In 2006, 3500 non-government corporations in North America, Europe, Asia and the Pacific Rim spent more than ¢æ3 billion collectively on projects requiring the cooperation of physical security and Information Technology (IT). (Source: 4A International (www.4ai.com), 2005)
Heading a research team at one of the great think-tanks is a privilege few get to experience. While heading Forrester¡¯s, and now 4A International¡¯s, security research groups, I have been privy to thousands of conversations with security professionals and individuals working for manufacturers, service providers, consulting firms, and industry associations. From those interactions, my teams and I have gleaned stories of the best (and worst!) ways of doing just about everything in security.
Yet it wasn¡¯t until 2004 that I understood the magnitude of the change uprooting hundreds of years of tradition in security: in five years, the systems on which nearly all physical security deployments will rely will be software applications written by Information Technology (IT) companies.
That places the IT industry in a position to influence and even replace giant sectors of the security industry. For example, imagine a company like Hewlett-Packard. With its state of the art software development; highly efficient hardware manufacturing of cameras, panels, printers, and computing equipment; a global distribution channel that is second-to-none; and relationships with executives in every major corporation in the world -- the day HP decides to get into the security business, it¡¯s game-over for Tyco, Lenel, and a hundred other suppliers.
Intel, Oracle, Microsoft, Cisco, EMC and many other IT giants are setting their sights on the ¢æ120 billion security industry.
WHAT CREATED THIS MONSTER?
Twenty years ago, access control and video surveillance was a much simpler business. There was no IT security department in your organization -- and even if there were, it was relegated to the dark corners of the basement or data center. Similarly, corporate security was the last office at the end of the darkest corridor. Security personnel oversaw the installation and maintenance of alarm panels, door controls, fencing, lighting, cameras and kilometers of coaxial cable. Countless hours registering employees for ID badges, the occasional report on executive protection, a few crime investigations filled out the rest of the day.
By the mid 1990¡¯s the IT security hobbyists working on mainframe computers had made enough noise about viruses and hackers that business managers finally authorized a budget for data security. ¡±Here¡¯s some money to keep bad things from happen -- as long as you don¡¯t tell what you are doing! I don¡¯t want to know about security,¡± they would say.
The years went on, with security professionals dreaming up every bad thing that could possibly happen, then devising ways to mitigate them -- all the while complaining that the executives don¡¯t pay enough attention to security.
In 2000 the economy tightened up and for the first time corporate and IT security directors were brought out of the shadows and into the light -- but it wasn¡¯t the limelight of the stage. It was the interrogator¡¯s lamp. For the first time, security experts were asked to describe protection efforts in terms of Return on Investment (ROI), and cost-benefit analysis.
Needless to say, 2000 and 2001 saw the highest number of firings of security managers in recent years as access control and guard professionals failed to articulate the value of security in terms that executives could appreciate.
It got worse after 9-11 when hundreds of CEOs called in the heads of IT security and corporate security for a briefing, only to discover that the two chaps had never met one another.
Security received lots of attention after September 2001 when hundreds of millions of dollars were spent on security-related stocks and knee-jerk corporate defenses.
Then another shoe dropped. Enron. WorldCom. Sarbanes-Oxley. Basel II Capital Accords. EU data protection directives. Suddenly, risk management was the new bon mot of the executive suite. Security plays a role -- to be sure -- in corporate risk management, but it is a role subservient to investment risk, brand risk, credit risk, and the myriad other forms of risk management.
Chief Security Officers -- sometimes hired, sometimes self-proclaimed -- attempted to rise to the risk management challenge, but failed to gain more influence than a certain previously unknown influencer in the executive suite: the chief information officer.
The CIO had, for the previous ten years, steadily grown in status and influence across all sectors of the corporation. It is the information technology professionals who did the best job of translating the importance of technology to business value. Physical security professionals have still not learned that language. As a result, the IT professional is the ¡±Go to¡± guy for technical risk mitigation.
WHO TAKES MOST OF THE BLAME?
