.org). Mr. Bernard is also a member of the Subject Matter Expert faculty of the Security Executive Council.