by Elizabeth M. Ferrarini

Ask some executives about their "Second Life experience," and they'll tell you about their plans for retirement. But ask the same question of Dr. Jonas Karlsson, a senior researcher at the Xerox Research Center in Webster, New York, and you'll be mesmerized by his answer. He says, "Second Life brings to life on the Web the virtual worlds created by William Gibson in Neuromancer and  Neal Stephenson in Snow Crash. Similar to multiplayer online games, the Second Life experience, developed and run by Linden Labs, enables people to build a 3D virtual reality community in which everyone creates an identity using an avatar, and interacts with people with more fluid communication, or as if they were living another life."

Many companies, such as Xerox and IBM, are looking at both internal and external applications for Second Life. Perhaps the most pervasive applications include employee collaboration, employee training, and product demonstrations.

Recently, Karlsson talked with Enterpriseleadership.org about the Second Life research he is doing at Xerox's Research Center, one of  four facilities that comprise the Xerox Innovation Group, which is charted to design Xerox's next generation products, and to test them internally.

EL: Given that you are a team leader in the Synthetic Worlds  initiative, why are you fascinated by virtual worlds?

JK: I am a computer geek who is enamored by the virtual, immersive environments described by both Gibson and Stevenson. In fact, a lot of terminology that Second Life developers are using comes from these science fiction novels. You can use your imagination to manipulate these environments in ways that you can't do in real life.

EL: Can you talk about the evolution of Second Life  technology?

JK: At the end of the 1990s, the gaming industry really started to pick up on virtual reality, developing very realistic 3D, multiplayer, role-playing games. Some people now play these games up to 30 hours a week. When you connect people to other people, something really dramatic happens.

Second Life provides the same type of environment minus the gaming. Second Life is becoming a platform that allows people to create and to share 3D virtual content with each other.

EL: Can you describe your Second Life piece of real estate, called  the Xerox Innovation Island?

JK: As part of my Second Life research project, I bought a small island to use for exploration and for others to test their ideas. Right now, it has a research building with meeting rooms and a demonstration space. The rest of the island is still undeveloped.

When we did a product launch at Fenway Park in Boston, Massachusetts, we had a parallel event on the island. We built a pavilion with an auditorium and a product display area. We streamed video so that people at Fenway Park could see it. On the island, we had people exploring the product and having a panel discussion with researchers from Xerox PARC, IBM, and other places.

EL: What are some of the business applications for Second  Life?

JK: Most companies plan to use this technology to communicate with other people. After all, Second Life is a social medium. It provides a more interesting and engaging experience than either the telephone or a Webcast. It's great for bringing together employees in remote locations to see, for example, a product demo. IBM plans to use Second Life to have all new hires participate in a new employee orientation, which will help them to adopt to the IBM culture.

Because you know at all times whom is in the Second Life environment, you are free to communicate with anyone and try out new ideas. You can't do this with some collaboration tools.

EL: What is the downside to the Second Live experience?

JK: At times it becomes difficult to distinguish between things in Second Life, or "inworld," and things outside of Second Life ("out of world"). Once you begin working in your space, you start thinking, "I shouldn't make my job sound like it is not part of the real world." We are trying to come up with other terms to use.

EL: Many of the collaboration tools don't require you to create an  avatar. What's the advantage of creating one?

JK: My avatar is Point Q. Malaproper. Every Second Life user has to create an account and to create an avatar. The avatar portrays how you want to look to others. People spend a lot of time customizing their avatar.

Google documents, Wikis, or blogs don't require an avatar. In some respect, virtual worlds, such as Second Life, are another collaboration tool. When I'm contributing to a Wiki, I don't necessarily know who else is working on it at the same time. In Second Life, you can see everyone's avatar. For example, I can go onto the Xerox Information Island and see people from different parts of Xerox. These are people who I might otherwise have had no contact with.

Creating an avatar is the first step in interacting with people. There's a real art in how you communicate in Second Life. You need to have the right tools in order to maintain the company. You need to know what makes for acceptable and understandable communications. One of our other Xerox Innovation Group labs is working on these issues.

EL: Who supplies the technology behind Second Life?