Among technology companies the trend is similar. Manufacturers of physical access control, surveillance equipment, alarms and door controls rush to upgrade from proprietary, non-standard, and downright primitive designs to modern, standards-based, network-connected solutions. The old boys club of security vendors is being ripped apart by the younger, faster IT champions.
The switch from the old to the new is not an easy one, however, with most physical security technology companies finding themselves very short on IT savvy.
That leads us to three different types of security convergence with IT occurring suddenly and globally:
-Security companies are adopting IT hardware, software, processes, and protocols.
-Physical security vendors are partnering with IT security companies to create complementary solutions.
-And corporate security departments are doing projects alongside, or outright merging with, IT security departments.
The first is the most pervasive. Physical security manufacturers and service providers are actively forming alliances with IT software and hardware companies like Microsoft for its Active Directory servers and .NET developers language, Cisco for IT networking products, and the storage company, EMC, for a variety of solutions for video and event archiving.
The convergence of physical security with IT is driving the physical security industry toward greater reliance on IT software and Internet communication protocols, and standards generally, but it is also spinning off two parallel trends.
TWIN STEP-CHILDREN OF CONVERGENCE
IT security vendors are already ¡±Plugged in¡± to activities related to compliance to regulations and make a natural partner for physical security. The IT security team is commonly brought in for projects related to identity management, one-card access management, and security event management. Sometimes the IT security department calls on the expertise of corporate security when deploying biometrics, door controls or surveillance for sensitive IT areas like the data center.
The other offshoot is the trend around merging physical and IT security groups and forming a single security organization, usually headed by a Chief Security Officer. There are loads of troubles in store for any organization attempting to bring these two very distinct groups together, but if successful, an organization can reap potentially millions of euros of benefits.
Some of the benefits of merging IT security and physical security in a company include reduced operational costs, streamlined processes and administration, lowered risk, and perhaps most importantly, improved agility -- that is, the ability to respond more quickly to changing needs of business units, corporate mergers, etc.
It is important to note that reducing operational costs does not necessarily mean reducing headcount. Plenty of money may be saved by converging the hardware, software and systems supporting visitor management, physical access control, logical access control, physical incident management, data security event management, business continuity, backup, disaster response, command centers, cabling, and trouble tickets.
THE SOFT SIDE OF CONVERGENCE IS HARDEST
However, the challenges are significant. The obvious first hurdle is the cultural difference between the two groups. 4A research shows that corporate security personnel are by-and-large inexperienced with computers and networking technology, and are not inclined to learn computing skills independently. Conversely, IT personnel are highly inclined to learn new technology skills. That basic difference leads to some measurable fear and suspicion on the part of the physical security professional, while IT professionals look at physical security staff as backward and simple-minded.
Companies that have had success merging the groups highlighted the special skills, professionalism and talents of each. For example, physical security professionals excel at designing ID cards, positioning surveillance cameras, documenting crimes, interrogating crime suspects, protecting personnel, maintaining alarms and door controls, and executive protection -- all skills quite foreign to the IT professional.
Overcoming the cultural hurdle will pave the way for effective cooperation between the two groups and permit managers to solve an even bigger problem: salaries.
The average IT Security director makes 50% to 100% more annual compensation that their corporate security counterparts. The discrepancy is even greater among subordinate personnel. IT security project managers or domain experts can make 200% to 300% more than senior security officers or command center personnel. How can one individual with 30 years experience in security work alongside a kid fresh from university making three times his salary?
In light of the cultural and financial divergence, companies should carefully consider expert advice when attempting to converge the security departments in order to avoid costly and embarrassing failures.
AND THE WINNER IS...
The industry discussions detailing the pros and cons of converging security groups bring out one more possible future scenario. It seems very likely that physical security professionals will become more specialized, and IT security personnel will become more process and compliance oriented. In other words, neither group will ¡±Win¡± the battle for security leadership.
We are seeing that happen already in IT. Antivirus management is no longer controlled by the IT security team. IT has been shipped down to desktop operations. The same holds for firewall and intrusion detection management, now held by the network operations group. The IT security department spends its time, more and more, focused on policy management and compliance to regulations.
