Converging Risk Assessments

• By Marleah Blades
• Aug 19, 2008

Just as every business is unique, so too are corporate approaches to physical and logical security convergence. However, as companies develop their convergence models, they should thoroughly consider all business functions or processes that may benefit from it, says John McClurg, vice president of global security for Honeywell.

McClurg, a member of the Security Executive Council, has seen a variety of models as he’s researched convergence practices in large organizations, and he’s noted that corporations frequently overlook one function that could benefit from convergence: risk assessment.

“Classically, your IT risk assessors will go to part of a business, show up one week and then come back and issue a product,” McClurg says. “A couple of weeks later your physical team will come, take more of your time, do an assessment and issue a product. It’s left to the [assessed department] to correlate the total risk posture.”

At Honeywell, McClurg has pulled those two activities together, cross-training risk assessors and sending out teams able to perform a single comprehensive risk analysis comprising both IT and physical security. He’s seen a number of benefits from this innovative approach.

A Clearer Risk Picture

“The converged assessment is more likely to present in a coherent manner the interdependencies between physical and cyber vulnerability,” McClurg says.

“A good example is the phreakers (telecom hackers) I used to work against when I was in the FBI,” he said. “They would exploit a 30-year-old rusty lock with an old-fashioned pick set -- a physical world vulnerability. Once that’s exploited, the phreaker goes into the central office of a phone company and quickly gathers up manuals, passwords and other equipment that he can take back to his base of operations, and there advance a far more sophisticated cyber attack than he would ever have been able to do but for the physical world deficiency.”

When IT and physical risk assessments are done separately, the assessed business unit has to put the two assessments side by side and analyze them carefully to discover interdependent vulnerabilities -- but this doesn’t happen often. A converged assessment draws the lines of interdependency for the business unit, leaving less to the imagination and allowing it to move directly to the mitigation phase.

Better Audit Performance

Because the converged audit provides a clearer risk picture, it helps each business unit prepare more thoroughly for the corporate audit, anticipating which issues might be cited and dealing with them in advance. When one team is responsible for risk assessments, it is also easier to coordinate them with the corporate audit schedule in mind.

“We know where [the audit is] going to go a year in advance,” McClurg explains. “And we try to get our assessments pre-positioned six months in advance of the audit so any remediation that needs to be done can be fixed before they come. You see a more robust audit rating and less going to audit committee.”

A single converged risk assessment causes less interruption, improving unit productivity. McClurg says Honeywell also has experienced significant cost savings from using converged risk assessment teams.

“With a team that is cross-trained, you can do more with the same individuals,” he says.

Significance Of Influence

To begin converging risk assessments in the corporation, you must have a relationship and influence with the heads of other business units and in the executive suite.

“I sit on [Honeywell’s] IT Council with the CIO and its Technology Leadership Council with all the CTOs, and I advance those duties as a peer, which conceptually pulls or expands the way you traditionally think of the CSO,” McClurg says.“It’s a positioning that acknowledges that in this day and age security is not an afterthought but an inextricable, indispensable way of advancing the business, whether it’s the technology or the IT or the resiliency piece of the business.

The inextricable nature in which security weaves itself into the company justifies the placement of this critical role.”

Because of his role in the organization, McClurg has found strong support for converging risk assessments: “I end up not having to do nearly as much pushing as I’d otherwise have to do, because as you educate your peers, they start to recognize the need for certain initiatives, so they’re pulling with you instead of being pushed.”