www.canadiansecuritymag.com

Breaking new ground

Senior security professionals discuss with Canadian Security and sponsor Intercon Security the challenge of selling IT and physical convergence to stakeholders.

Convergence, or the integration of IT and physical security systems, has a lot of people talking these days, but are Canadian companies really finding value in unifying systems from two very different camps? Canadian Security magazine recently sat down with senior executives from some of the top names tackling security convergence — from both the end-user and vendor side — to discuss the challenges of breaking down silos and changing how security is viewed by business units. Can security really be an enabler of cost reduction and efficiency?

In some organizations, IT and physical security have found ways to work together and save people time and their companies money, but not without a lot of hard lessons learned and heart-to-heart talks along the way. The pioneers in this arena come from finance, health care, education, utilities and commercial property. Helping them do it are integrators from both physical and IT security. And while they admit they don’t have all the answers, they have lived through some interesting implementations.



November 7, 2007
By Jennifer Brown



CSM: What are the benefits of unifying IT and physical security systems?

David Stolovitch
Assistant Vice-president IT and Security Governance
Enterprise Information Security
SunLife Financial

Stolovitch: You have to look at it from a business perspective, not
just the security perspective. You’re seeking a cost advantage in terms
of operating on common infrastructures and when it is an IP network
that already exists in the company so you don’t have to duplicate. You
can get away from vendor proprietary protocols for how it all works,
which means you’re not locked into one vendor. If you’re operating off
an IP protocol there are places you can go if you need to swap out
pieces of technology for other components. From a technical support
perspective, it’s easier and cost efficient. People in security are
always seeking ways to get the most mileage out of their budgets to use
elsewhere in the security program.

Tyson Johnson
Manager, Physical Security
TD Bank Financial Group

Johnson: David’s point is bang on. At TD we have to look at what we’re
selling to the business units. We need to make an argument from a man
hours point-of-view. If an administrator in a business unit has to
spend six hours a month doing attestation and handling access card
issues, that’s six hours a month they aren’t doing core business
functions. If we can integrate it and have the security group as the
single point of contact and there are other ways to free up time and
streamline the processes of non-security personnel, that’s a huge
benefit.
We have started a major access control integration process across our
corporate footprint. Right now, pretty much every business unit is
responsible for going out and sourcing its own access control systems,
so we have multiple systems on multiple platforms being taken care of
by multiple vendors and we’re not getting the best bang for the buck
and we aren’t, as a security group, able to oversee the organization
holistically regarding access control or where we have problems or need
to identify trends. We need to bring it back to a centre point and IP
allows us to do that.
It works to the vendor’s advantage as well because they have a single
point of contact to deal with at the corporate level.

Todd Milne
Corporate Manager, Security Operations
University Health Network

Milne: There are
obvious benefits, but the initial part is there’s a lot of cost in
moving to the IP component. Right now we have our security systems in
the field and we definitely want to develop our own security network
and therein lies the problem. In order to develop our own security
network there’s the initial cost to that. The initial cost may be
large, but at the end of the day you’re going to save costs as well.
Once we get the funding we totally support security and IT becoming
much more integrated than it is now. A couple of years ago having IT
get involved in security was almost a no-no — IT didn’t want anything
to do with security — it was, ‘We don’t want your video on or IP
address chewing up our bandwidth’ and all of that. I can see there is a
turnaround and they are embracing the idea of IT and security together.

Minaz Jivraj
School Safety and Security Officer
Dufferin-Peel Catholic District School Board

Jivraj: I think Todd makes a very good point. While a lot of large
organizations have the infrastructure in place, it’s a matter now of
trying to make a case to dovetail with what is there. The challenge is
getting IT to accept some of what’s out there to run on their platform.
I’ve been fortunate that I have someone in my organization who buys
into what I do and lets me get on the network, but not without at least
giving them the products to test out before letting us go on the
network. While integration has good prospects, there are challenges for
the majority of companies that are still building infrastructure. What
happens to an organization that doesn’t have infrastructure in
existence to do integration? For smaller organizations that have small
IT functionality that still can’t accept “security” within that
context, it’s a problem.

