After receiving the funding to develop several security projects to update or replace systems and components, including upgrading more than 3,000 cameras to IP, across more than 100 facilities that Security Director Kirk Simmons is responsible for securing in Hennepin County, MN, Simmons and his team found themselves in a predicament: navigating the county’s IT department processes for project development, as most systems depend on the IT network and servers for which the Hennepin County IT team has responsibility.
With video surveillance increasingly IP enabled – IMS Research estimates that about 22 billion devices overall will be internet-connected by 2020 – it’s really just a matter of time before most companies consider convergence. But before any enterprise can realize the potential gains – like cost savings and efficiency – it must sort out any power struggles and turf wars that likely can result between the physical security and IT departments. Because the modern design of IP networks means that they can encompass business critical system alongside security video and other security systems that enable physical access to a building.
Doug Button, CPP, Simmons’ physical security specialist at Hennepin County, who is spearheading the security projects, says: “IT tries to take over project control even though it isn’t necessarily all IT related. It’s a blurred line of sorts. I’m comfortable working with the IT department, and we need them to help keep our security systems operating. But at some point there needs to be a division of what IT should be able to access. They don’t really want to patrol buildings and monitor security cameras for us; that’s part of our job.”
So, Simmons and Button are working to find, develop and implement legitimate divisions of power by understanding viewpoints, communicating needs and wants and good old-fashioned communication.
“There’s no right answer. Each enterprise has to spend time to figure it out,” adds Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, which is a research think tank dedicated to advancing privacy, data protection and information security practices.
He notes: “The security industry has changed quite a bit, especially with emergence of the CSO, who believes that he/she owns all security, including IT security. It’s difficult for a CSO who has a law enforcement and intelligence background to not feel like they don't have control.
“And IT creates a level of complexity. In general, we in the physical security community are very territorial, and we have turf issues. We want to do our job, be stealthy and not be too public, and we don’t want other departments interfering with our work. But the turf issue between IT and traditional security can be overcome through leadership in the enterprise to hold people accountable for sharing. It’s very hard to do. Organizations make the mistake of changing the organization chart, but power struggles will still exist. Leadership needs to get involved and have very frank discussions.”
Greg Kushto, Director of the Security Practice at Force 3, has been in IT for 15 years in roles in large banks, healthcare and the federal government. “Convergence depends on your industry, but the smaller your enterprise, the faster it happens. But convergence makes sense because it can save so much money having one network that handles your security cameras, key card readers, fax machines, etc.”
He offers one way to circumvent any turf wars: “The main thing that IT security professionals have to do is look at themselves as service providers. Previously, they handled all security. But IT has to step back and allow business unit owners to have responsibility to make decisions. IT people get concerned about things touching their network, which is an old school mentality. It has to help people use their capabilities and empower them to make their own decisions.
“On the physical side, security executives need to take the time to understand their network and IT as a shared resource across the business.”
Overall, he notes that convergence can provide an enterprise-wide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problem – it’s a business concern.
How is physical security and IT security convergence happening or not happening in your enterprise? I’d like to know. Please email me at firstname.lastname@example.org