“With enterprise risk, you have to build all the security disciplines into it,” says Ray O’Hara. Still, Bill Crowell admits that we all are “off to a slow start.” He does see emergence – one day – of a whole new profession that will bring together physical and logical security. “Specializing in one and ignoring the other is not satisfying,” Crowell understates. On Joey Sudomir’s wish list is “a more natural convergence. The change bringing newer types of physical security such as IP video to IT’s common, standardized infrastructure is a positive step.”
Convergence is challenging and controversial.
Some enterprise security leaders have embraced it. Their traditional system integrators are climbing on board. And value-added resellers (VARs) coming from the IT side are starting to work on convergence, often entering physical security with help from in-house IT and the chief information officer.
One indicator of the increased aggressiveness of IT-centric VARs into physical security came late last year when Ingram Micro, the world’s largest technology distributor, introduced a new physical security division. Its channel partners now access a variety of physical security products. “We’ve been watching the growing convergence of IT security and physical security and have established this division in anticipation of their eventual synthesis,” said Keith Bradley, president, Ingram Micro North America, at the time.
“Physical security companies and IT VARs. Which way to go? They will all go head to head with United Technologies Corporation and Cisco Systems being examples of the end game, from a vendor perspective,” says O’Hara, ASIS International’s 2010 president-elect and senior vice president at Andrews International.
Still, for early convergence adopter chief security officers, convergence as a descriptor may be overworked.
There are those who feel it’s the term that should be killed off and not the concept. In an article in the March 2010 Security magazine, under the feisty banner, “Let’s Forget Convergence,” the author proposes that “convergence” has become an ineffective word that unintentionally slanders some truly game-changing ideas. For instance, in that article, Dave Kent, vice president of global risk and business resources for Genzyme, says, “We used ‘convergence’ early on. We started bringing together physical and IT security in the late 1990s, when ‘convergence’ was the leading edge. There seems to be less clarity around it now than there was back then.”
Well, wishing and hoping is one thing.
Collaboration on the people side and interoperability on the systems side is quite another.
The ability to work together – whatever name you call it or reputation it has – is a forever business concept.
Sharing Similar Work-A-Day Terms
Today, for instance, there’s already a sharing of terms. Intrusion detection means something similar to both physical and computer security professionals. And a firewall is just a door control, kind of. For physical security and life safety, it’s a physical barrier inside a building, designed to limit the spread of a threat. In computing, it’s a technological barrier designed to prevent unauthorized or unwanted communications – a threat – between sections of a network.
Things get decidedly dicey or opportunist – depending on that half glass of water thing – when getting around to identity management. A convergence hurdle, “It’s slowing progress but also is a fundamental place where both [physical and logical security] converge. It has been plagued with a large number of solutions aimed at one or the other. Smart cards? Combining a smart card with a proximity card in a single credential is a solution. But there are business problems such as the potential need for readers on every desk and in every laptop,” says Crowell, coauthor of Physical and Logical Security Convergence: Powered by Enterprise Security Management, with Brian Contos, Colby Derodeff and Dan Dunkel.
“What we are looking for is a more fundamental credential,” points out Crowell, who now specializes in information technology, security and intelligence systems. He is former chairman of Broadware Technologies and former CEO of computer security pioneer Cylink Corporation, acquired by SafeNet after partial ownership of it was spun off by Honeywell Corporation during its acquisition of Pittway, the latter then a major physical security and distribution player.
By the way, if such “what corporation acquires which” details are dizzying for the average security director, future big name industry acquisitions may prove the fastest pathway to security convergence. But more on that later.
In the meantime, today’s convergence efforts aim at all the stakeholders being at the same table, especially when it comes to protecting intellectual property, data and data centers, says O’Hara. Where are we now? Things are still emerging, and O’Hara believes that it is not a top down initiative. It’s bottom up.
There’s lots of action that’s always been going on at the bottom, or rather in those silos.
No doubt, “silos” is the much-preached word of the day, as reengineering was in the 1990s, and Peter Drucker’s phrase that pays, the knowledge worker in the early 1950s. But, when taking the kitsch out of the silo, there still remain separate areas – physical security and information security with a bow to building and facilities management – that have their own skills and knowledge bases; their own tools; their own threats and risks; their own perception by the C-Suite folks; and, in essence, their own territories.
There’s Silo Shifting
Sudomir, vice president, information technology, for Texas Health Partners, says that there is “slowly starting to be a shift mainly from a system perspective. Silos? You can converge today with disparate systems. But, in order for change to be most effective and natural, the players must come out of their silos and adopt shared standards.”
Just as reengineering had its obvious business benefits during its heyday, convergence does, too.
One benefit is a no-brainer to Mike Snyder, partner, GSC Consultants, who has a unique background as president of ADT North America and CEO of Vonage Holdings. He suggests that the cost of operation will reduce and that there will be more investment in technologies.
A necessary focus on standards will sharpen. Maintaining stringent standards of security is a crucial enabler toward achieving organizations’ business objectives, suggests Neil Campbell of Dimension Data, a specialist IT services and solution provider. By adopting a strategy that allows organizations to prevent, detect and respond to threats – and honing that strategy with the insight and ongoing help of trusted advisors and integrators who understand and are immersed in infrastructure, security strategy and overarching business goals – organizations are well en route to achieving a more effective and strengthened security posture, he advises.
Another convergence benefit is open architecture. Anthony Onorati, James Bracone and Laurin Rollins of Risk Controls Strategies, Inc., speak as one when pointing out that in the past, physical security had always been designed with closed architecture in mind. These systems had limited capabilities to the outside world. At the most, they used to dial up the central station to report an alarm or the security integrator would buy an overpriced piece of hardware or software to connect to their installed systems to perform simple programming or diagnostics. Today, in the natural progression of convergence, new synergistic elements need to be considered in the grand scheme of things.
Open Architecture Opens Doors
Write that grand scheme as open architecture, which allows systems to be connected easily to devices and programs made by other manufacturers. Open architectures use off-the-shelf components and conform to approved standards, already IT’s mantra. A system with a closed architecture, on the other hand, is one whose design is proprietary, making it difficult to connect the system to other systems. No doubt, physical security systems are more open than ever, but convergence enlarges that openness.
Of course, whatever the benefits and drivers, there is always cost to contend with.
There will be more innovation, more productive thinking outside of the box. “When you have different groups come together, they often come up with different ideas,” comments Bill Jacobs of Next Level Security Systems. “The question is, at some point, all these groups want to be recognized, seen as leaders and show management that they have a brain and their solution has value to the enterprise.” But, he warns, convergence must not just reduce to job retention and budget renewal. When all is said and done, Jacobs adds, “the primary business benefit is the reduction of risk.”
In the corporate world, the case for physical and logical security convergence is difficult to make, suggests Jacobs. When you speak to CFOs, they ask: What are you trying to achieve; what does it cost; and what is the return on the investment. Physical and logical security convergence may not have a tangible result that can be quantified in terms of ROI or net present value.
Cost aside, however, based on common sense and business benefits, convergence has a toe-hold. But, beyond how fast to move to the finish line, the question remains as to what road to take to the endpoint.
Pathways can include:
• Collaboration over specific projects
• Use of convergence savvy integrators
• The network and infrastructure factor
• The IP security video factor
• Continued consolidations in the physical and IT industries
• Cyber crime added to the mix
Let’s look at the pathways in more detail.
Collaboration over Specific Projects
Particular projects with manageable, limited scope can be steps along the convergence path. How do physical security systems such as electronic access control and security video fit into the logical security arena? Look at emerging elements such as remote video monitoring and video on demand, in addition to potential projects that center on building management.
Use of Convergence-Savvy Integrators
Traditional security system integrators in significant numbers are seeing business in convergence projects. Many already have bulked up with computer and communications expertise to handle IP security video and staff members boast Microsoft and Cisco certifications.
When these integrators work with enterprise security executives, there most often is involvement from in-house IT, too. Still, “the best applications and providers win out. But you will also see influence from the Ciscos and IBMs for platform functionality,” advises Snyder.
A key element in this pathway is trust – trust in systems and processes, technologies and strategies. And when selecting a systems integrator to partner with, trust also takes center stage, as companies are increasingly seeking to partner with not just any integrator, but rather a “trusted advisor” who understands and is immersed in their infrastructure, security strategy and overarching business goals – as well as the broader security market, including both the threat and vendor landscape.
The Network and Infrastructure Factor
What’s going for IT is that they can own the enterprise and government networks, in addition to having large and ongoing budgets and inherent support from the C-Suite.
But if we all work together, that’s good. Work that is silo-ed is just wasting energy and time, adds Jacobs. On the logical security side, some solutions may be similar but different enough that there is a waste of time pursuing a converged answer, he adds.
Other applications cry out for convergence. For example, if an employee didn’t card into a building, he or she is not allowed into the network, if the enterprise has that as a business rule. It could significantly cut down on employee tailgating. And the business would have a greater level of granularity about how buildings are used to reduce the real estate footprint and save on energy costs.
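The badge-before-logon business rule described above amounts to correlating the access control feed with the network logon feed. The following Python code is an added example, not from the article; the event formats, the `evaluate_logons` function, the 12-hour staleness window and the sample events are assumptions constructed for illustration, and only on-site logons are assumed to be in the logon feed.

```python
from datetime import datetime, timedelta

# Assumed policy: a badge-in older than this no longer proves presence.
MAX_BADGE_AGE = timedelta(hours=12)

# Constructed sample feeds (not from the article).
# Badge reader: (timestamp, user, site, direction)
BADGE_EVENTS = [
    ("2010-02-28T07:00:00", "dlee", "HQ", "in"),    # never badged out
    ("2010-03-01T08:02:00", "asmith", "HQ", "in"),
    ("2010-03-01T08:10:00", "bjones", "HQ", "in"),
    ("2010-03-01T12:05:00", "asmith", "HQ", "out"),
]
# On-site network logons: (timestamp, user, site)
LOGON_EVENTS = [
    ("2010-03-01T08:15:00", "asmith", "HQ"),
    ("2010-03-01T08:20:00", "cdoe", "HQ"),
    ("2010-03-01T08:25:00", "bjones", "HQ"),
    ("2010-03-01T08:30:00", "dlee", "HQ"),
    ("2010-03-01T12:30:00", "asmith", "HQ"),
]


def evaluate_logons(badge_events, logon_events, max_age=MAX_BADGE_AGE):
    """Return (timestamp, user, decision, reason) for each logon, in time order."""
    # Merge both feeds into one timeline; on a tie, badge events (0) sort first.
    timeline = [(datetime.fromisoformat(ts), 0, user, site, direction)
                for ts, user, site, direction in badge_events]
    timeline += [(datetime.fromisoformat(ts), 1, user, site, None)
                 for ts, user, site in logon_events]
    timeline.sort(key=lambda e: (e[0], e[1]))

    inside = {}      # (user, site) -> time of the last badge-in still in effect
    decisions = []
    for when, kind, user, site, direction in timeline:
        key = (user, site)
        if kind == 0:                      # badge event: update presence state
            if direction == "in":
                inside[key] = when
            else:
                inside.pop(key, None)
            continue
        badge_in = inside.get(key)         # logon event: apply the rule
        if badge_in is None:
            verdict = ("deny", "no badge-in on record")
        elif when - badge_in > max_age:
            verdict = ("deny", "badge-in is stale")
        else:
            verdict = ("allow", "badged in")
        decisions.append((when.isoformat(), user) + verdict)
    return decisions


if __name__ == "__main__":
    for row in evaluate_logons(BADGE_EVENTS, LOGON_EVENTS):
        print(*row)
```

A denied on-site logon with no badge-in on record is also a lead for the tailgating review the rule is meant to support.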
The IP Security Video Factor
The attraction and growth of IP-based security video – from cameras at the edge, encoders, storage, transmission to command and control – are obviously bringing physical security and IT operations closer.
An obstacle, video devices that do not work together or within the larger system, is being quickly overcome. The Physical Security Interoperability Alliance, for one, is a global consortium of myriad physical security manufacturers and system integrators focused on interoperability of IP-enabled security devices across all segments of the security industry. As an example, IQinVision, a PSIA member, was among four open system vendors that conducted a joint live demonstration of IP technology interoperability at ASIS International 2009. The firm, with Exacq Technologies and Firetide, showed how standards-based solutions can integrate and be supported in the field.
Continued Consolidation in Physical, IT
The bouncing ball of Cylink may indicate convergence will be driven from the vendors on down the chain. Physical security manufacturers continue to acquire each other, as also happens on the logical side. Acquisition blending is sure to follow and “one stop shopping” is a powerful attraction for busy end user buyers who have the bucks to purchase direct and for integrators and VARs broadening their offerings without broadening their vendor partners.
Cyber Crime Added to the Mix
Cyber crime policies must be integrated with ongoing convergence efforts, advises Dan Dunkel, president, New Era Associates, which targets physical security and IT convergence, and a contributing writer for Security magazine and Today’s System Integrator. “Today security professionals are facing cyber crime on an unprecedented level as hackers, global organized crime syndicates, and nation state actors threaten our national security and the global economy,” Dunkel says.
Dan Dunkel On: Cyber Security Convergence
Sometimes the world changes right in front of our eyes and yet we fail to make the connection until years down the road. The United States is largely responsible for two of the “macro” trends impacting the world today. Information technology, our first “macro” trend, in the form of Silicon Valley innovations, is responsible for the evolution of the second “macro” trend, globalization.
Unfortunately, the software industry grew to power the American high technology engine with a blind eye toward security concerns, to our collective detriment. During the late 1990s’ tech wreck, the deployment of fiber optic networks at pennies on the dollar wired the world allowing mobility and social networking to exacerbate this security problem and today we find our digitally connected world at serious risk.
Today security professionals face cyber crime on an unprecedented level as hackers, global organized crime syndicates, and nation-state actors threaten national security and the global economy. The trend is so enormous that it is rapidly rewriting international business rules and the job description for the 21st Century security executive.
For instance, the McAfee Corporation reveals in 2009 international businesses lost over one trillion dollars in intellectual property due to data theft and cyber crime. So cyber security is more than simply the protection of all things Internet and involves people, partners and policy. The concept grew out of necessity as business operations embraced Web 2.0 technologies to leverage online collaboration and information sharing on a global scale and in real-time. The growth of the Internet has been a double-edged sword of business opportunity and risk. The roles of the CSO and CIO remain to protect the operation and integrity of the business, and it must evolve rapidly with the technology cycle to answer new age risks.
As information is being generated by more people and deployed to more remote devices, we compound our risks. The technology road map has pushed information from computer room to desktop to laptop to handheld. As a result, the responsibility for security protections has quickly outgrown the capabilities of the internal IT department. They still have a vital role to play, but securing business operations against supply chain fraud, corporate espionage, intellectual property theft, and traditional criminal activity remains the responsibility of the security executive. Cyber crime is still crime.
In these early months of 2010, it is interesting to consider how cyber crime will impact the security profession.
Over the last five years the traditional physical security industry (if that description still applies) has embraced convergence with their IT colleagues, albeit reluctantly in some cases. The next two years will see an accelerated convergence between physical and cyber security policies. The threat is too big to ignore any longer. The FBI recently warned small- and medium-sized business owners that they are under attack by organized hackers who systematically penetrate their commercial bank accounts, credit unions, or third party providers because these firms lack proper cyber defenses. The stakes are very high and they involve businesses of all sizes and geographic locations.
This warning points to the weak link theory enacted by cyber criminals. Cyber crime leverages new technical capabilities to threaten the successful operation of a business and/or its supply chain of regional, national and global partners. These criminal activities have a range equal to cyber space and capitalize upon a lack of coordinated law enforcement efforts to stop them, and until recently ignorance of the threat. Today’s emerging security executive understands the importance of a policy that blends the converged physical/logical domain with cyber security defenses to defend the brand.
There simply is no alternative. Cyber policy must be integrated with ongoing convergence efforts. We have entered a new era of security risk.