Ted Maulucci
Chief Information Officer
Tridel

Maulucci: There’s a whole new opportunity here and it’s a leap of
faith. The challenge is how do you quantify what the value is? Security
is just one piece that fits in that overall picture which is to create
that backbone that gives you scalability and makes people’s lives
better as well. When you start to push the boundaries and you want
innovation, you need to take a leap of faith. The junior staff who work
with me call me a salesman and I hate it. I’m selling the vision and
part of the return is not about tangible hard dollars. Part of the
return you don’t even know. You’ve got to believe and take the risk and
do it.

Dave Dickson
Security & Surveillance Lead
IBM Canada

Dickson: To make an investment in security convergence you have to
prove there is a business case in terms of lowering your costs on a
common infrastructure. However, we’re also seeing in some sectors that
you can increase revenues with convergence. But I think there’s another
issue here and that a board of directors has a legal responsibility for
the health, safety and security of their employees, suppliers and
clients, so collaboration/convergence allows that new governance to
take place where the board now has direct control. For example, working
through the CSO title, to manage that at an enterprise level, and up to
now that hasn’t been possible. I think it’s a legal issue that wasn’t
there before.

John Sheridan
Director, Security Solutions, Nortel

Sheridan: There are many technical and cost benefits to integration —
the common wire and not being tied to a specific vendor; the technical
reasons for having cameras and access cards and logical security all
tied together, but to me the key benefit for integration is that the
functionality within the enterprise has moved up a level on the food
chain so that the enterprise client can now determine, using software,
exactly how they want to use the security system. It may address
corporate governance issues the organization is facing, it may provide
rudimentary safety and security to its stakeholders, but once these
systems are converged the folks building the software and middleware
products can tailor the entire safety and security infrastructure to
specific requirements.

Gord Chizmeshya
Senior Account Executive,
National & Enterprise Solutions
Intercon Security

Chizmeshya: We’ve always tried to identify
things that make accountability and auditability within any given
system a key mission. Depending on how evolved the thinking is of your
client that will certainly determine how broad a scope they cover.
There’s a lot of discussion about interoperability and convergence.
Even the most organized, technically sound, automated companies
struggle with the simplest personnel termination/transfer issues. I
think as it moves up the food chain the umbrella will cover broader
ground and reduce costs and allow centralized administration and better
accountability.

Jivraj: This is all great, but I think it’s envisioning something for
the future. The challenge is about changing attitudes for today. I
think it’s a turf protection issue more than anything else. You have
two different worlds from the corporate structure saying ‘You can’t do
that,’ and when you try and dialogue about what they’re refusing to let
you do it turns out it’s about turf that has been someone else’s for
many years.
This is an education process — the fundamentals of Selling 101. You
need to educate your client and failing to educate your client will not
get you results. I was successful because I had the ability to get
someone to listen to me. It’s the process of education and putting them
in your context and making them understand what is beneficial.

James Quin
Senior Research Analyst
Info-Tech Research Group

Quin: We’ve discussed what the drivers are, but we haven’t discussed
who is driving it? Is it a push from IT to take over physical security
or is it a push from physical security to take over part of the IT
component?

Tyson: It’s physical security who is driving it and we work
hand-in-hand with our IT group. We had the same initial problems of
them saying ‘Wait, you can’t come in here and play.’ We used a soft
sell to say ‘We’re not here to take anything over, we’re here to make
everyone’s job a little smoother, but we need you to help facilitate
that.’

Jivraj: You’re right, it is physical security driving things. I
think where the challenge lies is in the embedded attitudes we need to
break down.

Ian Collins
Vice-president of operations
Toronto Hydro Telecom

Collins: In terms of selling it and who do you sell it to, I subscribe
to the idea of enlightened self-interest. You need to explain things in
terms of what they are looking for and fulfilling that in a painless
way. If you go in with a sledgehammer and say ‘We’re going to take
over’ you will get push back. If you can present it in terms of saving
money or making their job easier you’ve got their attention almost
immediately.

