Making the case for security system integration
Tuesday, November 27, 2007
Senior security professionals discuss with Canadian Security and sponsor Intercon Security the challenge of selling IT and physical convergence to stakeholders.

Written by Jennifer Brown

Convergence, or the integration of IT and physical security systems, has a lot of people talking these days, but are Canadian companies really finding value in unifying systems from two very different camps? Canadian Security magazine recently sat down with senior executives from some of the top names tackling security convergence — from both the end-user and vendor side — to discuss the challenges of breaking down silos and changing how security is viewed by business units.

Can security really be an enabler of cost reduction and efficiency? In some organizations, IT and physical security have found ways to work together and save people time and their companies money, but not without a lot of hard lessons learned and heart-to-heart talks along the way.

The pioneers in this arena come from finance, health care, education, utilities and commercial property. Helping them do it are integrators from both physical and IT security. And while they admit they don’t have all the answers, they have lived through some interesting implementations.

CSM: What are the benefits of unifying IT and physical security systems?

David Stolovitch Assistant Vice-president IT and Security Governance Enterprise Information Security SunLife Financial

Stolovitch: You have to look at it from a business perspective, not just the security perspective. You’re seeking a cost advantage in terms of operating on common infrastructures and when it is an IP network that already exists in the company so you don’t have to duplicate. You can get away from vendor proprietary protocols for how it all works, which means you’re not locked into one vendor. If you’re operating off an IP protocol there are places you can go if you need to swap out pieces of technology for other components.
From a technical support perspective, it’s easier and cost efficient. People in security are always seeking ways to get the most mileage out of their budgets to use elsewhere in the security program.

Tyson Johnson Manager, Physical Security TD Bank Financial Group

Johnson: David’s point is bang on. At TD we have to look at what we’re selling to the business units. We need to make an argument from a man hours point-of-view. If an administrator in a business unit has to spend six hours a month doing attestation and handling access card issues, that’s six hours a month they aren’t doing core business functions. If we can integrate it and have the security group as the single point of contact and there are other ways to free up time and streamline the processes of non-security personnel, that’s a huge benefit.

We have started a major access control integration process across our corporate footprint. Right now, pretty much every business unit is responsible for going out and sourcing its own access control systems, so we have multiple systems on multiple platforms being taken care of by multiple vendors and we’re not getting the best bang for the buck and we aren’t, as a security group, able to oversee the organization holistically regarding access control or where we have problems or need to identify trends. We need to bring it back to a centre point and IP allows us to do that. It works to the vendor’s advantage as well because they have a single point of contact to deal with at the corporate level.

Todd Milne Corporate Manager, Security Operations University Health Network

Milne: There are obvious benefits, but the initial part is there’s a lot of cost in moving to the IP component. Right now we have our security systems in the field and we definitely want to develop our own security network and therein lies the problem. In order to develop our own security network there’s the initial cost to that.
The initial cost may be large, but at the end of the day you’re going to save costs as well. Once we get the funding we totally support security and IT becoming much more integrated than it is now. A couple of years ago having IT get involved in security was almost a no-no — IT didn’t want anything to do with security — it was, ‘We don’t want your video on or IP address chewing up our bandwidth’ and all of that. I can see there is a turnaround and they are embracing the idea of IT and security together.

Minaz Jivraj School Safety and Security Officer Dufferin-Peel Catholic District School Board

Jivraj: I think Todd makes a very good point. While a lot of large organizations have the infrastructure in place, it’s a matter now of trying to make a case to dovetail with what is there. The challenge is getting IT to accept some of what’s out there to run on their platform. I’ve been fortunate that I have someone in my organization who buys into what I do and lets me get on the network, but not without at least giving them the products to test out before letting us go on the network.

While integration has good prospects, there are challenges for the majority of companies that are still building infrastructure. What happens to an organization that doesn’t have infrastructure in existence to do integration? For smaller organizations that have small IT functionality that still can’t accept “security” within that context, it’s a problem.

Ted Maulucci Chief Information Officer Tridel

Maulucci: There’s a whole new opportunity here and it’s a leap of faith. The challenge is how do you quantify what the value is? Security is just one piece that fits in that overall picture which is to create that backbone that gives you scalability and makes people’s lives better as well. When you start to push the boundaries and you want innovation, you need to take a leap of faith. The junior staff who work with me call me a salesman and I hate it.
I’m selling the vision and part of the return is not about tangible hard dollars. Part of the return you don’t even know. You’ve got to believe and take the risk and do it.

Dave Dickson Security & Surveillance Lead IBM Canada

Dickson: To make an investment in security convergence you have to prove there is a business case in terms of lowering your costs on a common infrastructure. However, we’re also seeing in some sectors that you can increase revenues with convergence. But I think there’s another issue here and that a board of directors has a legal responsibility for the health, safety and security of their employees, suppliers and clients, so collaboration/convergence allows that new governance to take place where the board now has direct control. For example, working through the CSO title, to manage that at an enterprise level, and up to now that hasn’t been possible. I think it’s a legal issue that wasn’t there before.

John Sheridan Director, Security Solutions, Nortel

Sheridan: There are many technical and cost benefits to integration — the common wire and not being tied to a specific vendor; the technical reasons for having cameras and access cards and logical security all tied together, but to me the key benefit for integration is that the functionality within the enterprise has moved up a level on the food chain so that the enterprise client can now determine, using software, exactly how they want to use the security system. It may address corporate governance issues the organization is facing, it may provide rudimentary safety and security to its stakeholders, but once these systems are converged the folks building the software and middleware products can tailor the entire safety and security infrastructure to specific requirements.

