When Worlds Converge
- By John W. Verity
- May 14, 2007
Operations dispersed more globally than ever. Third-party outsourcing increasing exposure to new risks in new locales. Stolen laptops containing millions of customer records. Value shifting from hard assets to information, brand names and other intellectual property. The Wild Wild Web bringing more sophisticated attacks each day. Sarbanes-Oxley regulations looming over every activity.
Add to all this the usual budget pressures, and the challenge of keeping the global enterprise secure looks stiffer than ever. CEOs and their boards are scrambling to respond, with much of their energy focusing on what has come to be known as convergence: getting the traditional corporate, or physical, security department to team up and coordinate better with security specialists in the corporate IT division. Identified as a trend only a few years ago, convergence has since become top-of-mind for a growing number of chief security officers (CSOs) and chief risk officers (CROs). According to an annual survey by PricewaterhouseCoopers, the portion of global corporations that had in some way integrated physical security and IT security has doubled in the past three years, from 29 percent in 2003 to 58 percent in 2006. Even more dramatic during that same time has been the near quadrupling of companies reporting they have both security groups reporting to the same executive, from 11 percent to 40 percent.
Easier Said Than Done
Unfortunately, as many companies have been discovering the hard way, successfully achieving convergence is easier said than done. Differing mentalities, reluctance among executives to surrender turf, inexperience, a lack of knowledge are among the many barriers. And, implemented improperly, convergence can actually make a company less secure than it was before.
“Convergence is definitely happening,” says Ray O’Hara, senior vice president at Vance International Inc., an Oakton, Virginia-based security consultancy and unit of Garda World Security Corp. in Montreal, Quebec. “It’s just not happening overnight. Both sides still have a lot to learn from each other.”
Indeed, could any two groups be of more different mindsets? The chief security officer, the traditional head of physical security, often has years of experience in law enforcement, the military or intelligence. IT security people? They’re techno-geeks, and proud of it. Where the CSO may have gotten to where he or she is by acting as an authoritarian, IT people often have a libertarian bent.
Their toolsets are light-years apart, too. Corporate security’s arsenal is heavy on the hardware: badges, cameras, good old-fashioned barbed-wire fences and even guards wearing guns. IT, in contrast, operates in a mostly virtual realm: hushed, darkened control rooms lit by flickering screens, arcane acronyms and soft, squishy tools like firewalls and packet sniffers. Where traditional security tries to identify, block and nab warm bodies, IT does battle with anonymous hackers and hordes of hijacked “zombie” computers. With CSOs generally lacking in IT-specific experience and technical expertise, bridging the gap between these two groups calls for special attention.
“There’s a lot of misunderstanding out there,” says Larry Ponemon, chairman and founder of the Ponemon Institute in Elk Rapids, Michigan, which tracks corporate security and privacy issues. “I hate to say it, but CSOs can be a little close-minded -- old dogs aren’t always ready to learn new tricks.”
An Holistic Security Strategy
But try they must, experts say, even if there’s no single formula for converging two disparate security disciplines into a seamless whole. The ultimate goal should be to create “an holistic security strategy,” but that has to be done in a way that fits each company’s specific culture and the talent it has available to it, says Kim Jones, senior vice-president and CSO at eFunds in Scottsdale, Arizona.
Jones himself is a rare breed, a CSO who has racked up years of experience in the traditional security field yet also has strong, firsthand knowledge of computing. After getting his degree in computer science at West Point, he spent ten years in Army intelligence. His broad background, Jones says, “prepares me to take on both roles without short-shrifting either one. I understand camera placement, access control, dead-space analysis, fire and flood.”
He’s the first to admit that he’s hardly a world-class computer programmer, but his IT training gives him a good leg up. “The best technologist can’t BS me, and neither can the best physical guys,” he says.
Most CSOs have come up through the ranks of physical security and therefore lack much immediate experience with and knowledge of IT technologies and issues. But reality is forcing them to catch up, if only to better manage the specialists they have reporting to them, whether directly or via a dotted-line relationship.
Further, physical security’s video cameras and badge readers are connecting to their control points and monitoring stations -- as well as to enterprise directories, identity management systems and human resources databases -- via corporate networks that also carry Web traffic, email, internal data, even telephone calls. Because it’s generally IT departments that operate those networks, video surveillance traffic may not always be given the priority it requires.
