Function Vs. Faction

If one accepts the premise that security is a “weakest link” discipline, then no organization can truly approach being secure unless they consider all of their security risks when crafting an overall security strategy and making risk mitigation decisions.

For many years, organizations have approached risk mitigation in an essentially siloed format, where physical security, IT security, audit, risk management and other risk-oriented functions operated independently. The gulf between these divisions inevitably increased duplication, bureaucracy and cost.

Over the past few years, a variety of business drivers has led these independent business functions to come together. This trend has been called security convergence: the formal, collaborative and strategic integration of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness, and cost savings.


Study Finds Convergence Drivers

In a recent study commissioned by ASIS International, the Information Systems Security Association and ISACA (Information Systems Audit and Control Association) and conducted by Booz Allen Hamilton research, 36 global organizations were surveyed about the business drivers motivating security convergence in their organizations. The top five business drivers were:


1. The rapid expansion of the enterprise ecosystem. Organizations' network environments continue to expand, introducing new risks to the enterprise. Just a few factors extending the perimeters of organizations: global enterprises connecting disparate systems across countries and continents, connections with third parties, business partners, remote access, wireless, and the promotion of legacy systems to the outside world through the Internet. This push to expand technology borders is driving the risk equation to new heights.


2. Value migration from physical assets to information-based and intangible assets . For many years organizations were primarily concerned with protecting assets in the physical realm—inside filing cabinets and desks. In recent years we have seen a number of assets transition to almost entirely electronic form. Records often exist only in electronic format; orthophotos are stored in GIS databases, and CAD drawings are available online. The skill sets required to protect these assets have had to evolve in parallel with the migration of the assets themselves.


3. New protective technologies blurring functional boundaries. Historically, the tools of the physical security department included the standalone access control system, alarm system and CCTV system. Many of these systems now operate solely in the network environment, and all the while many physical security professionals are becoming less knowledgeable about the systems they rely on to conduct their operation.

One of the more frightening realities is that often physical security equipment is proprietary and can be left unsupported, ending up un-patched, insecure and vulnerable to attack.


4. New compliance and regulatory regimes. New regulations are enhancing due diligence requirements all over the world. Organizations are required to certify, with a high level of assurance, that data and financial records are accurate and personal information is protected. Legislation like PIPEDA in Canada and Sarbanes Oxley and Gramm-Leach-Bliley in the United States are all escalating the pressure on organizations to efficiently address enterprise security issues.


5. Continuing pressure to reduce costs. There has been no relief worldwide from the pressure on organizations to do more with less. In both the public and private sectors there are always more projects and more initiatives than can be delivered. So the cost reductions and projected cost savings arising from convergence activities make them especially attractive to all organizations.


These five drivers constitute a compelling case for convergence. The urgency of a convergence response is further enhanced when one considers the changing nature of threat itself.


Combat Changing Threats

Implicit in all discussions about the security risks facing organizations today are the changing threats with which the world is faced. For years the physical security department was chiefly responsible for dealing with organizational responses to acts such as fraud, theft and harassment in the workplace. They used traditional investigative and security processes and tactics to hunt down the culprit and initiate punitive action. In the virtual business world, these crimes can occur with stealth, anonymity, and blinding speed, and they are capable of eviscerating any protections that the physical security department can employ.

The physical security professional is often left unprepared to deal with cyber stalking, electronic identity theft, or viruses that introduce spyware and keystroke loggers to an employee's computer. These profitable and destructive behaviours can add significant pressures to an already stressful work environment and place new burdens on IT security personnel, who have traditionally had their responsibility limited to technology and data protection.

IT security people have for years asserted to senior management that major changes need to be implemented, often at the cost of convenience or at the expense of competing projects. But in many organizations, this sage advice was treated as fear mongering or prescriptive twaddle. Through convergence, security groups can unify their message and deliver more cost-effective security controls to meet new threats.


Key Concepts of Convergence

Both IT and physical security functions bring significant strengths to the table, and these strengths must be capitalized upon in order to address the inherent challenges of the broader business context. IT security has technical expertise but limited staff numbers; physical security generally has the opposite. When these groups work together, the assets of each group can aid in threat mitigation, cost reduction and improved efficiency.

Before such effective cooperation can be achieved, however, these groups must learn to speak a common language. IT people traditionally know very little about patrolling buildings and arresting criminals, whereas physical security people are often equally baffled by firewalls, servers and viruses. The common language between them is the language of risk. Both groups speak to their reporting chain about situations that jeopardize the organization's assets.

