Separate but Coordinated
Ryan Buckley, vice president of information security for Citizens Financial Group, said his company currently operates with separate but coordinated groups for physical security (PS) and information security (IS). The arrangement, he said, works well for Citizens primarily because of frequent communication and close cooperation between the organizations.
“We think our two functions have done a great job of collaborating over the last couple of years,” he said. “We are getting our security teams to understand the responsibilities, talents and skills of each other so that people aren’t afraid to pick up the phone or send an e-mail to leverage that expertise.”
The communication extends to a number of areas. Buckley said a representative from the physical security staff typically is invited to join IS meetings. A physical security staffer may spend the day with an IS engineer to get a better idea of the job. He said the knowledge and relationships that result from these interactions are “priceless.”
Citizens conducts monthly security roundtables to which both PS and IS staffs are invited. These meetings focus on strategies to deal with continuity issues, risks and security threats that come from a combination of technology and physical security conditions. To be ready to handle a crisis, Citizens has prearranged, regularly trained teams of employees who know they will be called upon to act, depending on the specific situation.
“If there is a physical security issue that has an IT spin to it, there is a whole team of information security guys ready and willing to jump into action and help,” Buckley said. “And likewise, we run into ‘bad stuff’ all the time—maybe an employee violating his access privileges or an issue that may require law enforcement intervention. In those cases, the physical security group is our liaison.”
To enlist its employees in spotting security issues, the bank began a citizens alert line, an 800-number call-in program that employees can use to anonymously report suspected violations of security protocols, on both the IT and physical security sides. The bank, through a variety of communications with its employees—including a twice-yearly newsletter from the physical security group—encourages use of the alert line.
Higher Collaboration to Come
For the future, Buckley predicted an even higher level of collaboration between the bank’s IS and PS groups. For example, the bank plans to correlate reports of security problems so that events can be reviewed in automated ways and, if necessary, proper teams can be alerted to take action.