“These are turf wars that really have to go away,” says Vance’s O’Hara.
Meanwhile, even as it uses ever-more sophisticated technology to battle would-be cyber-criminals, IT security must cope with serious new challenges that occur in the physical realm. Sensitive information is getting loaded into all kinds of mobile devices, for instance -- mainly laptops but also cellphones and PDAs -- and when one of them gets lost, stolen or misplaced, IT may fall short in critical skills in the areas of forensics and managing chain-of-custody.
The Best of Both Minds
“They have such different mindsets,” says Jerry L. Archer, a longtime security professional with experience at Visa International, Fidelity Brokerage Co. and Bankers Trust. But two minds, he says, are almost always better than one, especially when it comes to identifying security holes in IT systems before they’re exploited by bad-acting insiders or outside attackers.
If handled well, the natural tension between IT and security can be channeled into creative solutions. IT people, says Archer, tend to draw up a system design in a way that works right for the organization and then deploy it. The security department’s goal, on the other hand, is to demonstrate gaps in the design that make it insecure. In the end, a good security organization and good IT organization can elevate each other’s performance.
Pick-Up Sticks
“Think of it as a house of pick-up sticks,” Archer says. “Security’s always trying to pull one stick out and make the whole thing fall down. It’s important to have people with different focuses.”
“You don’t necessarily need one individual [to run security] as long as you get the existing individuals to work together seamlessly,” agrees Jones at eFunds.
Still, enterprises need formal policies and procedures that foster regular and constructive communications and collaboration between the two groups, all with the goal of driving “an overarching, holistic strategy that leaves no gaps in your security posture,” he says.
Without such a strategy jointly hammered out and agreed to, Jones warns, “there may be too much ego and one area will get neglected.”
In the end, he says, “convergence does make life easier. I have to worry less about coordination and buyoff among other security organizations.”
Rhonda MacLean, a security consultant and former CSO of Bank of America, says she advises clients to create and nurture “a culture of trust between physical and cyber-security guys. They need to talk or be together a lot. It’s really important that the two disciplines work together in an end-to-end process, that there is leadership that makes sure all the dots get connected.”
Organizational issues, such as whether IT security should report directly to the CSO, matter less than regular meetings. “I see it in terms of risk management, which involves security, business continuity and privacy,” she says. “Sharing and strategizing and tactical planning are a must.”
O’Hara at Vance takes the call for regular communications and collaboration a major step further. In this age of globalization, he says, security touches many corporate functions, and the CSO interested in full convergence may want to bring more voices to the table than physical and IT security.
For example, manufacturing is often outsourced to offshore producers, the corporation’s value is held largely in the form of easily purloined intellectual property and supply chains have been stretched out to involve many different partners operating in myriad locations. In such cases, “information, in all its forms, is probably more important to the company than who's coming over the fence,” says O'Hara.
Therefore, the CSO and chief information security officer (CISO) should get together with “supply-chain people, manufacturing, sales people and brand managers, for all of them have a stake in managing the enterprise risk factor,” he says.
What makes this wider conversation about security so critical, O’Hara says, is the growing complexity of the environments in which most large companies now find themselves doing business.
Take the common problem of tamping down gray market sales. It’s not unusual for authorized distributors to order more goods than they can legitimately sell and then quietly unload the excess into unauthorized channels. To crack down on such activity, which can affect the value of a brand, profit margins and relationships with key partners, a producer will often respond by being more aggressive in enforcing the contracts it has with the offending distributors. That will likely call for the security department to nail down certain investigative documentation. But as the gray market activity gets shut down, the company may see a decline in overall sales volume. Therefore, O’Hara says, it’s advisable to give the sales department -- among others -- a say in resolving what turns out to be largely a security issue.
CSOs can benefit from not only improved familiarity with IT but with business issues as a whole, says Tom Cavanagh, a senior research associate in Global Corporate Citizenship at The Conference Board in New York City, a management consulting firm.
“It would be helpful to have an MBA and management experience so you know how to contribute to business value,” he says. “Most security guys know how to run a checkpoint or clear a building, but they're at sea with broader business concerns.”
And instead of viewing security merely in terms of defense, business managers ought to see it as an enabler that can help them take advantage of opportunities without incurring undue risk. As Cavanagh sums it up, “Don’t tell me no, tell me how.”
John W. Verity is a freelance writer based in South Orange, N.J.