Security's new unified command

Physical security and information technology security exist as separate worlds at most government agencies. The physical side employs guards and concerns itself with protecting facilities and people, while the IT side employs technical specialists and focuses on securing networks and computer systems. The two spheres involve distinct reporting hierarchies and maintain separate budgets. Their orbits have seldom intersected.

However, that pattern of segregated security has begun to change. Spurred in part by recent technical developments, some agencies have concluded that physical and IT security missions have the same objective: Keep the bad guys out while letting the good guys in with minimal hindrance. “A physical threat to a building is not a whole lot different from a cyberthreat to our network,” said Elayne Starkey, Delaware’s chief security officer (CSO).

That realization has led some government entities to combine their security efforts. A year ago, Delaware brought its physical security, disaster recovery, continuity-of-operations and information security programs together under the authority of the CSO’s office. Other agencies have launched task forces to oversee all aspects of security.

Government and industry executives see a number of benefits to pulling security together, a strategy referred to as security convergence or enterprise risk management. In their view, a holistic take on security can eliminate gaps that might otherwise occur among different layers of security. Proponents also view converged security as more efficient and cost-effective.

Technology helps make security convergence possible, and in some cases, it drives the process. For instance, the adoption of IP-based security cameras makes video surveillance an IT function and a physical security tool. Smart cards — particularly those required under Homeland Security Presidential Directive 12 (HSPD-12) — have also emerged as an important intersection of physical and IT security.

Because security convergence is a relatively new area, no tried-and-true approach exists for agencies that wish to better coordinate their physical and IT security.

“There isn’t a well-developed model for how this should be done,” said Jonathan Gossels, president and chief executive officer of SystemExperts, which provides security consulting services. “It’s evolving.”

One approach puts all aspects of security under the authority of a single executive, typically a CSO. Creating such a position is a new strategy for most government agencies, Starkey said. CSOs are more common in the commercial sector.

“The creation of a C-level individual — a CSO — is how most of the commercial industry deals with that [convergence] issue,” said Bruce Brody, vice president of information assurance at CACI International.

Delaware officials have found that converged security helps them avoid duplication of efforts. A single program manager oversees all of the state’s security projects, which are funded through a unified budget. “It’s all combined,” Starkey said. “It just makes the funding of the project and the overall management of the project life cycle much easier for us.”

The state has also consolidated its efforts to prevent, respond to and recover from security incidents under an all-hazards approach, she said. Rather than maintain threat-specific plans for disaster recovery and continuity of operations, officials employ a standard risk-mitigation strategy.

Other agencies form committees to coordinate the various aspects of security. Officials at the National Science Foundation took that approach.

Instead of combining all elements of security under a single office, NSF established a Security and Privacy Working Group. In addition to IT security specialists, the group includes the director of NSF’s Administrative Services Division, who handles physical security, and a representative from human resources, who is responsible for conducting background checks on applicants for sensitive positions.

The group meets monthly to discuss, create and test policies and procedures for NSF’s security and privacy programs, said George Strawn, NSF’s chief information officer. By meeting as a team, the security disciplines keep one another apprised of their activities. That communication is important given the increasing interdependence of security fields.

Strawn said HSPD-12 is a good example of that convergence. It calls for federal agencies to adopt a common identity credential for physical access to facilities and IT resources.

NSF’s Administrative Services Division is tackling the physical security aspects of the smart-card initiative, and its representatives on the working group are keeping their IT security counterparts informed of their progress because the second phase of the program will involve them.

The Social Security Administration has also taken the working-group approach to coordinating physical and IT security. “Social Security manages the convergence of physical security and IT through inter-component workgroups with staff from the offices of Physical Security, IT Security and the Chief Information Officer,” an SSA spokeswoman said.

The workgroups serve as SSA’s preferred method for managing complex projects that span multiple security disciplines, the spokeswoman said.

Numerous advantages

Agencies stand to benefit in many ways from taking an all-encompassing approach to security. For example, Brody said, an enterprisewide perspective could help organizations uncover vulnerabilities they would otherwise miss.

An organization could manage vulnerabilities for each of its stand-alone security systems while overlooking a weakness at the point where those security layers intersect, said Brody, who held information security roles at the departments of Energy and Veterans Affairs before joining the private sector.

“Quite frankly, if I’m the agency head of security, I would be kind of concerned if those [vulnerability assessments] are being done separately and not being done holistically,” he said.

Security convergence can also help agencies meet the demands of HSPD-12 and its technical underpinning, Federal Information Processing Standard 201. “This is an area where we see the need for a cross-departmental approach,” said John Sabo, director of global government relations at CA. He is also president of the IT Information Sharing and Analysis Center, a nonprofit organization of leading IT companies focused on the trusted exchange of information about cyber incidents, and a member of the Homeland Security Department’s Data Privacy and Integrity Advisory Committee.

Sabo said that in addition to physical security and human resources representatives, an organization’s chief information security officer and chief privacy officer should be involved in FIPS-201 efforts.

Sal D’Agostino, executive vice president of CoreStreet, said the Defense Department has made the most progress in deploying smart cards, but other agencies are getting the cards into the hands of employees. CoreStreet makes software for smart credentialing programs.

Laurie Aaron, director of strategic sales at Quantum Secure and vice chairwoman of the Open Security Exchange’s board of directors, said the desire to increase security and the need to comply with regulatory mandates are the primary business drivers behind convergence. The exchange promotes the interoperability of physical security with IT security and more broadly with IT in general.

She also listed reduced operating costs and enhanced business continuity as key reasons that organizations adopt security convergence. Potential savings stem, in part, from running physical security applications on an organization’s existing IT backbone rather than a parallel infrastructure. For example, video surveillance traditionally operated outside the IT realm on closed-circuit TV systems. But IP-based and digital cameras now let agencies take advantage of existing IT resources, such as data-storage equipment.

Tony Lapolito, vice president of marketing at VidSys, likens today’s situation to the rise of voice-over-IP technology for mainstream telephone services. VidSys markets information management solutions that tie physical and logical systems into a unified system.

“The business case that was made for VOIP was based around efficiencies on the network,” he said. “I think you are seeing the same exact desire within the physical security world.”

Adding physical security to the IT infrastructure will result in cost savings and productivity gains, Lapolito added.

Obstacles to convergence

Security convergence raises many organizational and cultural questions. Starkey said it was a challenge to bring together security units previously housed in separate state organizations and get employees to understand that they were now all on the same team.

Organizations must be aware of the potential culture clash between the physical and IT security fields, said Paul Kocher, president and chief scientist at Cryptography Research, a security consulting firm. “The first thing that an organization has to do is make sure that the people in each group don’t view each other as a threat,” he said. “You can’t start out with an antagonistic relationship, with each [group] trying to preserve turf or gain ground.”

If an organization has a CSO, he or she must maintain a good relationship with both sets of people, Kocher added.

Organizations without a CSO should at least maintain an open dialogue among security players. That is true for both agencies and government contractors. Tim McKnight, vice president of information security at Northrop Grumman, said he talks once or twice a day with his physical security counterpart, the vice president of industrial security. Northrop Grumman also has a security council that includes McKnight, the industrial security vice president and the physical security executives from the company’s four business sectors.

Obstacles to convergence also exist on the technical side. One issue is integrating the systems that protect buildings with the systems that protect IT resources. In general, most access-control vendors now provide application program interfaces, so integration is possible, said David Ting, founder and chief technology officer at Imprivata, which offers authentication and access-management appliances.

But he added that none of the APIs are standardized. “It’s a mixture of proprietary APIs, database connectivity or the more modern Web services-based solutions,” he said. He added that Web services and the Open Security Exchange’s pursuit of standardized interfaces are positive developments.

Better integration of physical and network-access programs will facilitate the development of smart-card systems that span both types of security, which is the goal of HSPD-12. Such coordination could enable new capabilities. For example, a system could deny network access to a user when he or she is not inside a government building, as indicated by his or her smart card not having been swiped at the building’s entrance.

In addition to product vendors, service providers, such as the recently launched Sentrillion, also aim to help customers tackle the challenge of integrating physical and IT security. “The driving influence is HSPD-12,” said Jack Larmer, Sentrillion’s CEO.

Add improved security and efficiency to the mix, and agencies have ample incentive to combine physical and IT security.
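The capability described above (denying or flagging a network logon when the user's smart card has not been swiped at the building entrance) is essentially a correlation of two event feeds. The following is an added example, written for this page and not code from the article, from any agency or from any vendor it names. It assumes a hypothetical badge-reader feed and a hypothetical network-logon feed, both built here as constructed sample records; the field names (`ts`, `user`, `door`, `action`, `host`, `result`) and the five-minute grace window are assumptions. It shows the decision logic a policy point or SIEM correlation rule would apply: build per-user presence windows from IN/OUT swipes, then allow a logon only when it falls inside such a window.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). In practice the badge feed would
# come from the access-control system's API and the logons from the directory
# or VPN concentrator; the article notes such APIs are vendor-specific.
BADGE_EVENTS = [
    {"ts": "2024-05-01T08:02:00", "user": "alice", "door": "main-entrance", "action": "IN"},
    {"ts": "2024-05-01T12:30:00", "user": "alice", "door": "main-entrance", "action": "OUT"},
    {"ts": "2024-05-01T08:10:00", "user": "bob", "door": "main-entrance", "action": "IN"},
]
LOGON_EVENTS = [
    {"ts": "2024-05-01T08:05:00", "user": "alice", "host": "ws-101", "result": "success"},
    {"ts": "2024-05-01T13:00:00", "user": "alice", "host": "ws-101", "result": "success"},  # after badge-out
    {"ts": "2024-05-01T09:00:00", "user": "carol", "host": "ws-205", "result": "success"},  # never badged in
    {"ts": "2024-05-01T09:30:00", "user": "bob", "host": "ws-117", "result": "success"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_presence(badge_events):
    """Turn IN/OUT swipes into per-user presence intervals (entered, left).

    An IN with no later OUT yields an open interval (left is None), which is
    the common case for someone still in the building.
    """
    intervals: dict[str, list[tuple[datetime, datetime | None]]] = {}
    open_entry: dict[str, datetime] = {}
    for ev in sorted(badge_events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        user, ts = ev["user"], _parse(ev["ts"])
        if ev["action"] == "IN":
            open_entry[user] = ts            # a second IN simply restarts the window
        elif ev["action"] == "OUT" and user in open_entry:
            intervals.setdefault(user, []).append((open_entry.pop(user), ts))
    for user, entered in open_entry.items():
        intervals.setdefault(user, []).append((entered, None))
    return intervals


def is_present(intervals, user: str, ts: datetime, grace: timedelta = timedelta(0)) -> bool:
    """True if ts falls inside one of the user's presence windows.

    `grace` extends each window past the OUT swipe so that a logon racing a
    badge-out (or a reader that reports late) is not denied spuriously.
    """
    for entered, left in intervals.get(user, []):
        if entered <= ts and (left is None or ts < left + grace):
            return True
    return False


def evaluate_logons(logon_events, badge_events, grace: timedelta = timedelta(minutes=5)):
    """Annotate each logon with an allow/deny decision and a reason string."""
    intervals = build_presence(badge_events)
    decisions = []
    for ev in logon_events:
        ts = _parse(ev["ts"])
        if is_present(intervals, ev["user"], ts, grace):
            decisions.append({**ev, "decision": "allow", "reason": "badge-in on record"})
        elif ev["user"] not in intervals:
            decisions.append({**ev, "decision": "deny", "reason": "no badge-in on record"})
        else:
            decisions.append({**ev, "decision": "deny", "reason": "outside badge-in window"})
    return decisions


if __name__ == "__main__":
    for d in evaluate_logons(LOGON_EVENTS, BADGE_EVENTS):
        print(f"{d['ts']} {d['user']:6} {d['host']:7} {d['decision']:5} ({d['reason']})")
```

Two design points matter more than the code. First, the rule needs a scope: users on an approved remote or VPN path have no badge swipe and must be exempted, or the feed becomes a denial-of-service against legitimate work. Second, decide what happens when the badge feed is unavailable; failing closed is safer for a classified enclave, while failing open with an alert is usually the right choice for an ordinary office, and either way the deny records should flow to the SIEM so that a logon without a matching badge-in is investigated as a possible credential misuse rather than silently dropped.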
EDS offers convergence advice

When EDS officials reconsidered their approach to risk management a few years ago, they concluded that pulling the various security components into one organization was the way to go.

The company’s Chief Security and Privacy Office houses information technology security, physical security, business continuity and privacy, along with other functions. Dave Morrow has been EDS’ chief security and privacy officer since 2005. He reports to the company’s vice president of enterprise risk management. He said convergence allows the company to “examine risk from all kinds of different angles.”

A consolidated view of security and privacy also helps EDS address the concerns of regulators and auditors, whose questions can encompass many facets of security.

Based on EDS’ experience, Morrow offers the following advice:
  • Enterprises moving toward converged security should build consensus around a common high-level goal. “It’s not thinking about just physical security or just IT security,” Morrow said. “It’s thinking about protecting the business and enabling the business.”
  • People who manage converged groups should encourage their colleagues to think beyond their own security areas. The goal is to have specialists become good generalists in security, Morrow said. “You can’t be afraid to get people out of their comfort zone,” he said.
— John Moore
Does FISMA stymie convergence?

The federal government has inadvertently made it difficult for agencies to integrate information security and physical security, said Bruce Brody, vice president of information assurance at CACI International.

A former federal information security officer, Brody said the Federal Information Security Management Act conflicts with security convergence.

FISMA calls for federal chief information officers to appoint a senior information security officer to carry out the law’s security mandates. That stipulation is problematic for consolidating physical and information technology security, Brody said.

By reporting to the CIO, the information security officer will face a “balancing act that subordinates security to the other priorities the CIO is dealing with,” Brody said.

He said managing a converged security organization is a task better suited to a chief security officer, a position he called equal in stature to a CIO.

— John Moore


Convergence considerations

If you’re thinking about consolidating your organization’s security programs, keep the following factors in mind.

Organizational structure.
Consider your risk management needs and then weigh your options, which include forming a multidisciplinary working group or designating a chief security officer who will oversee physical and logical security.

Culture.
Remember that team members won’t be accustomed to working with colleagues in other security disciplines. A converged security organization must change employees’ mind-set to focus on a common goal rather than on objectives tied to narrow specializations.

Technology.
Recognize that security systems can be as isolated as the fiefdoms that operate them. Therefore, your organization must develop a plan for integrating the various systems.

— John Moore