JK: We contracted with Beta Technologies, a metaverse content developer, to build the Xerox Pavillion on the Xerox Information Island. Metaverse is another term for the 3D virtual world. This company created models for our devices, programming them to do various things when we interacted with them.

Linden Labs., based in San Francisco, California, runs Second Life on huge server farms. Every user needs to download a client in order to connect to the environment. The client is available for Windows, Macintosh, and Linux Alpha.

EL: Since Linden Labs controls the Second Life environment, what kinds of content and or security problems does that present to a company?

JK: That's one of the big problems with Second Life for a company like Xerox. The company firewall will block access to the Linden servers for both security and content reasons. However, many companies are trying to figure out how to provide safe and secure access to their Second Life environment.

The good new is that Linden Labs has announced an Open Source server, which will enable companies to run their own Second Life server behind the company firewall. This will make everyone happy.

EL: What is the competition like for Second Life  products?

JK: We're starting to see new competitors every day. For example, Sun Microsystems has announced a platform that will enable companies to build and to host a virtual environment on a server. This platform is based on two of Sun's gaming platforms.

There are other systems and platforms on the horizon. The main difference right now is the ease of use. Some systems require you to be an expert in 3D creation tools. If you want to succeed in the Second Life space, you need to make it easy for users to create 3D content.

--

Elizabeth M. Ferrarini is a writer from Boston,  Massachusetts. Reach her at elizabethferrarini@yahoo.com.

by Elizabeth M. Ferrarini

If you want to deploy IT for business value, then you'll need to innovate. That's the mantra of Martin Curley, global director of IT innovation for Intel Corporation, and that's the subject of his book, Deploying IT for Business  Value. Curley is responsible for stimulating, supporting, and nurturing the development of new products, services, and methodologies by Intel's 5,000 IT employees. He also oversees the worldwide Intel Innovation Centres, which enable IT employees to work with Fortune 500 customers and government agencies. He sat down with Enterpriseleadership.org recently to talk about how Intel creates an environment for IT innovators.

EL: Martin, we've interviewed dozens of IT executives from Fortune 1000 companies -- you're the first global director of IT innovation that we've interviewed. Can you tell us about your role? If we were to visit an Intel innovation center, what would we see?

MC: The primary role I have is around stimulating and creating innovation and creating an environment and set of tools to help our IT organization, and folks actually beyond the boundaries of our IT organization, innovate. My organization also does a lot of building prototypes, trying to drive new products and services across the chasm into production at Intel, so our Intel employees and our customers can get more value from IT. I'd almost say, in fact, that there's a new discipline emerging around IT innovation, which is the intersection of information technology as a discipline, and innovation as a discipline.

But if you were to walk into one of the innovation centers -- and we have a network of these worldwide now -- they're not very fancy, they're not high-cost, and you would see Intel IT employees working on some disruptive prototypes -- that might be one activity. You might see some innovation training going on, because there are some emerging tools and techniques that people are just starting to become aware of that can significantly increase the yield of innovation. You might see a customer executive workshop going on -- in our Ireland innovation center, we've hosted more than 20 workshops with various European governments around topics like transforming education or healthcare using IT. You'd certainly see a lot of showcases, and a mixture of sort of soft leadership around emerging practices or the latest Intel products and new usage models associated with those products. So, you'd see a mix of activities

EL: Are the people staffing your innovation centers full-time staff? Or, if someone in the IT group had an idea, could they submit that and be involved in developing the idea in an innovation center?

MC: We have quite a small team, actually, maintaining the infrastructure and creating the environment. There are a number of different mechanisms that enable IT employees who have a good idea to submit that idea. We have a virtual innovation center, and they can submit it there. We have the concept of an innovation assignment; if someone has a particularly good idea, they're able to take time out of their "day job" and work in the innovation center, to bring that idea to fruition. One employee in Sacramento who had a very interesting idea of using our new Viiv technology in the home for remote power monitoring and more efficient use of air conditioning took an assignment, and worked on a project with some of the local utilities there and tried some new algorithms around air conditioning; it looks like it could add significant value.

