Why Security Silos are the New Unifier
How is a Security Systems Management Platform the next frontier in enterprise security risk management?
When was the last time something you liked was identified as being bad for you? Probably more often than you would like to admit. But then again, maybe it really isn’t bad for you. In the 1970s and 1980s, eggs were under an all-out assault from just about every health organization. According to Donald J. McNamara in a 2015 article, The Fifty Year Rehabilitation of the Egg, it is the only food that was ever singled out for restriction in an effort to reduce cardiovascular disease risk in the population. It really hasn’t been until the last few years that researchers have been reporting that eggs are a very healthy source of nutrients and protein, and the egg restrictions have been dropped from dietary guidelines. Why has there been such a shift in acceptance? Health professionals now see the whole picture, with a better understanding of dietary cholesterol and the overall nutritional benefits of eggs.
No, you haven’t opened the wrong article. This is about security, but I wanted to share an example of how things are sometimes mislabeled as bad, when the issue is really a lack of proper understanding, a big-picture approach and functional application. Enter the “silos.”
Yours, Mine and Theirs
A common belief today is that unless you are farming, “silos” are bad for business. Drawing from the farm analogy, farmers keep different kinds of crops in different bins or silos. Similarly, in the business world each work group would develop their own resources to meet their operational needs without considering if other teams might be working with the same needs. The work groups develop their own “silo” and keep the resources pretty much to themselves. This could be true of any activity, whether services or technology, and many times security needs. At first, this all seems well and good, until someone in the C-suite realizes that the organization is duplicating costs for the same types of goods or services across all the various work groups. That’s bad, right? Now starts the contention of who’s got the right system or resource and who must change in the consolidation. Of course, everyone has their reasons why they need to be isolated from the rest of the organization and why their needs are special, but in today’s business economy, the opportunity for expense reduction generally drives change. That’s good, right? And thus the pendulum swings in the other direction, smashing all the silos in the process.
In business, silos apply to many operational activities. In this discussion, we are interested in those related to security, but we’ll examine other aspects where we can create shared resources. In the past, I would have been even more specific and said physical security, omitting IT aspects, but those are becoming nearly impossible to separate today. What we want to start nurturing is an enterprise mindset. This approach applies globally in three key principles:
- Buy-in across all work groups. This is usually the most difficult to achieve as it requires big-picture vision, creative planning, insightful delegation and most of all, team-building skills.
- To the extent possible, don’t duplicate services. Identify the best resources for specific activities and use those same resources consistently across the entire organization.
- Develop dynamic solutions that can adapt to fit all work groups. Some of these solutions may already exist in one or more of the work groups, but usually you are looking for best-of-breed systems.
There are two common fears when we discuss enterprise solutions. The first is to think that we would have to re-do critical systems from the ground up. The other fear is to think that we must choose between existing solutions and re-deploy them unilaterally. Both are daunting, but the best solution is typically achieved in a hybrid approach.
The real key to an enterprise approach is to reduce duplicated tasks and resources to the least common denominator. In doing this, you will not only increase overall operational efficiencies, but most importantly reduce risk.
An enterprise approach looks at finding the best solution to support and manage your resources and delegate those responsibilities accordingly. Security should manage security activities, HR should manage HR activities, Finance should manage finance activities, IT should manage IT activities? From my career experience, that is where the most friction lies in many organizations. That separation of responsibilities will be very different from one organization to the next, but it is critical to find the best equilibrium. I have found that when both sides understand and work to achieve this, the outcome is much better than either party could have realized.
As in any directional decision, whether business, life or the food you eat, the best results are usually found in the middle ground. There are new solutions that help you manage those transitions and maximize your system capabilities.
