The 21st-century CSO
by Deb Radcliff

Related podcast: CONVERGENCE: Podcast interview with Tim Williams, CSO, Nortel; and Steve Hunt, former Forrester analyst and founder of 4AI

The job description of a hybrid Chief Security Officer (CSO) with responsibility for physical and IT security has been elusive ever since the American Society of Industrial Security formally began defining such a role in 1999 during its national conference in Washington, D.C. Even today, if you ask ten experts, you'll get as many different opinions, all of which still fall into one of the same two camps. To the enterprise-centric, it means blended identity and access management systems, maybe even security systems (e.g., cameras, video, door entry) running over an IP network. But CSOs who've been at this a while say it's much more: the convergence of physical and technical security. As such, their hands are just as full, with executive protection, workplace violence, regulatory compliance, supply chain, conflict-of-interest, disaster operations and other risk areas competing for their attention.

"People have been talking about the concept of how security interrelates and comes together for some time," says Tim Williams, CSO of Nortel, who has a 25-year background in corporate security and compliance starting with Procter & Gamble in the 1970s. "What it really boils down to is layers of interdependencies between all our business operations prioritized by what we deem most critical to our operation, which is the intellectual property and capital that comes from our employees."

Figure 1. Earnings drivers. Nortel Networks Corporate Security analyzed corporate strategy, the processes, and assets that drive our success and the risks jeopardizing all. Every company will have its own set of earnings drivers and risks to consider when integrating security with enterprise strategy.

Where convergence occurs, then, is where interdependencies naturally arise.
On an organizational level, for example, this would mean the guard needs to be trained in data center disaster recovery and understand that physical security in the data center is wound around audit trails, which only approved people have physical access to, says J.P. Callahan, operations security executive, customer data center security, Verizon Business. On a tactical level, convergence occurs when you replace a guard's station with a self-sign-in kiosk that can be watched remotely over the enterprise network.

Form Partnerships Now

Such technological convergence is already occurring. By 2007, the physical and IT security convergence market will command global revenues of over $6 billion, exceeding $22 billion by 2010, according to 4A International, a converged security analyst and consultancy firm based in Chicago. "In five years, all of the systems that physical security relies on will be developed by IT companies," says Steve Hunt, President and founder of 4A. "That means that the IT professional, whether he likes it or not, becomes a major influencer in corporate physical security. My advice is not to let it go to your head. Form constructive relationships with your security staff today rather than wait for political battles tomorrow."

Such partnerships are critical, agrees Williams. Williams, with a staff of 18, reports to the VP of corporate compliance with what he calls a dotted line to the CIO. "If we've had any level of success here at Nortel it's because of the CIO/CSO relationship and the drive of our CIO to make security part of our culture," Williams says. "I'm joined in my objectives with his objectives to provide a more secure network."

Tearing down silos is one of the biggest challenges facing the integrated CSO, says John Pontrelli, CSO of TriWest Healthcare Alliance, a medical services outsourcer for the U.S. government. "My job is to take the hot seat for security, and that includes data on the enterprise network.
When I explained that, our CIO was more than happy to defer that risk to me," says Pontrelli, who reports to the COO. To do so means aligning with the CIO in a shared vision of protecting the network and the human capital it represents, he continues, adding, "We've got to have mutual respect, and the ability to work together quickly to support fast-moving business applications."

Pontrelli, like Williams, has a long history in converged security. In the mid-1990s, he set up the first combined physical/IT security group at Microsoft, then again at Gore & Associates (the company behind Gore-Tex and Teflon), before coming to TriWest in 2003 to do the same. Of his nine reports, four are directly responsible for network event monitoring and access security. And he co-located his physical and technical security staff to stimulate cross-training between the two groups.

Hunt praises TriWest as one of the truly converged organizations in a small portfolio of perhaps a dozen Fortune 500 organizations trying to manage the two disciplines under the single title of CSO. At ten years old, TriWest has the advantage of being agile enough to grow up with a convergence mentality, says Pontrelli. Older companies are less nimble, particularly if there've been mergers and acquisitions, taking on average about five to six years to converge security across their organizations.

"There's a veritable dearth of awareness about what it's going to take to manage security that utilizes the best of physical and the best of IT security," adds Hunt. "From the IT side, there's little awareness of the politics of regulatory compliance, budgeting, and the business and architectural value of building streamlined systems and functionality."

Layers of Accountability

That's why Williams helped to develop the ASIS CSO Guideline, published in 2004. In the report, Information Technology is identified as one of many risk areas under the responsibility of the CSO.
Others, equally important, include human resources and intellectual assets, ethics and reputation, financial assets, IT systems, transportation, distribution and supply chain, legal, regulatory and general counsel, physical and premises, environmental, and health and safety.

Also in 2004, Williams developed a roadmap around Nortel's interdependencies where shared risk resides, the results of which were published in a Nortel white paper titled "Integrated Enterprise Security," released in 2004. "In our plan, business continuity must have a cross-functional relationship with risk management, finance, and control areas where they move together across the organization," Williams says. "So we assess risk across the organization with an emphasis on business drivers: What are the risks to those drivers and what are the interdependent risks between functions and processes?"

Figure 2. For integrated security to be most effective, the enterprise will need to map security processes within each discipline and document where different groups have process ownership and cross-functional responsibility.

Once this mapping was completed, Nortel had identified who owned what security processes and the cross-functional team members working to support them. Interestingly, Information Security was owner of, or cross-functional partner in, all but three categories. That's because much of corporate risk today is regulation-driven, and technology provides the best means of meeting new regulatory requirements.

"Right now, auditors have to go around and visit each business group and look for physical signatures on documents. Why not sign them electronically?" explains Callahan. "You can also answer other questions, like who was physically in the room when something happened on the computer network?" Logically, we do this very well, he continues: if there's a problem, firewall logs go off and correlate with access and security event management to tie everything together at a time and place.
Just like our logical systems, he adds, we need a physical dashboard to manage events at the facilities level.

Pontrelli has already converged physical security information gathering into his 21-state enterprise network. Alarm monitoring, door activity, cameras, intrusion detection, and burglar systems for more than 150 sites ride over the corporate IP network. "To me, it's all about data," Pontrelli says. "So if I'm not going to integrate my security systems with my data systems, then why bother?"

Falling Through the Cracks

Without integration, he adds, critical information can fall through the cracks and create new risk. As an example, Williams retells the story of how a Nortel client's corporate data center was shut down for hours because a contract security guard mishandled a prank bomb threat and evacuated the data center staff. Another client, he says, kept getting its systems hacked via authorized users' passwords even after they were reset. Suspicious, corporate security finally observed the dumpster late at night after a janitor recalled "homeless" people near the bin after hours. It turned out the homeless were hackers "dumpster diving" for passwords on sticky notes, forms and other slips of paper the employees threw in their garbage cans.

Ultimately, that's where physical and IT security most come together: in educating employees, explains Callahan. The Nortel interdependency matrix supports this, with cross-over functionality listed for all risk factors in the category of employee education. So, to prevent the tossing of passwords into the garbage, password protection and shredding policies should be taught together. And if you're teaching employees about a new physical/logical security access card, remind them that bad guys can circumvent this security when they "tailgate" close behind an authorized employee into the building, just as easily as they can "shoulder surf" information off open computer screens by reading over their shoulders.
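The correlation Callahan describes, tying a network event to who was physically in the room at that time and place, as an added example that is not code from the article or from any organization it quotes: it joins constructed badge-reader events with constructed console-login events and flags logins by users the badge system does not show as present, the footprint a defender would look for after a tailgating incident or a shared credential. Room names, users and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class BadgeEvent:
    ts: datetime
    user: str
    room: str
    direction: str          # "in" or "out"

@dataclass
class NetEvent:
    ts: datetime
    user: str
    room: str               # room where the console/host physically sits
    action: str

def present_in_room(badges, room, at):
    """Users whose most recent badge event for `room` at or before `at` was an entry."""
    last = {}
    for b in sorted(badges, key=lambda b: b.ts):
        if b.room == room and b.ts <= at:
            last[b.user] = b.direction
    return {u for u, d in last.items() if d == "in"}

def unexplained_console_logins(net_events, badges):
    """Console logins in a room by a user the badge system does not show as present."""
    return [e for e in net_events
            if e.action == "console_login"
            and e.user not in present_in_room(badges, e.room, e.ts)]

def _t(hhmm):  # constructed timestamps, all on one day
    hh, mm = map(int, hhmm.split(":"))
    return datetime(2006, 7, 5, hh, mm)

# Constructed sample data: badge reader at data center room DC1 and console logins there.
BADGES = [
    BadgeEvent(_t("08:00"), "alice", "DC1", "in"),
    BadgeEvent(_t("08:05"), "bob", "DC1", "in"),
    BadgeEvent(_t("09:00"), "alice", "DC1", "out"),
]
NET_EVENTS = [
    NetEvent(_t("08:30"), "bob", "DC1", "console_login"),    # bob badged in: explained
    NetEvent(_t("08:40"), "carol", "DC1", "console_login"),  # no badge record at all: flag
    NetEvent(_t("09:30"), "alice", "DC1", "console_login"),  # alice badged out at 09:00: flag
]

if __name__ == "__main__":
    for e in unexplained_console_logins(NET_EVENTS, BADGES):
        print(f"{e.ts:%H:%M} {e.user} logged in at {e.room} console with no matching badge entry")
```

In a real deployment the badge and network feeds would come from the SIEM the article mentions, and the flagged events are alerts for follow-up, not proof of misuse.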
"To ASIS, their vision of the CSO is the single stop for four different risk management disciplines," Pontrelli explains. "Information security, physical security, risk assessment, and business continuity. These are all wrapped into what we call the 21st-Century CSO."

It doesn't matter how you get to the job of CSO, continues Pontrelli. It could be the path he and Williams took, as both have military security backgrounds and went corporate with business management degrees and CISSPs. Or it could be CISOs who've trained with ASIS and other security training and membership organizations. That's because the role is not so much about facilities and technology as it is about identifying and managing risk across the organization. "Who's better equipped to handle this, the CISO or the CSO?" asks Williams. "That would depend on the person's business acumen, leadership characteristics and political skills needed to drive the function."

Of Note

In February, the Alliance for Enterprise Security Risk Management (AESRM), www.aesrm.org, announced a series of studies it will release on the matter of convergence at security conferences starting in June. These conferences will be hosted by the three organizations responsible for the 2005 formation of AESRM to provide guidance on matters of convergence, including integration of technologies, value proposition, international security, and the formation of risk councils. The groups behind AESRM are the American Society for Industrial Security (ASIS), www.asisonline.org; the Information Systems Audit and Control Association (ISACA), www.isaca.org; and the Information Systems Security Association (ISSA), www.issa.org.

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as a researcher on a book about the infamous hacker Kevin Mitnick back in 1995.
Tags : Innovation, Security, IT Management, Strategy, Best Practices, Governance, ITIL, Compliance, Open Source
posted by importer importer on Wednesday, July 05 2006 |