Or, employees have taken an innovation assignment to work on a specific application that would add value to a particular set of Intel engineering.

EL: So, they are rewarded for coming up with innovative ideas, and  there's a support environment for this?

MC: Exactly. For innovation to prosper, you need to create a "virtuous circle" around it. If you're trying to change a culture to support innovation, you need to have tools and methodologies in place, and you need to have metrics. Andy Grove, one of our founders, often says, if you can't measure it, you can't manage it. So, you need to have different metrics in place. And then you need incentives, to recognize and reward innovators. We'll have some awards for the person who actually discovers and develops an innovation, but we also have one award for an information catalyst, for somebody who was especially effective in creating an environment that enables or fosters innovation.

EL: It's fascinating how that happens -- you have the one guy who has the idea, and the other four who helped to make it happen.

MC: You've just hit on an important point: Innovation is a team sport. To use the soccer analogy, it's important to recognize the person who provided the assist for scoring the goal. For every one person that has the idea, perhaps there are eight or nine or more people who are needed to get that idea into production, get it into use.

EL: You were most recently Intel's director of IT, People,  Intellectual Capital, and Solutions. What exactly did you do?

MC: Five or six years ago, we developed a business plan to help transform the Intel IT organization. And one of the gaps that were identified in the plan was that we weren't managing our global people resource in an integrated fashion -- we had four or five thousand employees across 50 different sites. The role of director of IT, People, Intellectual Capital, and Solutions was created to manage our people as an integrated resource, identifying the future core competencies for the organization and putting curricula in place. We also created an intellectual capital program to encourage IT employees to submit and mention disclosures.

Because Intel created this new position and initiatives, our IT organization is probably the fastest growing contributor to intellectual property. Four or five years ago, perhaps we might've had one patent issued, and today, we're doubling the number of patents, or the number of invention disclosures, every 18 months. And I think this past quarter, we had more than 200 invention disclosures submitted and more than 20 patents approved from our IT employees.

EL: You have a rich environment that really encourages people to innovate, and I can see the relationship to what you did and what you are doing as a direct line. Well, you know Nicholas Carr, and his book, Does IT Matter? One of the points he made in the book is that so many CIOs are stuck in a situation where they're spending 70, 80 percent of their time just keeping the infrastructure running, the lights and phones and the network. And this causes executive management to wonder, well, we could outsource that function, what is it of value do you really provide? From your perspective, what would you say to a CIO trying to get out of that mode?

MC: Nick Carr's book promoted a healthy debate within the IT profession in terms of whether IT can add value. I firmly believe that IT can add competitive advantage, and in some cases, competitive necessity, and some of Nick Carr's premises are based around the view of IT as a utility.

I think it is very important that a CIO look at the IT value chain and understand where the spend is. I wouldn't contest Nick Carr's point that 70 to 80 percent of the spend is in keeping the lights on, and I think the CIO needs to work really diligently to see how that spend can be reduced. One way would be to deploy new technology; for example, remote management technology. A higher-leverage activity that the CIO could take on is using the concept of design for assembly, which is used extensively in the automobile or consumer electronics industries: As you're designing solutions or cars or whatever, you're designing for the lowest operating costs. So if the CIO can inculcate the strategy that when solutions are developed, they're developed for lowest TCO, that would ultimately help.

I think the job of the CIO is to not just to optimize the operation, and make sure service-level commits are met, but to try to take spending out of operations and move it up the value chain into solutions delivery and particularly into innovation. We've seen evidence, some internal and some external, that you'll get a higher return on your dollar if you invest in the innovation space rather than the operations space. There are some role models -- Dell for example, and WalMart -- these are companies where IT really is a competitive advantage, and I think the CIOs there have been really successful in terms of trying to minimize the operations spend and invest in innovations that add value to the business.

EL: Let's talk about using IT as a competitive advantage; how do you go about doing that, what are some ideas around that that would be useful to other CIOs?

