In many organizations, the critical functions of information technology and physical security often operate independently of one another—unaware of each other’s strengths and weaknesses, the potential risks of operating separately and the benefits of operating as a team. Increasingly, however, the convergence of IT and physical security is becoming a preferred and highly desired business practice because of the new levels of performance it brings to its users.
Lessons Learned from Peers
The 6th ADT Financial Security Symposium, which will be held Nov. 14-16 in Palm Beach Gardens, FL, will address these issues as well as trends in physical security, identity fraud, and new video and access control technologies. Program presenters will include several of the 50 representatives from leading regional and national banks in attendance, representatives from the American Bankers Association, the FBI and Security Technology & Design’s editor and publisher, Steve Lasky.
At last year’s symposium, top security officers from two major financial organizations—National City Corporation and Citizens Financial Group—shared with 40 senior security officers from national financial institutions precisely how they are working to enhance the capabilities of their physical and IT security groups.
Gareth Webley, chief security officer for National City Corp., said his company has created measurable efficiencies by combining the physical and information security functions into one operation.
“At National City, we believe security events, regardless of whether they are physical or electronic, are to be handled from the same place,” Webley said. “You have to get it down to a single voice. The security solutions on the market today are IT based, and that will continue.”
Webley said the convergence of information and physical security is well underway in the banking industry. Physical security systems such as access control, intrusion and fire detection, video surveillance monitoring and other systems now demand larger segments of the network bandwidth.
He said other factors driving convergence are terrorism, cyber-based crimes coordinated with physical attacks, a host of government regulations such as the Sarbanes-Oxley Act of 2002, and natural disasters that have impacted the continuity of banking operations in recent years.
“A (physical) security officer is going to have distinctly different responsibilities than a firewall engineer, but there is an awful lot in between that can be done within the same group, under the same management with consistent policies, processes and discipline,” he said. “We want to create and foster a true unified organization with common services—investigations, administration, risk assessment and project delivery,” Webley concluded.
Separate but Coordinated
Ryan Buckley, vice president of information security for Citizens Financial Group, said his company currently operates with separate but coordinated groups for physical security (PS) and information security (IS). The arrangement, he said, works well for Citizens primarily because of frequent communication and close cooperation between the organizations.
“We think our two functions have done a great job of collaborating over the last couple of years,” he said. “We are getting our security teams to understand the responsibilities, talents and skills of each other so that people aren’t afraid to pick up the phone or send an e-mail to leverage that expertise.”
The communication extends to a number of areas. Buckley said a representative from the physical security staff typically is invited to join IS meetings. A physical security staffer may spend the day with an IS engineer to get a better idea of the job. He said the results in terms of knowledge and relationships from these interactions are “priceless.”
Citizens conducts monthly security roundtables to which both PS and IS staffs are invited. These meetings focus on strategies to deal with continuity issues, risks and security threats that come from a combination of technology and physical security conditions. To be ready to handle a crisis, the bank has regularly trained, prearranged teams of employees who know they will be called upon to act, depending on the specific situation.
“If there is a physical security issue that has an IT spin to it, there is a whole team of information security guys ready and willing to jump into action and help,” Buckley said. “And likewise, we run into ‘bad stuff’ all the time—maybe an employee violating his access privileges or an issue that may require law enforcement intervention. In those cases, the physical security group is our liaison.”
To gain the assistance of the bank’s employee base in spotting security issues, the bank began a citizens alert line, an 800-number call-in program that employees can use to anonymously report suspected violations of security protocols, on both the IT and physical security sides. The bank, through a variety of communications with its employees—including a twice-yearly newsletter from the physical security group—encourages use of the alert line.
Higher Collaboration to Come
For the future, Buckley predicted an even higher level of collaboration between the bank’s IS and PS groups. For example, the bank plans to correlate reports of security problems so that events can be reviewed in automated ways and, if necessary, proper teams can be alerted to take action.
John Pearce has 20 years of experience in the security industry, the last five as commercial marketing/national accounts manager for financial institutions and banks for ADT Security Services Inc.