Can integration solve all our security problems?

As belts tighten in organizations and upper management has all eyes
focused on the bottom line ROI of every business unit, security
professionals must continually seek methods to reduce costs, while
maintaining reduced risks and increasing regulatory compliance.

A combined dose of the fundamentals and continual innovation seems to
be what the doctor orders to successfully meet security demands and
simultaneously elevate security in the organization, according to a
number of experts and security directors.

According to Peter Martin, president of security provider AFI
International Group, security has in past years been able to run with
small oversight. But, those days have come to an end, demanding for
many a return to business basic.

“Post-911 everyone’s (security) budgets inflated. And for the
consulting business and the security outsourcing business these were
fabulous times for us. People had blank cheques, big budgets; you could
write down a lose plan on a napkin and away you go.”

Seven years and a troubled economy have changed that, and organizations
are demanding security more closely align to the business, as well as
show ever-increasing accountability.

“Gone are the days when a company wants a security expert,” says
Martin. “They want a business expert with a strong focus on security.”

Security systems provider Johnson Controls says the key in today’s
economy is to focus on the integration of the “four pillars of
security”: event management, identity management, building management
and compliance management.

While the technology exists to help tie these areas together, the
challenges posed by them and their integration are rarely ones solved
by technology alone.
Quite often the problem is one of collaborating with disparate parts of
the organization. This can be especially true when it comes to
integrating building management (such as lights and utilities) with
more traditionally viewed aspects of security, suggests Mark Thomas,
the regional manager of Johnson Controls’ fire and security division.

“Traditional thinking is that they cannot possibly happen at the same
time: a force of people responsible for physical security, or an IT
department, and then another department responsible for physical
comfort of the building all working together. Our strategy is to
demonstrate that they can all be tied together.”

Thomas says efficiencies can be discovered through tying together
systems like identity management and building management. A simple
example, becoming more common in “smart buildings,” is lighting systems
that shut down when the identity management system communicating the
building has become empty.

Economies of scale can be found similarly by integrating the other security cornerstones.

Ross Johnson is director of security and contingency planning at EPCOR
Utilities, formerly Edmonton Power.  EPCOR uses C-CURE 800 to tie
together and centralize its security management in facilities and
remote locations in Alberta, and the system is tied to the
organization’s CCTV system.
But, more than technology, Ross attributes success to a more human sort
of integration.

By looking first at the concerns of other groups at EPCOR, Ross has
been able to tie security to aspects of safety and supply chain in
order to promote greater compliance from employees.
For example, when Johnson joined the utility company three years ago,
the organization was facing a problem with copper theft at its
construction sites. Instead of viewing this as simply the security
problem of theft, it was viewed from the perspective of the workers and
the danger of unprotected electrical wires. A traditional security
dilemma viewed through the workplace safety lens.

“Remember, we make and distribute lightning,” he said of the potential
dangers.
He worked closely with the safety group to create procedures to reduce
the amount of exposed, visible copper on site. Workers quickly embraced
a policy that had their well being in mind, and theft has since become
almost nonexistent.

“Policies are only as strong as the willingness of the individuals in
an organization to follow them,” he says of collaborating with groups
and individuals in the organization.

Johnson finds inspiration for this
approach from the’60s western The Man Who Shot Liberty Valance.
“There’s a scene in which Jimmy Stewart is talking about laws and says:
”˜laws have to fit a man comfortably like a good suit.’ The way I see
it, security policies have to be the same way.”

David Hyde, director of Security Services for Cadillac Fairview agrees with the crucial roles presented by Johnson Controls
to the management of events, identities, buildings and compliance—and
their integration—but he says to be successful one has to look deeper and
earlier in the business cycle.

“Before I start to integrate these systems I need to look at a few
things. I need to look at what’s the purpose of this security system.
To me that is the absolutely fundamental step. I would suggest that
most or many of the organizations looking to purchase a security system
either don’t really have a good idea of what it’s going to achieve, or
don’t even know what they want to achieve.”

He says that too often security professionals slavishly apply old
security models and default to deploying whatever is the newest in an
effort to “keep up with the Joneses.”
Hyde echoes Martin in saying that business needs have to be
investigated and addressed first and foremost in this economy. This
also leads to a stronger posture when meeting the challenge of bringing
together the disparate groups who are involved in an integration of
security, facilities and IT.

He agrees that integration of different
security and facilities management systems is becoming more prevalent,
but says it can be “bloody hard” to get groups to forget their
protectionist ways.
The closer a security manager or director focuses on aligning event
management, identity management, compliance management and facilities
with actual business needs and results, the better job he or she will
have of corralling the disparate groups, Hyde suggests.

“The integration is coming,” stresses Gene McLean, principal of McLean
Security Advisory & Associates Inc. and board director with AFI
International. “There’s more and more talk about it, and more and more
people in organizations getting involved. A lot of it is coming from
the top, being driven by the executive, because of budget issues.”

McLean says that important decisions about the direction and
integration of security are being dictated to security professionals
rather than developed by them because they fear the obsolescing of
their jobs.
McLean says security professionals cannot simply look at the techniques
in managing event, identity, facilities and compliance as they
traditionally would; they must look for innovative ways to use security
to create business efficiencies. Only then will their jobs actually be
safe and will they elevate the recognition for, and reputation of,
security in their organizations.

EPCOR’s Johnson agrees and cites an example in which he has used
identity and building security to ensure store room inventory is kept
proficiently maintained. Although typically security might only be
involved in loss prevention, Johnson says in many cases inventory
control issues are a matter of professionals using product for their
jobs, and simply not properly signing it out.

Through use of CCTV and
by using card readers in the sign out process, EPCOR can make the
inventory release process more convenient and ensure crucial inventory
is on hand when needed.
Meanwhile, he’s able to show tangible results for the work the security
department is performing”“as more than muscle preventing theft and loss.

“We are not the sheriff’s department and the last thing any security
department wants to be in this day and age is be considered the
sheriff’s department”