MC: We're starting to see a pattern emerge around IT innovation as a process; we see that there are at least six things that have to be in place for an innovation to be successful. The first one is that there is actually a problem or opportunity that needs to be fixed or to be addressed and someone actually has a vision as to how that can be achieved. One example would be Westminster Wireless City -- the CEO there had a vision of how wireless technology could potentially transform the city of London, but he really didn't know how to bring his vision about. He worked with his own IT department and with some support from one of the Intel innovation centers to build a prototype that eventually ran to a working implementation.

But most innovations don't come from "blue-sky thinking"; they come from addressing a specific problem or a potential opportunity. Necessity is the mother of invention, as the saying goes. Typically then, an IT solution has to be associated with fixing a problem or seizing an opportunity, and very often, a business case has to be there. IT went from irrational optimism before the dot.com crash to irrational pessimism, and today there's a modicum of normality coming back to IT investments, but a business case is a prerequisite.

And then there are three vectors where the most difficulty are. As IT professionals, we naturally think of technical risk and the IT solutions. But with every IT investment, there's an associated business investment. There may be a business process change that needs to happen, there may be an organizational change that needs to happen, and the last vector is perhaps the most difficult -- very often a customer change is required, or even a societal change. Many of the innovations that are being introduced today are touching many parts of society, and society's willingness and ability to adopt an innovation are really crucial to the innovation being successful.

EL: So then the question might be, how do you measure the relative  value of IT innovation to profit?

MC: This is something the whole profession has wrestled with. One solution that we find quite effective is what we call the "value dials." We identify the critical business variables at Intel and maintain a list of those, and the monetary value of driving a change in each of them. When we are developing a value proposition for a particular innovation, instead of having a very "wooly" statement -- "This application might improve supply chain flexibility"-- we'll actually hard code into the value proposition that, for example, the goal of this project, which will improve supply chain flexibility, will be to reduce our days of inventory by one day and achieve a one percent market share increase in a particular market.

EL: Ah -- put some real teeth into it.

MC: Absolutely; and we then know the direct value of reducing the days of inventory by a day, or improving our market share by one percent, and that gives us the numbers that form the business case. And then the IT organization or the project team and the business team work together to do the best they can to realize that result. And by measuring that, we can see if the solution or project actually delivered what it set out to achieve?

EL: Does Intel have a budget for IT innovation, or is it parceled out  of everyone else's existing budget?

MC: We do have a budget, and just to recognize that innovation happens everywhere, we have a small part of the budget that is centrally managed, and that part of the budget is to help stimulate and capitalize and create an environment for innovation, and also to do research, we have a central research group that is working on some specific agenda. And then the remainder of the innovation budget is split out amongst our various organizations within the IT organization -- innovation is happening everywhere, and what we are trying to do is to do more innovation more effectively and increase the return on innovation by catalyzing and better supporting innovation.

EL: Tell us about some of the innovation projects that you've worked  on at Intel.

MC: One example of innovation at Intel is of a particular solution under development called Miramar. One of the challenges that companies like Intel face globally is collaborating with employees in different parts of the world and in different time zones. Miramar is an emerging application that we developed to try to provide a solution to that. We have a vision called "better than being there" -- that you could actually have a remote meeting experience that is actually better than physically being in the room with somebody through computer mediation. Miramar is in its early days, but today, we have on employees' desktops we have 3D immersive environments where they can better organize and better locate and better connect information.

EL: To what degree does IT organization carry over to the external,  product side?

MC: Quite a bit; our primary focus is internal, to help the IT organization be more innovative and develop more solutions, but we see an increasing pull on both sides working with our product divisions to give them ideas and help them build new features into the products, and we have done a lot more work with Intel's customers than we originally would've expected to, with, for example, European governments; we will very often work with our sales team and with your fortune 500 execs on exec workshops looking at specific problems and how an innovative solution might be able to help. There is a significant crossover.

EL: Do you see any disruptive innovations that could change IT within the next five years? I'm curious about your views of the use of RFID or WiMax, in particular, are people coming up with ideas on how to use that kind of technology?