Milne: For us, it is physical security that is driving this. Coming
from health care, right now IT is primarily responsible for clinical
functions rather than operational. For us, IT is so focused on clinical
demands we are taking a back seat and that’s where we have to get the
self-enlightenment going on to say we are part of the clinical aspect
of things. If, in the event of an outbreak, we have to lock down and
people are coming into our facilities for inoculations and we have to
keep track of who gets what and how much, they want to know if they can
piggy back on our photo ID card system. So now they want something from
me and I can say, ‘Sure, I can help you out, but can you help bring our
operational part into clinical?’


Dickson: Typically, it’s physical and IT security driving this, but I
also see a team of people from the corporate level, and almost every
business unit, as part of this. With convergence you can have shared
wealth, so to speak. Risk management, insurance, the network people —
all these people who wouldn’t typically be in a security decision are
now in the room. Don’t forget senior management — they are very aware
of the new technology and are also aware of whether they want
convergence or not.


CSM: Are there enough people out there qualified to do this?

Stolovitch: Absolutely not. A person who is able to span both IT and
physical security is extremely rare. The challenge is to bring both
together and then bridge the cultural gaps of the IT people versus the
more traditional physical security people and get them to work
collaboratively toward some common solutions.
This is an evolution of the security professional. If you look at the
security trade journals you are starting to see more IT security
content, there’s also more exposure to it at security conferences and
the ASIS physical security professional program has more content
related to security systems as they relate to IP and that reflects the
reality of products now coming on the market.

CSM: How do you overcome the challenges of turf wars and lack of expertise?

Johnson: The reason we have turf wars is because a lot of organizations
don’t structure themselves properly when it comes to their security
model. In a true CSO model, your IT security and physical security are
working on the same projects. A lot of organizations still have one
sandbox as the IT security group and one sandbox as physical security
and never the two shall meet. You spend so many cycles trying to broach
one subject or another that you’ve delayed a successful implementation
by weeks or months. Organizations really need to ask, ‘How do we
structure security?’

Stolovitch: You end up with some very silly things
happening when IT security people specify physical security for say, a
data centre or LAN closet. What they come up with is just totally
different than what physical security would do according to physical
security standards. You also end up with questions like, ‘Who has
responsibility for the security awareness program?’ The fact is it’s
all security to the average employee. You want an integrated security
program so that whatever the key messages are for security, all
employees are getting a consistent message in a consolidated package
and that leads to improved employee behaviour for security awareness.


Chizmeshya: The ultimate accountability for a lot of what goes on in an
organization is still at the executive level. I would consider both IT
and physical security, merged or not, to be critical support services
to the execution of company policy. So it really comes down to mandate
— if there is a mandate to protect a trading floor or server room, in
order to sell that well internally it’s simply a matter of saying here
are the options in terms of the tools we can use and these are more
automated and these are less costly. You have to find the equilibrium
between design and your program. If you don’t blend the two you’re
wasting money.

Sheridan: I think we need to cut the industry some slack because it is
an evolution. On the technical side you have some installed legacy
systems that have to be slowly changed out, and on the people side you
have installed silos of organizational structures that need to be torn
down. The more progressive industries are tearing those walls down
faster, and moving faster than others. We’re seeing strategic and
systemic changes happening inside our organizations that were unheard
of five years ago, so I’m encouraged by that.

CSM: Where will convergence be a year from now?

Quin: We are at a very early phase of integration with some of the
largest enterprises that exist in this country. I’m going to be
pessimistic and say we’re not going to be much further ahead than we
are now. It won’t be pushed down to the medium or the small enterprise.
Until integration is simplified and sold as a package, it will have
value only to large enterprises.

Stolovitch: I don’t think we will see radical progress, but incremental
progress. It’s a major development for security and it’s going to take
years.

Milne: I expect we will be a lot further than we are now. The first
challenge is to know what you want and that’s half the battle.