The process must also battle historically different hierarchies and dissimilar cultures. Once the groups begin to speak the common language of risk and begin to work together to improve security, then the benefits can be effectively quantified. Once measured and understood, the value of integration must be evangelized throughout the organization to promote continued convergence.


The City of Vancouver 's Experience

The City of Vancouver approached the convergence of IT and physical security in the manner outlined above, and it has paid dividends for the security program and for the organization's ability to address risk.

The city employs an in-house guard force for its City Hall campus, and this team was trained to assist in IT security compliance reviews. Given that they already patrolled the facility every day, they made the perfect resource to observe and report on IT security conditions at desktop locations. In one instance, they were able to identify two rogue wireless access points.

Many other options exist to enhance the duties and effectiveness of existing staff, including cross-training investigation staff and IT security analysts and having technical staff review the physical security architecture to ensure fundamental IT security protections are in place.

While not all the results are in, the city has experienced a significant drop in IT security policy violations. In fact, they saw a 54% reduction in just the first 90 days of the program. In addition, there has been a rise in customer satisfaction and a general increase in the morale of the security officers.

The city is now moving ahead with the integrated reporting of security incidents and risks. In this combined format—that identifies risk in a more comprehensive manner—senior management will receive, in one document, a broader understanding of the enterprise-wide risks, thereby enabling better risk mitigation and reducing the time spent on decision making.

The security teams are working together to creatively define benefit opportunities. These have included using the city's SAN infrastructure for massive cost savings on CCTV storage and archiving.

Finally, the city is moving to maximize any opportunity to deliver the security message to the customer more efficiently. Threat and risk assessments (TRAs) are becoming more integrated so that both physical and IT security matters are considered in them. Security awareness training and security education are conducted in a combined format.


Setting Directions: Lessons Learned

To engage security convergence principles in a meaningful way, one must divorce oneself from the concept of security factions and begin to allocate integrated resources to mitigate organizational risk. The overall goal of all security and risk departments is, in the end, to protect the organization's people, information and property while minimizing the costs of those protections and enabling an efficient business to deliver for the customer.

Convergence will be a key defining factor in an organization's strategic competitive advantage in the coming years. In all organizations, the initial integration points for security convergence exist at the strategic, tactical, policy and operational levels.

• At the strategic level, it is important to focus on the development of an integrated security strategy and on cost-saving opportunities. These can come in the form of an enterprise security strategy that provides leadership on organization-wide issues. An example of such a strategy would be the reduction of duplication in identity management systems by integrating the function into one system.

• At the tactical level, opportunities exist in merging risk assessment and investigation methodologies as well as developing specialized integrated training programs for more effective staff performance. At the City of Vancouver , the investigations and risk assessment methodologies are integrated to ensure that these activities take full advantage of the resident skill sets and knowledge bases, thereby reducing duplication and consequently the cycle time in completing these activities. Similarly, costs are reduced because staff completes only one TRA for each facility, instead of separate TRAs for the physical security and the IT security functions.

• At the policy level, organizations should seek to minimize policy duplication by integrating similar physical and IT security policy subjects into a single policy development framework. If developing a corporate standard on access control, it is important to consider all forms of access to the organization, both IT and physical, and to then develop a policy that addresses the protection of, and access to, all corporate assets. Such integration is likely to result in demonstrable time savings in policy development and will reduce significantly the time demands on stakeholders engaged in comment and review.

• Finally, at the operational level, significant benefits can accrue from the integration of security functions. These can include organizational benefits, such as the use of physical security staff to aid in IT security policy compliance reviews. Security personnel who are patrolling facilities can be re-trained to look for IT security risks at the desktop location.


During the initial year of the City of Vancouver 's integration program, a number of valuable lessons have been learned.

• Pick off the low-hanging fruit in order to build team support and belief. Once the team has some initial successes, they will buy into the program more readily.

• Successes must be communicated religiously to all levels of the organization. Organizational barriers are broken down by delivering on promises and showing that the program can deliver lower overall costs.

• It is important to accept that not every part of each group is best converged, and to try to work around this. There may be some functions that cannot be easily converged, either initially or ever. The lesson is both pragmatic and simple: adopt the level of convergence that will work for your organization.

Convergence needs to be methodical, measured and sometimes slow, but it leads to significantly increased efficiency and cost savings.


Dave Tyson, CPP, CISSP is the senior manager of IT and physical security for the City of Vancouver . He has been working in the IT and physical security industry for 22 years with a focus on security management and training, audits, risk analysis, security architectures and administration. Mr. Tyson is also the chairman of the 2006 IT Security Council for ASIS International, and he is a member of the Canadian National CIO Sub-Committee on Information Protection.