Security Magazine’s Publisher Mark McCourt, earlier this year, talked with some thoughtful industry leaders on what “convergence” means now and the role of the Open Security Exchange (OSE) in an ever-changing security world.
Joining Security Magazine at the roundtable:
- Gregg LaRoche, director of product marketing at Imprivata
- Peter Boriskin, director of product marketing at Tyco Fire & Security
- Gary Klinefelter, chairman, Open Security Exchange
- Arthur Bourque, president, Surveillance Specialties, Inc.
One of the ways of which it is starting to flower is because people are starting to resonate with the idea organizationally -- that top-down approach, how to get (the various parts) of an organization to work together. When you have the capabilities to solve business problems through security infrastructure, that is a whole new opportunity. For example, (end-users) see the opportunity and have the interest in a retail store that already has cameras to add video analytics, data mining and access control information. The possibility was always there but they were not focused on mitigating business issues with the security system. Now they are.
In the past we talked about technological convergence. Now we are focusing on organizational convergence. The key topics are business issues such as how to get organizations to work together, solving business problems and mitigating enterprise risk and business issues through security strategy
Arthur:
Convergence was talked about three to four years ago but now the security industry cannot hold it off any longer. There is too much demand for enterprise level value and change and too much competition for the traditional vendors to not take action.
From an integrator’s standpoint, everyone was saying, “It’s not the time.” But all of a sudden it is the time and if you’re not on board you’re going to be left behind.
Some of the change has been driven by acquisitions by companies including GE, Tyco and Honeywell. There is an understanding that suppliers have to partner or they will fall behind. In a way the VoIP (voice over IP) phone created the first wave of change and security was left as the last department not integrated into the enterprise.
What are the drivers to “why now” there is a development towards organizational best practices that include security and cut across the enterprise. Audit and controls demand that best practices cut across and include security so that one set of rules applies and that information can be leveraged enterprise-wide.
So we see security drivers (risk mitigation), regulatory drivers and technology readiness are all converging, if you will
Gary:
For the last six months we have seen a move toward compliance, asset protection, R2 (SAP’s enterprise software) integration and cost control initiatives to increase productivity and deliver shareholder value. As more applications move to the network, the risk for asset protection increases on an exposed network. These risks and realities are why this is happening now.
Security: What regulatory drivers and business goals are enterprises trying to address and achieve by converging physical and logical security?
Peter:
There are many drivers in the U.S. and others outside the U.S. Many are regulations that require top down management and enterprise security strategy and implementation as a result. And there are industry specific regulations such as HIPAA, SOX and Gramm Leach Bliley that require specific risk mitigation and action. The regulations distill down to a forensic detail and controls, observable and manageable controls and physical security (of computer cabinets, as one example). The regulations tend to force the security and technology policies to be followed.
Arthur:
We were blown away (about) the additional work for publicly traded companies due to SOX. The next logical steps -- continuing the audit trails and asset tracking requirements once the rules are in place. 9/11 and Enron have created new regulations, but at the same time, 9/11 brought a lot of new companies into the security market and new technologies followed as well as new bodies such as the Open Security Exchange. New APIs being opened between providers for interoperability are a response to the new regulatory landscape.
Gregg:
Regulatory pressure and budget concerns also play a role. Especially in vertical-regulated markets, the budgets were being set aside in response to the regulatory pressure. We saw that first in authentication management and then in password management and enterprise single sign on. All the things enterprises tried to do to get better control of user identity and access. I think we’ll see the same regulated verticals adopt convergent technologies for the same reasons they adopted single sign on.
For example, authentication and password management have become very expensive. Either the user cannot get access, which is expensive downtime or the help desk is resetting passwords and authenticating identities, which is also costly. Organizations in regulated vertical industries have to adopt solutions for budget as well as compliance reasons. As a vendor we are very sensitive to that and to helping enterprises solve those problems.
One area we haven’t mentioned is HSPD-12. Interesting because the standards are good but the transition is not well thought out. This is one area where the OSE is working to address these challenges. Another area is retail where there are concerns about legislation over privacy within transactions. So retailers and companies like Visa have to think about convergence in terms of privacy. The information can reside on the store’s system and create risk.
Security: How might a security executive begin thinking about convergence?
Peter:
The person leading security is changing and when you look at where that person needs to be focused, it is on creating a strong value proposition. When thinking about convergence you need to balance value and cost. For example, what does it cost each year to reset a lost password? $30? What if you could eliminate that $30 and improve operational efficiency? If the security leader can create the value proposition that this is the real cost today and something that the organization can mitigate to reduce a cost and risk, then you have a solution that positively impacts the business.
Arthur:
There is a significant change specific to how security managers are hired. The days of former law enforcement professionals are over unless they have a very technical skill set. The role will require more technical knowledge as the role becomes more complex. They will either hire a strong technical person in their department or learn those skills.
As IT becomes more significant in the solutions implemented, then the key role of the security executive will be organizational alignment and business skills.
Gregg:
In time of rapid change, the best advice is “keep it simple” and solve problems. Have a clear scope for the project to solve a specific result and measure the value. Technology can help. Avoid those “boil the ocean” projects.
Gary:
Talk to IT, build a relationship with clear roles and agree on a plan. In verticals, where they have very rigid compliance issues such as banks, this is a requirement because the plan must be in writing, executed, audited and adhered to. So both executives are accountable and they need to work together. Security professionals new to the leadership role may find this challenging but it is key for success.
Security: What personnel and policy issues must be addressed in the convergence process?
Peter:
The challenging question is whether you should do a certain thing just because you can. There are hidden pitfalls to converging data or allowing universal access. You have to ask, “What is the worst thing that can happen?” On the policy and personnel side for example, biometrics solutions can lead to privacy concerns such as “where can that data go?” You have to constantly ask, “What are you storing and why?”
Arthur:
The questions that must be asked are similar at each integration project:
- Who will set the policies?
- Who has privileges?
Gregg:
Privacy, when it meets technology, requires controls and processes, storage polices that protect personnel and address privacy issues. Technology allows us to create and implement these rules as part of the solution.
Gary:
Before you look at IT, you need to review the personnel and procedures from a top-down perspective. Strategy- tactics-operations. All of the rules should flow from there and the technology solution can be created to mirror those rules.
Security: What are customers really asking for when they bring up convergence?
Peter:
I rarely hear the word convergence, but when customers describe the changes they need to make, they tend to describe a converged system. They are usually trying to deal with many issues, address physical security while embarking on an IT effort. They want a unified system at the enterprise level and that is a challenge for any organization.
Arthur:
We find in most cases our customers go where we take them.
The word before convergence was integration. It always amazes me how many of our customers have systems that can be integrated but don’t integrate for whatever reason. They don’t care; they don’t want to integrate them. But when they bought it, the big selling feature was that it could be integrated and they wanted assurances it could be done. I think converged systems will go the same route. While customers want a converged system so they can, for example, connect physical and logical access, they may not do so. No one is asking for converged systems by name because no one knows if they exist yet.
Education will go a long way to discuss solutions that are converged.
Gregg:
What we are hearing from customers is a very focused view on convergence in terms of technology. We are looking for customers that are coming forward and saying: I want to close the security gap between our building access and our IT access or I want better reporting or that when we revoke someone’s credentials to the building we are also revoking all IT access. That is how they articulate their needs without saying convergence or reinventing the wheel. They want to improve without change and without deploying new technology enterprise-wide.
Gary:
The Open Security Exchange is providing business-modeling tools so that convergence leads to interoperable systems. While they are working to solve immediate security risks they need a long-term plan that provides scalability and flexibility.