Gord Chizmeshya Senior Account Executive, National & Enterprise Solutions Intercon Security

Chizmeshya: We’ve always tried to identify things that make accountability and auditability within any given system a key mission.
Depending on how evolved the thinking is of your client that will certainly determine how broad a scope they cover. There’s a lot of discussion about interoperability and convergence. Even the most organized, technically sound, automated companies struggle with the simplest personnel termination/transfer issues. I think as it moves up the food chain the umbrella will cover broader ground and reduce costs and allow centralized administration and better accountability.

Jivraj: This is all great, but I think it’s envisioning something for the future. The challenge is about changing attitudes for today. I think it’s a turf protection issue more than anything else. You have two different worlds from the corporate structure saying ‘You can’t do that,’ and when you try and dialogue about what they’re refusing to let you do it turns out it’s about turf that has been someone else’s for many years. This is an education process — the fundamentals of Selling 101. You need to educate your client and failing to educate your client will not get you results. I was successful because I had the ability to get someone to listen to me. It’s the process of education and putting them in your context and making them understand what is beneficial.

James Quin Senior Research Analyst Info-Tech Research Group

Quin: We’ve discussed what the drivers are, but we haven’t discussed who is driving it? Is it a push from IT to take over physical security or is it a push from physical security to take over part of the IT component?

Tyson: It’s physical security who is driving it and we work hand-in-hand with our IT group. We had the same initial problems of them saying ‘Wait, you can’t come in here and play.’ We used a soft sell to say ‘We’re not here to take anything over, we’re here to make everyone’s job a little smoother, but we need you to help facilitate that.’

Jivraj: You’re right, it is physical security driving things.
I think where the challenge lies is in the embedded attitudes we need to break down.

Ian Collins Vice-president of operations Toronto Hydro Telecom

Collins: In terms of selling it and who do you sell it to, I subscribe to the idea of enlightened self-interest. You need to explain things in terms of what they are looking for and fulfilling that in a painless way. If you go in with a sledgehammer and say ‘We’re going to take over’ you will get push back. If you can present it in terms of saving money or making their job easier you’ve got their attention almost immediately.

Milne: For us, it is physical security that is driving this. Coming from health care, right now IT is primarily responsible for clinical functions rather than operational. For us, IT is so focused on clinical demands we are taking a back seat and that’s where we have to get the self-enlightenment going on to say we are part of the clinical aspect of things. If, in the event of an outbreak, we have to lock down and people are coming into our facilities for inoculations and we have to keep track of who gets what and how much, they want to know if they can piggy back on our photo ID card system. So now they want something from me and I can say, ‘Sure, I can help you out, but can you help bring our operational part into clinical?’

Dickson: Typically, it’s physical and IT security driving this, but I also see a team of people from the corporate level, and almost every business unit, as part of this. With convergence you can have shared wealth, so to speak. Risk management, insurance, the network people — all these people who wouldn’t typically be in a security decision are now in the room. Don’t forget senior management — they are very aware of the new technology and are also aware of whether they want convergence or not.

CSM: Are there enough people out there qualified to do this?

Stolovitch: Absolutely not. A person who is able to span both IT and physical security is extremely rare.
The challenge is to bring both together and then bridge the cultural gaps of the IT people versus the more traditional physical security people and get them to work collaboratively toward some common solutions. This is an evolution of the security professional. If you look at the security trade journals you are starting to see more IT security content, there’s also more exposure to it at security conferences and the ASIS physical security professional program has more content related to security systems as they relate to IP and that reflects the reality of products now coming on the market.

CSM: How do you overcome the challenges of turf wars and lack of expertise?

Johnson: The reason we have turf wars is because a lot of organizations don’t structure themselves properly when it comes to their security model. In a true CSO model, your IT security and physical security are working on the same projects. A lot of organizations still have one sandbox as the IT security group and one sandbox as physical security and never the two shall meet. You spend so many cycles trying to broach one subject or another that you’ve delayed a successful implementation by weeks or months. Organizations really need to ask, ‘How do we structure security?’

Stolovitch: You end up with some very silly things happening when IT security people specify physical security for, say, a data centre or LAN closet. What they come up with is just totally different than what physical security would do according to physical security standards. You also end up with questions like, ‘Who has responsibility for the security awareness program?’ The fact is it’s all security to the average employee. You want an integrated security program so that whatever the key messages are for security, all employees are getting a consistent message in a consolidated package and that leads to improved employee behaviour for security awareness.

Chizmeshya: The ultimate accountability for a lot of what goes on in an organization is still at the executive level. I would consider both IT and physical security, merged or not, to be critical support services to the execution of company policy. So it really comes down to mandate — if there is a mandate to protect a trading floor or server room, in order to sell that well internally it’s simply a matter of saying here are the options in terms of the tools we can use and these are more automated and these are less costly. You have to find the equilibrium between design and your program. If you don’t blend the two you’re wasting money.

Sheridan: I think we need to cut the industry some slack because it is an evolution. On the technical side you have some installed legacy systems that have to be slowly changed out, and on the people side you have installed silos of organizational structures that need to be torn down. The more progressive industries are tearing those walls down faster, and moving faster than others. We’re seeing strategic and systemic changes happening inside our organizations that were unheard of five years ago, so I’m encouraged by that.

CSM: Where will convergence be a year from now?

Quin: We are at a very early phase of integration with some of the largest enterprises that exist in this country. I’m going to be pessimistic and say we’re not going to be much further ahead than we are now. It won’t be pushed down to the medium or the small enterprise. Until integration is simplified and sold as a package, it will have value only to large enterprises.

Stolovitch: I don’t think we will see radical progress, but incremental progress. It’s a major development for security and it’s going to take years.

Milne: I expect we will be a lot further than we are now. The first challenge is to know what you want and that’s half the battle.









