If you go way up in the air and look down, welcome to mother earth, with hundreds of thousands of countries, cities, neighbors, laws, regulations and cultural differences. Back here on earth, for security executives with responsibility for protecting a global enterprise, the assignment blends consistency of policies, procedures and technologies with a measure of tailored operations in far-flung locations.
There is the need to protect the brand and the enterprise’s reputation across thousands of miles; the need to work with local, dispersed staff and distant outsourced companies; a requirement to face and handle regulations foreign to U.S. ones; and the ability to create levels and implementation of security technology from global to local.
For Microsoft, its Global Security team must protect resources at hundreds of sites. This task includes monitoring more than 27,000 pieces of hardware: card readers for physical access, cameras, fire panels, environmental alarms, biometric security systems, duress alarms and additional devices and sensors. Global Security manages more than 185,000 active holders of access cards and more than 30 million system events each month, for example, users who have misplaced their access cards, maintenance alarms, unauthorized access, building fires, or natural disasters.
Convergence and Intelligence Monitoring
With an enterprise as large as Microsoft, monitoring and protecting assets around the world is a challenge. Traditional security strategies proved too cumbersome and costly to be effective. So, in one important way, Microsoft developed convergence of physical security infrastructure with IT practices by using off-the-shelf software applications, wherever possible, to create a more streamlined, efficient, and cost-effective security solution, according to Brian Tuskan, Global Security’s senior director of operations, technology and investigations.

While Microsoft is an influential world player, there is no bigger and more important a global, mobile and ever-changing operation than the U.S. military, including the Navy. In a telling example of handling its “always on the move” personnel, it has tailored a security system to each individual at a unique housing facility. For instance, at Pacific Beacon apartments in San Diego, the first privatized community in the world for enlisted single sailors, “We wanted to provide the best possible services at every level, including appliances and security,” says Sam Bellas, development associate at Clark Realty Capital. The integrated Pacific Beacon security installation includes card access controls, video, a fiber backbone and the Navy’s common access card (CAC), which provides secured access anywhere worldwide.
While America’s Navy is “a global force for good,” there are other earthly assignments that involve special sports and entertainment events.
And in today’s rough economy, firms such as IMS Research predict that such world-impacting events stand out as a Petri dish of the future of security. From the 2010 Winter Olympics in Vancouver to horse racing at Churchill Downs, venues now embrace security systems to reflect the dangers that come from events’ global spotlight.
Exercises to Protect the Olympics
In one Olympics security exercise held late last year, there was a review of how the military, police and government agencies will respond to a sudden release of radioactive material contaminating the population, a worry shared by security executives at other worldwide sports and entertainment events. John Oakley, director of the integrated public safety office of Emergency Management B.C., stated in an interview that the five-day security exercise, 10 minutes away from the Olympic Oval skating rink, involved “a chemical incident” that would end up with radiological isotopes contaminating people.

Another Olympics security twist is a long range acoustical device, which directionally broadcasts sound and spoken instructions at long distances. At closer range, it can also broadcast incapacitating blasts of earsplitting noise. There also is concern in Vancouver that a cyber terrorist could disrupt the Games. Avoiding such incidents is the charge of Barry Caswell, director of information technology operations for the Vancouver Organizing Committee, who, with the help of firms such as IBM, is building expensive protection.
Keeping Olympics’ viewers and participants safe mirrors the need for higher level security at other venues such as Churchill Downs for its guests and four-footed runners.
Home of the world-famous Kentucky Derby, “Churchill Downs is an open environment,” says Chuck Millhollan, program management director for Churchill Downs, Inc. “Even during non-race days, it had been common for people to walk about the facility freely. At the same time, we need to maintain a high level of protection for our employees.” So the facility upgraded to a higher level security management system, including proximity cards and readers.
What such global enterprises share when facing their common and unique security requirements can be summed up in two words: strategic planning.
Distinct from business planning and security planning, strategic planning is an organization’s overall process of defining its strategy, or direction, and making decisions to allocate resources to pursue the strategy, including capital for technology and people. Strategic planning is a living thing that changes and evolves, especially in a global environment.
Consistency of Implementing Strategies
Microsoft’s Tuskan adds consistency to the need for strategic planning. “There are a lot of similarities” between a global assignment and a local one, he says. “Consistency in terms of processes and policies is essential. But the key is localization and regionalization. What might work in southwestern U.S. might not work in southwest Asia.”

He points out that things must be somewhat different at different locations. “If you come to Redmond, Washington, security is different than in Istanbul, Turkey, where there is harder security.” In a campus environment such as Redmond, “There are access controls for entry and egress, outer perimeter protection for flow of the traffic, biometric edge devices for higher security needs, scanners, digital video and other edge devices such as sensors,” to name a few.
From local to regional to international, it is not surprising that Tuskan sees infrastructure as essential. “You must have a good, strong, robust network. With the right infrastructure and right connections, you can manage anywhere,” he says.
One of the biggest strategic decisions that Microsoft Global Security made was to have its physical security focus take advantage of strategic IT convergence.
At Microsoft, the strategy for developing the processes and solutions that help provide physical security includes a partnership between the internal Global Security and Microsoft Information Technology teams. This partnership takes advantage of the available technology and technical resources to provide a scalable system for life safety and facility monitoring that can be managed from virtually anywhere in the world.
Uniquely, through the establishment of three regional Global Security Operations Centers (GSOCs) and the strategic deployment of security systems, the Global Security team is improving the way it protects Microsoft assets, information, and employees. By aligning physical security drivers and IT delivery mechanisms, the team can produce an environment where physical security and IT complement each other rather than compete with each other.
Off-the-Shelf Approach
As Tuskan points out, Microsoft developed the convergence of physical security infrastructure with IT practices by using off-the-shelf software applications wherever possible, to create a more streamlined, efficient, and cost-effective security solution.

Approaching security as a unified initiative enables Microsoft to monitor and protect more assets by using fewer resources. Global centers for security monitoring can deliver total interoperability, including failover capabilities as necessary. To effectively monitor and protect its resources, Microsoft Global Security built its solution on ten essential design principles to provide a layered security model.
It focused on:
1. Deterrence value: Security measures must strike a balance between security and functionality. Simply making people aware of monitoring devices and other physical security measures helps to deter theft or trespass.
2. Remote monitoring: Monitoring security systems from a remote location provides the ability to centralize the administration and response. The firm also takes advantage of remote functionality to maintain and troubleshoot the physical security equipment over the network.
3. Precision response: Closely related to remote monitoring, the solution must provide for precision response. If the design philosophy calls for remote monitoring from a central location, it also must ensure that the proper resources can be dispatched on site in a timely manner when an event is detected.
4. Off-the-shelf infrastructure: By using standard off-the-shelf hardware and software, the Global Security team made a conscious decision to adapt its processes to the infrastructure and not the other way around.
5. Use of partner products: Wherever possible, the design of physical security relies on Microsoft products and on third-party products built on Microsoft technologies, including Microsoft SQL Server database software, Microsoft .NET, and Microsoft SharePoint.
6. Remotely managed IP devices: Microsoft uses the existing global IP network to handle rapid changes in hardware and to achieve faster and more cost-effective scalability. Using IP-based edge devices also enhances the ability to monitor and maintain the equipment.
7. Defense in depth: Defense in depth provides for multiple layers of security at a facility that is appropriate to asset risk. A threat that infiltrates one layer is detected at another layer, giving Microsoft multiple opportunities to detect and respond to an event.
8. Forensics/investigative model: A critical component of the design philosophy is to ensure that video data, access logs and other pertinent information are properly captured and stored for investigation if a physical security incident occurs.
9. Reliability: An infrastructure must be reliable and work when needed. Leading edge technologies may promise additional functionality but can be a hindrance if they do not have a consistent expectation of availability. Microsoft evaluates all new technologies against this core ability to provide a consistent level of expected uptime.
10. Sustainability: Sustainability is the ease with which a new infrastructure or device can be maintained and supported. As the environment increases in size and complexity, this element is crucial to keeping support costs low.
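Principles 7 and 8 above (defense in depth, and capturing access logs for later investigation) can be made concrete with a small correlator. The following is an added example written for this article, not Microsoft Global Security’s code: the zone hierarchy (perimeter, building, lab), the card ids and the badge events are all constructed, and the event format and the hash-chained retention log are assumptions chosen to illustrate the two principles. A grant at an inner reader for a cardholder with no recorded grant at every enclosing layer means one layer was bypassed (a propped door, tailgating, a reader fault), and the inner layer is where it gets caught; every event is also appended to a hash-chained log so an investigator can later check that nothing was dropped or altered.

```python
"""Layered badge-event correlation plus tamper-evident retention.

Added illustration, not code from the original article or from Microsoft.
Zones nest from the outermost layer inward; sample events and ids are
constructed for this example.
"""
import hashlib
import json
from dataclasses import asdict, dataclass

# Hypothetical zone tree: child -> parent. None marks the outermost layer.
ZONE_PARENT = {"perimeter": None, "bldg_17": "perimeter", "lab_17_2": "bldg_17"}

# Hash of the empty log; the first record links back to it.
GENESIS = "0" * 64


@dataclass(frozen=True)
class BadgeEvent:
    ts: int        # seconds since epoch (constructed values)
    card: str      # cardholder id (constructed)
    zone: str      # zone the reader admits into, or is left from on EXIT
    result: str    # "GRANT", "DENY" or "EXIT"


def enclosing_zones(zone):
    """Return zone's ancestors ordered from the outermost layer inward."""
    chain, z = [], ZONE_PARENT[zone]
    while z is not None:
        chain.append(z)
        z = ZONE_PARENT[z]
    return list(reversed(chain))


def correlate(events):
    """Alert on grants whose enclosing layers hold no recorded grant.

    present[card] is the set of zones where the card currently has a
    GRANT on record. A DENY never establishes presence; an EXIT clears the
    zone left and everything nested inside it. A real deployment would also
    expire stale presence on a timer.
    """
    present, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        zones = present.setdefault(ev.card, set())
        if ev.result == "EXIT":
            zones.difference_update(
                {z for z in ZONE_PARENT if z == ev.zone or ev.zone in enclosing_zones(z)})
            continue
        if ev.result != "GRANT":
            continue
        missing = [z for z in enclosing_zones(ev.zone) if z not in zones]
        if missing:
            alerts.append((ev.ts, ev.card, ev.zone, missing))
        zones.add(ev.zone)
    return alerts


def append_chained(log, ev, prev_hash):
    """Append ev with a SHA-256 over (prev_hash, event); return the new head."""
    record = {"prev": prev_hash, "event": asdict(ev)}
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    log.append(record)
    return record["hash"]


def verify_chain(log):
    """True only if every record's hash matches and links to its predecessor."""
    prev = GENESIS
    for rec in log:
        body = {"prev": rec["prev"], "event": rec["event"]}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def process(events):
    """Correlate events and write each one into a hash-chained retention log."""
    log, head = [], GENESIS
    for ev in sorted(events, key=lambda e: e.ts):
        head = append_chained(log, ev, head)
    return correlate(events), log


# Constructed sample stream: one clean layered entry, then three bypasses.
SAMPLE_EVENTS = [
    BadgeEvent(1000, "C-1001", "perimeter", "GRANT"),
    BadgeEvent(1060, "C-1001", "bldg_17", "GRANT"),
    BadgeEvent(1120, "C-1001", "lab_17_2", "GRANT"),   # every layer on record: no alert
    BadgeEvent(1200, "C-2002", "bldg_17", "GRANT"),    # never seen at the perimeter
    BadgeEvent(1260, "C-2002", "lab_17_2", "GRANT"),   # perimeter still missing
    BadgeEvent(1300, "C-3003", "perimeter", "DENY"),
    BadgeEvent(1330, "C-3003", "bldg_17", "GRANT"),    # a DENY does not count as presence
    BadgeEvent(1400, "C-1001", "bldg_17", "EXIT"),
    BadgeEvent(1450, "C-1001", "lab_17_2", "GRANT"),   # in the lab after leaving the building
]

if __name__ == "__main__":
    found, chain = process(SAMPLE_EVENTS)
    for ts, card, zone, missing in found:
        print(f"{ts} {card} granted into {zone} with no grant at {missing}")
    print("retention log intact:", verify_chain(chain))
```

The correlator is deliberately stateful per cardholder rather than per door, which is what lets the inner layer report which outer layer has no record. The chained log does not prevent deletion of the tail; pairing it with periodic publication of the head hash (to a GSOC ticket, for instance) closes that gap.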
Microsoft Global Security has come a long way. Originally, site security was the responsibility of the real estate and facilities group, which hired security labor or contracted guarding services at individual facilities and campuses. There was no strategic, regionally coordinated security operation. The company maintained a life safety control center at its main campus in Redmond, and established separate security operations at other domestic sites in the United States, but security at international Microsoft sites was almost entirely uncoordinated.
Global Security Operation Centers
After spending several years developing an official charter for Global Security services, a comprehensive strategy emerged for protecting the physical property, assets and people around the world. Out of this charter, the company ultimately established those GSOCs.

“Office InfoPath 2007 is the backbone of our security operation,” says Tuskan. “We’ve used it to change the way we collect point-of-contact data for sites around the world, develop emergency response plans, and manage day-to-day operations.”
Using InfoPath forms on their computer desktops, each site manager can distribute real-time updates on point-of-contact, facility headcount, response plans and other important information to a centralized SharePoint Web portal. When personnel at one of the GSOCs receive an event alarm or intelligence of a critical incident at any facility, they can easily access the form through the Web portal and combine the data with other information to develop an event advisory using another form.
GSOC teams then convert the form to a .pdf format and quickly distribute it through the Outlook messaging and collaboration client to executive decision makers’ computers or mobile devices, usually within minutes of the event. The decision makers first get information about the event, such as which facility is affected, how many employees are involved, whether local airports, roads, or other resources have been affected, and then they can develop a response plan.
Navy Covers the World
For the U.S. Navy, the Pacific Beacon facility is a unique security strategy that can be replicated worldwide.

The first privatized community for enlisted single sailors in the country, it consists of 941 dual master suites in three high-rise buildings overlooking San Diego Bay and is protected by a GE Security integrated approach.
In addition to residential units, the facility includes a pool, rooftop terrace, barbeque area, poker room and café. To meet the challenge of helping protect this facility and the active duty men and women who live there, Clark Realty Capital and the Bergelectric Corporation, the project’s integrator, selected Facility Commander to serve as the main security system. Pacific Beacon represents the first large-scale deployment of the InfoGraphics architecture integrated into Facility Commander under the Microsoft Windows platform.
Currently, the system guards common areas and individual apartments for more than 1,800 residents, integrating more than 1,000 access control readers, 300 fixed and dome cameras and numerous entry and exit points into a single, unified system, operated through a central monitoring station. Additionally, the system will be compatible with the Navy’s new Common Access Card (CAC), which will allow personnel the convenience of using their existing CAC cards.
Sports and Entertainment Venues
At one of the world’s most historic and iconic sports venues, new technology and security measures will allow Churchill Downs to maintain a free-flowing public setting while providing a safe and secure environment. The venue selected Honeywell’s Pro-Watch security management system to ensure better control and monitoring of the racetrack’s administrative facilities.

Louisville-based integrator Ready Electric Company, Inc. installed the initial proximity card reader system at the Churchill Downs administrative building, where all track operations are managed. The system will ensure only authorized personnel can access the building, while continuing to allow easy public access to the rest of the campus.
System operators can assign appropriate access privileges to individual cardholders. Additionally, badging capabilities allow designated Churchill Downs employees to manage the credentialing process for all cardholders as necessary. The software will allow staff to expand the overall security system in the future as needed. For example, the access control system can add an unlimited number of doors and encompass multiple buildings, as well as advanced video technology.
What about Protecting the Brand?
Brand and reputation are increasingly important aspects of global security programs, whether the sensitivity spans the world or is situated more locally. Andrews International, for example, sees growth in diverse services. A new service aimed at Fortune 500 firms is based on Andrews’ Security Effectiveness and Efficiency (SEE) methodology, which includes matching security resources to risk profiles, maximizing the integration of uniformed guards and electronic security assets and accurately projecting return on investments through industry-specific financial models.

Jill Knesek, chief security officer at BT Global Services, has a different perspective on brand and reputation. “I believe that in most instances brand and reputation are highly overrated, especially for a global company that doesn’t enjoy the type of brand recognition as, say, a McDonalds or Microsoft.
“In most cases, a security incident that impacts the brand and reputation of a company will be fairly localized to a country and probably not have a global effect on the company,” she says. “The more critical indicator of security is risk and that should be the driving force behind implementing certain security measures. Whether a company is limited to a single country or is a global enterprise, a mature risk management program is the key to ensuring the right amount of mitigation is applied to protect not only the brand and reputation of the company but the assets that drive the business.”
When viewing the differences securing a global enterprise as compared to a more typical organization, Knesek says, “There are quite a few differences that impact not only management of the security team but management of compliance with security policy and enforcement.”
At Odds with Diverse Regulations, Laws
“One of the obvious differences is the geographic separation that requires a global team working within your key countries and/or regions to provide support during normal business hours,” she says. “Another difference is the cultural aspects of implementing security; for example, what might be quite appropriate in one country or region could be at odds with local laws and labor union agreements in another country. This is why having a global team with local support is critical so that security is appropriately applied around the globe, while appreciating and fine-tuning security programs to support the cultural aspects.”

There are complexities no doubt, she says. “In many cases, the language barrier alone can be enough to add significant complexities. Consider a security awareness program with mandatory security training that must be rolled out globally. The awareness messages and training modules must be translated accurately in many different languages to ensure that everyone receives the same and consistent message and fully understands the security policies they must comply with,” observes Knesek.
What about Remote Access?
There are special information security risks whether a firm is local or global. Remote access is always a challenge, whether it’s to Boston or Bangkok.

For example, according to a survey by market research institute DT&P International, the combination of user name and password remains the most commonly used authentication method (99 percent of respondents authenticate in this way) for remote access among European firms.
In the background, Public Key Infrastructure (PKI), in the form of digital certificates, is making headway, showing real momentum as a means of granting remote access. In fact, 77 percent of those surveyed use PKI as a preferred method for remote access security in addition to user name and password. It’s catching on worldwide.
The survey highlights that businesses see high levels of security as a necessity when accessing data remotely. Other selection criteria that were depicted through the survey results as being essential to remote access security include low administrative overheads, access locking capabilities and reasonably low training requirements. On-demand certificate management services users have been able to benefit from these functions as well as the ability to quickly and safely replace lost, defective or forgotten access tokens.
Privacy Varies by Culture
Privacy is part of the information security risks agenda when it comes to global operations, according to Andrew Serwin, founding chair of the Privacy, Security & Information Management Practice at Foley & Lardner LLP. He urges security and their C-suite executives to convene an information management committee. “Get them all together in a room to talk about challenges and to fix things before there is a problem. Different cultures have different expectations of privacy even if company policies are consistent. In the U.S., we have better privacy.”

Serwin points out that, as data become increasingly regulated, it is creating new exposures, particularly in the areas of data privacy and reputation risk. “In some ways, it is up to the customer when it comes to the culture of privacy. Do they have a reasonable expectation of privacy?” On the other side, “It’s important to understand that data can be monetized.” So, especially in a global arena, there may be business reasons for collecting and offering personal information.
Adds Christine Carron of Ogilvy Renault, “Once you move out of the U.S., Canada and Europe, all bets are off with respect to the extent that privacy legislation exists or is enforced. In many jurisdictions there is no one law or regulatory framework governing privacy. Instead, laws or regulations relating to privacy are often found as a subset of sector-specific or constitutional laws.”
Carron adds, “Although efforts are underway in many regions to harmonize legislation, privacy laws around the world still differ in many respects. For U.S. firms, outside of Canada and Europe, privacy legislation is either non-existent or a patchwork of sector-specific laws and regulations. U.S. organizations conducting business in these regions should use the most stringent legislation as the lowest common denominator in order to establish an effective privacy policy.”
A security antidote to privacy intrusions may be global use of biometrics.
With concerns growing over the incidents of bank card fraud and identity theft, a majority of people globally would accept biometric authentication to verify their identities, according to recent research from Unisys Corp.
Biometrics More Accepted
Analyzing recent findings from the nine countries covered in its bi-annual Unisys Security Index, the tech firm found that consumers remain most concerned about bank card fraud and identity theft, despite a general decrease in overall concerns about security threats. These global concerns may have led to an increasing consumer acceptance of biometric technologies, such as fingerprint and eye (retinal) scans, versus more traditional methods of using passwords and PINs. Respondents in every country surveyed in the Unisys Security Index indicated a majority favored the use of advanced biometric methods.

In the UK, for example, 95 percent of those who said they would be willing to provide biometric data said they would be willing to provide fingerprint data; 90 percent said they would provide an eye scan; and 82 percent said they would agree to a facial scan. High acceptance rates for these types of biometrics were also reported in other countries.
U.S. Department of Homeland Security (DHS) activities and requirements often cross borders. At a panel presentation at ISC East in New York City late last year, moderator Peter Harlick of Global Elite Group put together a group including Maryann Goldman, special agent and InfraGard coordinator with the FBI, and Joe Tadrick, protective security advisor, N.Y. District, DHS. Among the take-aways: Training of guard force members is key, according to Goldman. The private sector all too often focuses on the bottom line dollar. There needs to be a balance between cost and quality. Look for security firms that invest in ongoing training to educate their guard force to be at their best. Join organizations like InfraGard and other local security organizations to network with peers, she added.
Partner with FBI
InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector – businesses, academic institutions, state and local law enforcement agencies, and other participants – sharing information and intelligence to prevent hostile acts against the United States. InfraGard chapters are geographically linked with FBI Field Office territories.

According to Tadrick, “Complacency can all too often occur. Stay alert and maintain a level of readiness at all times. Training courses like the Surveillance Detection Class, offered by the Department of Homeland Security, are ones to look at, as continuing education is so important in the private security sector.”
Circling back to the importance of strategic planning when it comes to securing the global enterprise, David Nicastro, senior vice president at GlobalOptions, says that the “level of strategic planning is much greater as compared to other organizations. There is also a factor of the number of stakeholders in the organization and how global security fits into the overall business.”
Nicastro believes there is a lot to gain and to lose when it comes to brand. “It’s a very significant part of the company. Concerns plug into the chief financial officer, risk management, communications, crisis management and investor and public relations, to name a few.”
Much has changed overall, Nicastro says. “Back then security had to wear many hats. Now, with global views and specializations, the C-suite looks for dedicated security professionals on the strategic side, with just enough people to do the job while outsourcing to specialists here and abroad.”
What’s a Strategy?
Strategic planning is an enterprise’s process of defining its strategy, or direction, and making decisions on allocating its resources to pursue this strategy, including its capital and people. Various business analysis techniques can be used in strategic planning, including SWOT analysis (strengths, weaknesses, opportunities, and threats); PEST analysis (political, economic, social, and technological); STEER analysis (socio-cultural, technological, economic, ecological, and regulatory factors); and EPISTEL analysis (environment, political, informatics, social, technological, economic and legal).

Strategic planning is the formal consideration of a future course. All strategic planning deals with at least one of three key questions:
• “What do we do?”
• “For whom do we do it?”
• “How do we excel?”
In many organizations, this is viewed as a process for determining where an organization is going over the next year or more – typically 3 to 5 years, although some extend their vision to 20 years. In order to determine where it is going, the organization needs to know exactly where it stands, then determine where it wants to go and how it will get there. The resulting document is called the “strategic plan.”
How in the World Do You Handle Social Media?
It’s a worldwide movement. Today’s Web 2.0 tools, such as blogs, Twitter, Facebook, LinkedIn, and the many other social media options, are all about engagement. It’s also about security. A two-edged sword, social media can extend the reach, involvement and productivity of the enterprise and its employees or open a door to trouble.

Creating social media guidelines for the company and its security operation does not have to be difficult. Once you are clear on the core message you want to send out and the dialog you want employees to engage in, use the following tips to create guidelines that your staff can use to shape their posts around the strategy, according to Dan Burrus, founder and CEO of Burrus Research, and one of the world’s leading technology forecasters and strategists.
• Transparency. When participating in any online community, your employees should disclose their identity and affiliation with the organization, clients, and professional and/or personal interest. When posting to a blog, they should always use their real name, not an alias.
• Be direct. When creating posts and content, your employees should be direct, informative, and brief. They should never use a client’s name in a posting unless they have written permission to do so.
• Give due credit. If your employees post copyrighted materials, they should identify the original source. This includes sources for direct or paraphrased quotes, photos, videos, and anything else they did not originally create.
• Self-edit. Your employees should always evaluate their posting’s accuracy and truthfulness. Before posting any online material, they need to ensure that the material is accurate, truthful, and without factual error.
• Responsibility. Make sure employees know that they are responsible for what they post. Negative or questionable posts will not be tolerated.
• Be professional. When posting comments, employees should refrain from writing about controversial or potentially inflammatory subjects, including politics, sex, religion or any other non-business related subjects.
• Privacy. Employees should never disclose proprietary or confidential information. This includes product releases, service updates, and employee information not made public yet.
• Obey the rules. All employees should follow local, state, federal and other country laws and regulations where applicable as well as the company’s internal and security rules and the rules established by each social networking venue. Ultimately online activities will be a reflection on the company.