MC: Yes indeed, and I think the pace of change in terms of new and disruptive technology emergence is happening much faster than any of us could potentially could have conceived of. I'm sure if you held this interview in a year's time, there are things that will be quite commonplace in our vocabulary that we don't know about today. But you mentioned two specifics, RFID and WiMax. Within Intel and the innovation centers, for example, RFID, we've been involved in projects in a hospital in Korea in neonatal care, where the mother and baby have RFID tags to avoid mixups, and in a hospital in Milan, we've been using RFID working with the hospital and a system integrator to make sure that blood transfusions don't get mixed up. So, RFID in some industries is becoming pervasive; some other industries, it's going to take more time for it to proliferate. WiMax is a hugely exciting technology; it really is the classic disruptive technology and moving very fast. I think in a year's time, if you'd have this interview, I think WiMax will start to widely diffuse, with a 10x degree of deployment of WiMax compared to today; certainly, the economics are staggering compared to putting fiber in the ground, but as happen normally with new technologies, you'll get hype. Gartner has that very famous "hype curve." I think there is a hype around WiMax. However we have been trialing it at the Ireland innovation center and innovation center in the UK, and the performance is very good. We're actually using it in production, we have construction going on of a new factory, and many of the suppliers that are working with us are connected via WiMax, and their internet access is very effective and probably a tenth of the cost of a conventional connection, so WiMax is very exciting and is actually very real.

EL: Well, Martin, thank you for taking some time to talk with us  today, and talking about your program and your people!

--

Elizabeth M. Ferrarini is a consultant for the Swive Group, an IT consultancy based in Boston,  Massachusetts.

In 2000, when Jon Beyman became chief of operations and technology at Lehman Brothers, the global investment firm, he set out to deliver on the company's mission statement: to drive productivity, enabling the firm to generate superior returns. Even the catastrophic events of September 11, 2001, propelled Beyman, along with his heroic IT staff, to make sure the company could resume trading within days. For more than six years, Beyman made his IT staff of 4,000 at Lehman Brothers delivered the services the business needed, and did it at a reasonable cost. In fact, cost containment of IT expenses became the underpinning of Beyman's leadership style.

In 2006, Beyman left the investment firm to spend more time with his family  and to pursue some personal interests.

Recently, enterpriseleadership.org spoke with Beyman about how his staff rebuilt Lehman Brothers' infrastructure following 9/11, what types of cost controls he put in place, and why the need for them. Here's what he had to say:

EL: Where were you on September 11, 2001?

JB: I was standing on the Lehman Brother's London trading floor when the first plane hit the first tower of the World Trade Center. We had offices on the 38th through 40th floors of Tower One in the World Trade Center, and across the street at the World Financial Center.

EL: How did you start the monumental rebuilding task of rebuilding  after 9/11?

JB: We started to rebuild our trading floors immediately after the event took place. We moved more than 4,000 employees into a Jersey City facility that had a data center and space for 1,500 employees. None of these people had PCs. We ordered more than $100 million worth of networking and computer equipment directly from the vendors without any formal paperwork. I was on the telephone with CEOs from Sun, Cisco, EMC, and Compaq.

We relied on everyone's unbelievable imitative to put Humpty Dumpty together again. On Thursday, September 13, we were able to trade in the bond markets. The following Monday when the New York Stock Exchange opened, we were able to trade that day.

I didn't worry for months after getting back my cost controls. I focused on  how to keep the firm going.

EL: What did you come away with from this situation?

JB: We thought we had built this unbelievably resilient IT infrastructure. Now, we had to take disaster recovery to an entirely new level of seriousness than we ever had before. We built additional trading floors in Jersey City, so if a disaster strikes again, traders in NYC can go to these unused floors. The telephone system even enables traders to connect directly with customers.

EL: Outsourcing of Lehman Brothers' telecom expense was a big  priority for you. Why?

JB: We had more than $100 million worth of telecom equipment, including 20,000 phones in NYC for 8,000 employees. We also had a lot of complicated ring-downs and point-to-point circuits, and we had an impossible time tracking all of the cell phones and Blackberries we gave to employees. Our power pricing was based on individual deals.

No one works on Wall Street to look at phone bills, which is a tedious process to manage. You need to know what's on your bills, what type of equipment you have, and what your contract says. I knew we weren't going to do a good job of tracking all of these things accurately. I believe that telecom companies rarely give you a completely accurate bill.

