Live from SecureWorld Expo Seattle: Convergence at Hand

Oct. 20, 2005
Deep in the heart of Microsoft's territory, we're finding a place where physical security and IT are converging

Today we check in with you from Seattle, where we have just wrapped up the Wednesday portion of the SecureWorld Expo conference. Security Technology & Design Editor Steve Lasky and I made our way out here to be a part of the security convergence portion of this mobile conference series.

If you're in the world of physical security - the world of gates, guns and guards - the SecureWorld Expo might not have blinked onto your radar screen until recently. That's partly because this is a fairly new expo series (it certainly doesn't have the years of history that a show like ASIS or the ISC shows have), but also because it really is being driven by the IT side of the world.

In fact, easily nine out of every 10 persons here at the conference come from the "geek" side of the business rather than the "guard" side. That's really no surprise, since most of the conference tracks are decidedly IT security focused, covering such topics as network user identity management, web-based risks, network access control and a variety of stuff that is - at its core - just what you do, but based on the Internet.

SecureWorld Expo brought on the Convergence track, which is put together by ST&D magazine and sponsored by a few companies that know convergence well - Bosch, IPIX and HID. As many of our attendees shared, the convergence track at an IT security conference made sense because physical and IT security staffs are starting to work together in the "real world" - so why not get them together at a conference, too?

That was the goal, and it works, as Steve and the folks at SecureWorld are keenly aware.

In our first session of the morning, Steve and I headed up to room 408 of Bellevue, Washington's Meydenbauer Center (the offices of Microsoft are close by to us, and Microsoft's CISO Karen Worstell was the day's keynote speaker) and were joined by panelists from The Municipal Court of Seattle, the City of Vancouver, as well as industry convergence consultants Ray Bernard, PSP (a contributor to both ST&D and to SecurityInfoWatch.com) and Fred Zagurski, CPP, who knows his way around a converged system quite well, too.

Russ McRee, who is on the IT end of the stick at the Municipal Court of Seattle as the "information security architect", explains what happened for convergence at his operations:

"We were asking, 'Can we share technology? Can we convince them that at least there is room for cooperation?' We were wondering whether a single leader could successfully guide both disciplines," says McRee, whose IT department was faced with a very police-centric, inmate-focused security department.

"And then we had some incidents where intruders came in and were attacking us from the public kiosks, trying to create attacks on the system," McRee continues. "What we found was that we had no written standard of what happens when people violate both physical and IT security standards, so we started to work together to develop those standards. Now that we've done that, everybody knows the others' concerns and knows how to get in touch when they have questions or concerns."

In the Q&A of our first session, we heard from audience attendees who had developed IT and physical security projects that had convergence written all over them. One that was specifically mentioned was an entirely wireless-driven management system for a correctional facility that pushed out access control info, inmate data and other management controls directly to PDAs of staff members walking the halls. We heard from companies that "converged" missions only when they realized that it was going to take a collaborative effort to secure their server rooms, and from others who had simply started talking when the physical security staff asked the IT staff about putting IP-based cameras out on the network.

As Dave Tyson, the CSO for the City of Vancouver, noted during the roundtable, part of what it takes for IT and physical security folks to talk is to stop thinking in terms of their disciplines and to speak a common language.

"The common language has to be business risk," he says. "For the most part, the physical security guys don't speak techie; they talk about gates, and access control and guards. The tech guys, on the other hand, are talking about malware, packets, frame rates, networking intrusion. They have to each lose their unique language and speak together in the common language of risk."

After a quick break to peruse the small, but vibrant exhibit hall, we were back at 11:15 with Ray Bernard to get his take on the world of convergence. Bernard's discussion illustrated two of the key points of convergence that all security persons should know:

1) It doesn't matter if the CSO comes from the IT or physical security side as long as they have leadership skills, can understand risk in a holistic manner and have the ability to sell the security program (IT or physical) to the company's executives.

2) You're going to face bandwidth issues as we move to IP-based video. During most times of the day, the security system is sending no data, maybe 30k to announce a door has been opened by employee X, but really nothing is being shipped over the network. Then you have an incident and bandwidth is blown out because everyone from the Grand Poobah to HR to public relations to the guards to the facility manager to the managers in the company's area affected by the incident is trying to access this video at once.

We headed out to lunch (or actually, to a roundtable discussion of high-level CISOs and CSOs where there really was no lunch), but we got some interesting takes on people's challenges.

Back from the lunch hour, the convergence track of SecureWorld saw a visit from Clara Conti, the CEO for IPIX Corporation. For those of you who still remember IPIX from its days as a virtual real estate tour, you're on the right track for this company, but they're doing so much more since Conti came aboard. The 360-view is now being coupled with higher-resolution cameras (2 megapixels now, and 3 megapixels are right around the corner) and has been used for some high-profile security events, including the last presidential inauguration.

Conti brought attendees up to speed on IP camera technology and video analytics and discussed issues such as approval of digital images for court. The session actually had a great discussion about what the "uncertified" nature of digital images means in terms of adding an extra legal step or two to the court process. It was clear from a number of people in the room that IT personnel are willing to take security into their own hands to secure IT assets that are going unprotected. Whether this was an indication that some companies are developing IT security staff long before they even think of needing a physical security staff member, or whether it shows the continued disconnect between IT and physical security, it's hard to say. One thing's for sure - if IT starts to play with what are traditionally considered physical security devices, and if physical security staff want to put their devices on the network, then convergence will have to happen.

Tomorrow (Thursday) we're going to hear more on these subjects. Check back for a report on Thursday's session in my weekly wrap-up e-newsletter that we send out on Fridays.