The word “convergence” may sound like nothing more than the latest security-industry buzzword. However, when it comes to protecting an organization’s assets, it is a concept facility executives would do well to become familiar with. That’s because effectively securing an organization today requires protecting both physical and information-based assets.
That’s what convergence is all about: the realization that traditional and IT security are interdependent, and that steps to address risks should address both areas — indeed, should cover the entire enterprise.
“I see convergence happening just about every place,” says Dave Cullinane, CPP, international president of Information Systems Security Association (ISSA). “It’s like a wave crashing over the ship’s bow.”
As security technology and processes come together, people in an organization inevitably are affected, as well. That can generate rifts between the employees who traditionally have been responsible for protecting a company’s physical assets and those who are in charge of protecting its information assets. “It can become a turf war,” says Sean A. Ahrens, CPP, senior security consultant with Schirmer Engineering. Either side may feel that the other is encroaching on its territory.
Information security typically rests within the IT department, while physical or traditional security is often a function of the facilities or real estate departments. However, as physical and information technology security policies, technology and people converge, many facilities executives should learn the range of risks their organization faces. They also should become adept at working with employees in other areas of their organization to find the best solutions to mitigate those risks.
A report, The Convergence of Enterprise Security Organizations, was commissioned by the Alliance for Enterprise Security Risk Management (AESRM) — a partnership of ASIS International, Information Systems Audit and Control Association (ISACA) and ISSA formed to address issues surrounding the convergence of traditional and logical security—and was prepared by the consulting firm of Booz Allen Hamilton. The report identifies five factors driving security convergence:
Although it’s easy to see why there has been a convergence of physical and IT security, the shift rarely occurs without some turmoil. For example, employees in charge of protecting information technology may want to add physical security to their list of responsibilities. They reason that they already guard the company’s information assets, so it only makes sense for them protect the company’s physical assets, as well.
Those in charge of physical security may rightly question just how much an IT employee knows about minimizing the risk of workplace violence, developing relationships with local law enforcement officials or getting employees safely out of the building during an emergency.
People in one department may feel that they are being left out of key decisions. For instance, the IT administrator may get frustrated when a colleague in physical security orders computer servers to support a new closed camera television system without consulting IT, which then must break the bad news that the new servers won’t work on the corporate network.
The rift can be exacerbated by the relative political standings of the two groups within the company. IT departments in many organizations have more experience asking for and often receiving funding for new investments than do their colleagues in the physical security arena. The IT department also may claim, with some justification, that protecting information has become more important in many organizations than protecting a specific piece of property, says Ray O’Hara, CPP, a senior vice president with Vance.
In addition, some physical security employees are not well-versed in information technology, and may hesitate to ask questions, Freidenfelds says. As a result, “you get missteps and people distrusting each other.”
Working through the politics that can arise from convergence can be done in any number of ways, says Cleveland. “There doesn’t seem to be a set way to deal with it; it’s case by case.”
A handful of larger organizations have created a CSO, or chief security officer, position. “Ideally, we would see the functions of physical security, investigations and IT security complement each other and roll into the function of the chief security officer,” says Ahrens.
The CSO should be independent of the various security groups. That means the CSO should be able to listen dispassionately to arguments for funding and projects from each area, and then make decisions that offer the greatest benefit to the overall organization. “Successful programs have an enlightened manager at the apex where the physical security and IT silos meet,” Freidenfelds says. “They promulgate the requirement that both sides must get along, work together and use a team approach to security.”
The CSO doesn’t need to be an expert in either technology or in physical security, but should know enough about the various functions that he or she can competently evaluate what both groups are saying and get them to work together. “The person has to be positioned in such a way as to make the hands shake,” says Freidenfelds.
Smaller- and mid-sized companies often won’t have the resources to staff a new, executive-level position. Communication between the various security areas becomes key. “The issue is to ensure that the various functions look at the overall risk to the enterprise, and the inter-dependent risks,” says Tim Williams, CPP, vice president, corporate and systems security, Nortel.
To facilitate discussion, the company can form an enterprise risk council including employees from each area of security. The council provides a forum in which everyone can offer thoughts on security projects, investments and policies, says O’Hara. “There are a lot of people who have responsibility for the company’s assets,” he says. “These people have to talk together.”
Some security departments bring in their own IT support staff; that’s often the case when the corporate IT staff lacks experience with security devices, Cleveland says. If the security staff is responsible for the equipment and its performance, dedicated IT support may be warranted.
In some cases, bringing in a consultant can help break down walls between groups of employees. Often, it’s easier for an outsider, rather than someone from within an organization, to get the individuals from various security groups to come together and discuss their differences.
The idea is to have a unified security strategy, Williams says. Everyone needs to know the risks the organization is exposed to and then understand their role in helping to develop the tactics and tools the company will use to minimize exposure.
Getting there may require an organization chart that strays a bit from the tried-and-true. Williams, for instance, reports to the senior vice president of compliance, with a dotted-line reporting relationship to the chief information officer. At the same time, the director of information systems security reports to Williams on a dotted-line basis.
The directive for all departments to work together should come from the executive level, Cleveland says.
The convergence of physical and IT security has several implications for facilities executives. For starters, they need to “jump into the fray,” says O’Hara, and navigate the political battles that can erupt when different departments, such as security, facilities and IT, find their areas of responsibility overlapping.
Facility executives should also be thinking about how technology can help protect the assets of the organization, Freidenfelds says. Traditionally, many companies have resolved security challenges by adding staff, such as security guards. Given the ability of technology to help secure buildings and equipment cost-effectively, facilities executives now need to determine whether it’s best to address risks with people, policies, technology or some combination of these three.
Finally, the facilities executive needs a deep understanding of the organization’s mission. In fact, this usually is more important than an understanding of technology, says Williams. “Security requires people who understand business and know how security affects the company.”
When properly managed, the converging roles of physical and IT security should allow organizations to better anticipate and respond to future emergencies. One example: Should avian flu become an epidemic within the U.S., both IT and physical security know-how will be needed to avert total business shutdowns. If the flu hits, different groups of employees may need to be segregated from each other and some offices or departments closed down — typically, the realm of physical security. At the same time, employees may need access to the corporate network in order to work from home. Making this happen is a role that IT security typically oversees. “It’s an example of the union that needs to be there for the corporation to function, and to roll out an effective, complementary security program,” says Ahrens.
What is Convergence?Convergence refers to “the identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies,” according to ASIS International. |
A Convergence Resource
One resource to which facilities executives dealing with convergence can turn is the Alliance for Enterprise Security Risk Management (AESRM). AESRM came into existence directly as a result of the convergence of traditional and IT security. The Alliance was created in February 2005, through the joint efforts of ASIS International, ISACA and ISSA. |
Karen Kroll, a contributing editor for Building Operating Management, is a freelance writer who has written extensively about real estate and facility issues.