SKEPTICAL BUT INTERESTED
All of this activity in embracing standards, complying with regulations, cutting costs, improving efficiency, and converging security teams has had one special and welcome effect: It has grabbed the attention of senior executives.
Security is high on the radar of executives. That means more scrutiny, but also more spending.
SPENDING FOCUS
4A International research shows that major spending in security may be grouped into a few general categories: identity management, security event management & IP surveillance, and services.
Identity management is the category of technologies and processes that manage identities of people and their respective privileges to corporate assets. Sounds simple enough, although the physical security industry and IT historically perform this privilege management quite independently. In physical security, the corporate security office registers new employees and distributes ID badges, keys and key cards. In IT, new employees are granted ¡±Keys¡± such as passwords to networks, computers and applications. And while the two systems sound similar, the two groups have found very different ways of doing it.
IT departments commonly centralize all identities and privileges in special computer software called a directory. The central repository saves a company thousands of euros -- sometimes millions -- by allowing all identity and access systems related to the computer network to share information. Employees are added to the system more quickly; privileges are modified easily; and individuals may be removed from all systems instantly.
That sort of streamlined data sharing is not common at all in physical security. To get anywhere close to the same functionality, companies have to settle on proprietary products from a single manufacturer like Tyco or GE. Most companies tend to think of such restrictions as heavy handed and undesirable.
Purchasing trends and budgets at hundreds of companies indicate that the end is near for proprietary identity and access management systems. Instead, companies are looking to buy -- or sometimes building by themselves -- identity management architectures that combine privilege management of logical and physical assets.
TWO GROUPS WORK TOGETHER
One chief financial officer told 4A that in one month he received two purchase order requests that he could not approve. One came from the security department for an ¢æ1 million upgrade to the access control infrastructure to manage people and their privileges to corporate assets. Then he received a request for a ¢æ1 million ¡±Identity management¡± solution from the IT department. It too was designed to manage people and their privileges to corporate assets. One system managed physical privileges and the other data, but that subtle difference was lost on the CFO who declared the expense redundant, demanding that the two groups work together to save costs.
Bringing the two solutions together into one is complex, but quite achievable. One large pharmaceutical company in Europe assembled a prototype solution that was later adopted by one of Europe¡¯s largest systems integrators. The company started with a new ID badge incorporating a standard employee photo, an embedded smart card chip, and radio frequency technology compliant with the existing electronic door controls. Card management software encoded the cards, and provisioning software managed all of the approvals by all of the system owners and managers.
WHAT¡¯s HAPPENING?
One story commonly shared among integrators is of the customer who heard ten different vendors pitching their respective surveillance, alarm, and business continuity systems only to proclaim in frustration, ¡±I don¡¯t care about cameras! I just want to know if there¡¯ anything I should worry about!¡±
What¡¯s happening, how important it is, and whether it changes the company¡¯s risk profile are the basic questions on the minds of every executive considering event management technologies such as cameras, digital video recorders, video analytics, or alarms.
Corporate security and IT fail to solve problems and create unnecessary costs related to event management from the point of view of executives. Both groups deploy systems to watch for malicious or anomalous behavior, trigger alarms, and launch responses and repairs. Both rely on a combination of people, processes, sensors and software to aggregate, correlate, and report on incidents. So why can¡¯t the two systems become one?
The answer is, they can. In fact software is available off-the-shelf today that would streamline response management for all incidents -- logical or physical. But until the two groups of security professionals learn to work together, the company will suffer from continued inefficiency and shirked responsibility.
Today, several major physical security manufacturers are forming relationships with software companies, search engines, and communications providers to produce next generation consolidated event management and response systems.
SECURITY IS NOT THE POINT
Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business.
If you know your facilities need more security, tell your managers how it will help them measure or achieve compliance to regulations like Sarbanes-Oxley: you audit employee behavior, or lock up financial systems, or shred financial documents, or do background checks, or secure backup tapes. For any business problem, you should be prepared to help your management identify the ways that the authentication, authorization, administration or audit solutions you¡¯re proposing will solve their problem, or help customers make the gains they hope for.
Remember, it is not our job to secure the building. It¡¯s our job to secure the business.