I outsourced our telecom expense management to TNT. If TNT finds an overcharge or an inaccuracy on one of our bills, then it gets a certain percentage of each dollar it collects or it saves us. TNT also negotiates all of the telecom contracts, seeing what the telcos would accept. From 2001 to 2006, TNT saved Lehman Brothers in excess of $35 million.

Lehman Brothers has a reputation on Wall Street for being one of most cost conscious and hardest drivers of saving money. The strategy to outsource our telecom management to TNT aligned well this strategy. We were able to offer the best telecom services for the lowest cost.

EL: How would you rate how well other companies handle their telecom  expenses?

JB: Most companies don't have a good handle on their telecom expenses. To begin with, most companies don't have the experts in-house who can negotiate telecom deals and who can track telecom expenses accurately. Besides, a lot of IT organizations don't want to handle telecom. They have more interesting and value-add work they'd rather be doing than telecom.

If you want to handle telecom expense management in-house, you're going to spend a lot of money for the right personnel and processes. You also need to be committed to understanding your telecom expenses. That's why it makes sense for a global company to outsource this task.

EL: How did you drive innovation at Lehman Brothers?

JB: You can waste a lot of money trying to innovate, especially if you do it wrong. My innovation philosophy was simple: to make sure every dollar we spent generated some sort of return. To this end, I made the IT staff understand what both perpetual returns and absolute returns were, and how we deployed all resources. I also made sure that the business units, the people footing the IT bills, really understood what they wanted, how much it cost, and what they could expect for a return.

I hired the smartest and most creative IT people I could find, and I paid them well. They had the freedom to work on a variety of business problems. I also made sure that we had some really smart people managing projects tightly and getting every dollar they could out of them.

Technology enabled us to be innovative about the way we solved business  problems.

EL: Can you describe the theme of your chapter in the book,  Managing the Technology Team? 

JB: IT organizations get knocked because they spend money badly and without accountability. My chapter, called "Sunlight the Great Purifier," talks about making IT processes transparent and making sure people understand how money is spent and are held accountable for those expenditures. The title is from Chief Justice Brandeis's famous line, "Sunlight is more like a disinfectant, and electric light is the best policeman."

EL: What type of a governance model did you have at Lehman  Brothers?

JB: Our large projects went very smoothly because of lots of reporting, design reviews, and health checks. We handled small projects very well, too. When it came to medium-size projects, we were always at the mercy of the project manager's competence to handle technical issues, to resolve budget problems, and to deal effectively with staff. Without a lot of transparency and accountability, you don't find out how bad things will turn out until the project manager fails to deliver.

I made sure everyone had a common language, and a common framework for understanding what things needed to be done. The project management office did health checks. Senior people from the infrastructure group did design reviews. We had peer reviews on various types of technology.

EL: Looking back, what would you have done differently as  CIO?

JB: Not much. I had several multi-year projects that I accomplished. I made sure the yearly projects got done on time and within budget. I worked hard to improve IT cost controls and the relationship between IT and the business unit. Perhaps I could've done more in this area. Sure, I did question the way some transactions turned out.

EL: How are you spending your free time?

JB: I've been taking history courses at Columbia University and teaching a course called, "The Management of Technology" for the University of Connecticut's MBA program. I'm also on the board of a charity, DonorsChoose, to fund public school projects.

EL: Do you plan to return to IT?

JB: Now that my non-compete agreement with Lehman Brothers is over, I'm free to look at a variety of opportunities. I'm looking forward to a period of exploration. That's all I'm going to say on the subject.

--

Elizabeth M. Ferrarini is a free-lance technology and  business writer from Boston, Massachusetts. You can reach her at elizabethferrarini@yahoo.com.

by Deb Radcliff

The job description of a hybrid Chief Security Officer (CSO) with responsibility for physical and IT security has been elusive ever since the American Society of Industrial Security formally began defining such a role in 1999 during its national conference in Washington, D.C. Even today, if you ask ten experts, you'll get as many different

opinions -- all of which still fall into one of the same two camps.

To the enterprise-centric, it means blended identity and access management systems, maybe even security systems (e.g., cameras, videos, door entry) running over an IP network. But CSOs who've been at this a while say it's much more the convergence of physical and technical security. As such, their hands are just as full, with executive protection, workplace violence, regulatory compliance, supply chain, conflict-of-interest, disaster operations and other risk areas competing for their attention.

"People have been talking about the concept of how security interrelates and comes together for some time," says Tim Williams, CSO of Nortel, with a 25-year background in corporate security compliance starting with Proctor Gamble in the 1970s. "What it really boils down to is layers of interdependencies between all our business operations prioritized by what we deem most critical to our operation, which is the intellectual property and capital that comes from our employees."

Figure 1. Earnings drivers. Nortel Networks Corporate Security analyzed corporate strategy, the processes, and assets that drive our success and the risks jeopardizing all. Every company will have its own set of earnings drivers and risks to consider when integrating security with enterprise strategy.

Where convergence occurs, then, is where interdependencies naturally  arise.

On an organizational level, for example, this would mean the guard needs to be trained in data center disaster recovery and understand that physical security in the data center is wound around audit trails, which only approved people have physical access to, says J.P. Callahan, operations security executive, customer data center security, Verizon Business. On a tactical level, convergence occurs when you replace a guard's station with a self-sign-in kiosk that can be watched remotely over the enterprise network.

Form Partnerships Now

Such technological convergence is already occurring. By 2007, the physical and IT security convergence market will command global revenues of over $6 billion, exceeding $22 billion by 2010, according to 4A International, a converged security analyst and consultancy firm based in Chicago.

"In five years, all of the systems that physical security relies on will be developed by IT companies," says Steve Hunt, President and founder of 4A. "That means that the IT professional, whether he likes it or not, becomes a major influencer in corporate physical security. My advice is not to let it go to your head. Form constructive relationships with your security staff today rather than wait for political battles tomorrow."

Such partnerships are critical, agrees Williams. Williams, with a staff of 18, reports to the VP of corporate compliance with what he calls a dotted line to the CIO.

"If we've had any level of success here at Nortel it's because of the CIO/CSO relationship and the drive of our CIO to make security part of our culture," Williams says. "I'm joined in my objectives with his objectives to provide a more secure network."

Tearing down silos is one of the biggest challenges facing the integrated CSO, says John Pontrelli, CSO of TriWest Healthcare Alliance, a medical services outsourcer for the U.S. government.

"My job is to take the hot seat for security, and that includes data on the enterprise network. When I explained that, our CIO was more than happy to defer that risk to me," says Pontrelli, who reports to the COO.

To do so means aligning with the CIO in a shared vision of protecting the network and the human capital that represents, he continues, adding, "We've got to have mutual respect, and the ability to work together quickly to support fast-moving business applications."

Pontrelli, like Williams, has a long history in converged security. In the mid-1990s, he set up the first combined physical/IT security group at Microsoft, then again at Gore Associates (the company behind Goretex and Teflon), before coming to TriWest in 2003 to do the same. Of his nine reports, four are directly responsible for network event monitoring and access security. And he co-located his physical and technical security staff to stimulate cross-training between the two groups.

Hunt praises TriWest as one of the truly converged organizations in a small portfolio of perhaps a dozen Fortune 500 organizations trying to manage the two disciplines under the single title of CSO.

At ten years old, TriWest has the advantage of being agile enough to grow up with a convergence mentality, says Pontrelli. Older companies are less nimble, particularly if there've been mergers and acquisitions, taking on average about five to six years to converge security across their organizations.

"There's a veritable dearth of awareness about what it's going to take to manage security that utilizes the best of physical and the best of IT security," adds Hunt. "From the IT side, there's little awareness of the politics of regulatory compliance, budgeting, and the business and architectural value of building streamlined systems and functionality."

Layers of Accountability

That's why Williams helped to develop the ASIS CSO  Guideline, published in 2004. In the report, Information Technology is identified as one of many risk areas under the responsibility of the CSO. Others, equally important, include human resources and intellectual assets, ethics and reputation, financial assets, IT systems, transportation, distribution and supply chain, legal, regulatory and general counsel, physical and premises, environmental, and health and safety.

Also in 2004, Williams developed a roadmap around Nortel's inter-dependencies where shared risk resides, the results of which were published in a Nortel white paper titled "Integrated Enterprise Security," released in 2004.

"In our plan, business continuity must have a cross-functional relationship with risk management, finance, and control areas where they move together across the organization," Williams says. "So we assess risk across the organization with an emphasis on business drivers: What are the risks to those drivers and what are the interdependent risks between functions and processes?"

Figure 2. For integrated security to be most effective, the enterprise will need to map security processes within each discipline and document where different groups have process ownership and cross-functional responsibility.

Once this mapping was completed, Nortel had identified who owned what security processes and the cross-functional team members working to support them. Interestingly, Information Security was owner of, or cross-functional partner in, all but three categories.

That's because much of corporate risk today is regulation-driven. And technology provides the best means of meeting new regulatory requirements.

"Right now, auditors have to go around and visit each business group and look for physical signatures on documents. Why not sign them electronically?" explains Callahan. "You can also answer other questions. Like who was physically in the room when something happened on the computer network?"

Logically, we do this very well, he continues. If there's a problem, firewall logs go off and correlate with access and security event management to tie everything together at a time and place. Just like our logical systems, he adds, we need a physical dashboard to manage events at the facilities level.

Pontrelli's already converged physical security information gathering into his 21-state enterprise network. Alarm monitoring, door activity, cameras, intrusion detection, and burglar systems for more than 150 sites ride over the corporate IP network.

"To me, it's all about data," Pontrelli says. "So if I'm not going to integrate my security systems with my data systems, then why bother?"

Falling Through the Cracks

Without integration, he adds, critical information can fall through the cracks and create new risk. As an example, Williams retells the story of how a Nortel client's corporate data center was shut down for hours because a contract security guard mishandled a prank bomb threat and evacuated the data center staff.

Another client, he says, kept getting its system hacked by authorized user passwords even after they were reset. Suspicious, corporate security finally observed the dumpster late at night after a janitor recalled "homeless" people near the bin after hours. Turns out the homeless were hackers that were "dumpster diving" for passwords on sticky notes, forms and other slips of paper the employees threw in their garbage cans.

Ultimately, that's where physical and IT security most come together: In educating employees, explains Callahan. The Nortel interdependency matrix supports this, with cross-over functionality listed for all risk factors in the category of employee education.

So, to prevent the tossing of passwords into the garbage, password protection and shredding policies should be taught together. And if you're teaching them about a new physical/logical security access card, remind them that bad guys can circumvent this security when they "tailgate" close behind an authorized employee into the building, just as easily as they can "shoulder surf" information off their open computer screens by reading over their shoulders.

"To ASIS, their vision of the CSO is the single stop for four different risk management disciplines," Pontrelli explains. "Information security, physical security, risk assessment, and business continuity. These are all wrapped into what we call the 21st-Century CSO."

It doesn't matter how you get to the job of CSO, continues Pontrelli. It could be the path he and Williams took, as both have military security backgrounds and went corporate with business management degrees and CISSPs. Or it could be CISOs who've trained with ASIS and other security training and membership organizations.

That's because the role is not so much about facilities and technology as it is about identifying and managing risk across the organization.

"Who's better equipped to handle this, the CISO or the CSO?" asks Williams. "That would depend on the person's business acumen, leadership characteristics and political skills needed to drive the function."

Of Note

In February, the Alliance for Enterprise Security Risk Management (AESRM) www.aesrm.org, announced a series of studies it  will release on the matter of convergence at security conferences starting in  June.

These conferences will be hosted by the three organizations responsible for the 2005 formation of AESRM to provide guidance on matters of convergence, including integration of technologies, value proposition, international security, and the formation of risk councils. The groups behind AESRM include American Society for Industrial Security or ASIS www.asisonline.org, Information System Audit and Control Association (ISACA) www.isaca.org the Information System Security Association (ISSA) www.issa.org.

--

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as researcher on a book about infamous hacker, Kevin Mitnick back in 1995.