Play Nice Together
Here is where it is critical to properly understand this topic. To avoid the negative implications of the term “silos,” shift thinking to Operational Distinctives. These are legitimate differences in each work group’s leadership, goals, constraints, resources, personnel and likely funding, to name a few. I currently work for a large county, which is literally made up of many businesses. Several of those lines of business are very large, and coordinating within their own operations is challenging enough. When you start trying to apply the same practices across Corrections and Public Health, for example, there are some similarities, but just as many incongruities. What works for one may not work for the other. In addition, there are decision drivers that are unique to each, such as state and federal regulations, labor relations and even public opinion.
Different isn’t bad, it just requires an understanding of each user group’s needs and considering both the common and different perspectives so that you can make the proper applications. This is true whether you are starting from scratch or reorganizing multiple existing disparate resources. Once you understand the Operational Distinctives of each work group, you begin to identify key requirements of the systems and solutions you develop. Best-of-breed solutions will have the dynamic development capabilities to help them adapt to each work group. Where a user group may have initiated a security or IT resource on their own, identifying why they believed there was justification to do so will help to understand their uniqueness. Then work with them to identify how an enterprise approach can meet their unique needs and could likely provide greater benefits.
Thinking beyond security applications, you can start to identify other benefits those resources could provide in various user groups. For example, video surveillance can provide important benefits in manufacturing activities or evaluating customer traffic in a store. Card access can be associated with your logical and automation systems to provide more than just door control. The more you can expand systems’ uses, the more you will increase the investment value and generate buy-in from other groups. Additionally, you may learn about other non-security solutions various user groups have developed that could benefit the organization in various ways.
As you work with all of the user groups to identify their distinctives, common needs and engagement, it will be important to start looking at security and operational systems through non-traditional spectacles. Over the years, various security systems such as card access, video surveillance, ID badging and more have gone from stand-alone systems to integrated, interoperable solutions. Many product manufacturers have merged to provide even more robust capabilities, and many new solutions have developed, but they are still multiple systems administered independently. Where the future is leading in enterprise security solutions is what I call the Security Systems Management Platform (SSMP). This approach involves five primary activities: Credential Management, Physical Security, Cybersecurity, Situational Awareness and back-office operations, all connected through a single platform. Some products and concepts from these approaches have been around for a while, but as they continue to develop and merge they create a more robust and intuitive platform. These approaches by themselves are still fairly compartmentalized between physical and logical security, but as they merge into a unified SSMP, those lines should begin to disappear, or at least to the extent that you want them to. Additionally, other operational benefits and efficiencies will present themselves as it becomes part of the organization.
The Security Systems Management Platform (SSMP) brings these systems together into a unified, interoperable, enterprise fortress, while still allowing each user group to operate within their Operational Distinctives. It does so by connecting to back-office systems like HR, Facility Management, Client Information and Active Directory to develop thorough user management capabilities. User management refers not only to employees, but anyone who might be given access to facilities and organization resources. SSMP does not replace any of the primary security or operational systems, but connects to them and provides data management between them. The SSMP becomes the new user interface for nearly all of the operational activities of the connected systems. This is what allows organizations to select best-of-breed from each system based on operational needs and scale. Through automated workflows, role-based resource management and robust system integrations, the SSMP allows organizations to build an Enterprise Security Risk Management program to its fullest potential by engaging all user groups and likely giving each of them more control, without compromising their Operational Distinctives.
While some user and system management can be achieved through Active Directory or inter-system integration, the SSMP is able to provide more extensive management through its customizable workflows and process automation. Decisions about what privilege or resource a user should have can be made based on relevant data or routed to appropriate managers to assist in the process. Another important point is that the SSMP does not have to be the central database for all systems; it just has to know where the data resides, again leveraging the most appropriate resource for the task.
Because of the connectivity and processing capabilities of the SSMP, it can provide all the user management functions from onboarding to termination and direct each system as appropriate to meet the user and organization’s needs. At any time or by scheduled reports, any manager can identify and adjust their staff’s entitlements, or see who has access to their space and resources. This management also helps to provide additional monitoring of users by tracking risky activity such as unauthorized access attempts and creating a risk score for each user.
With all systems at your fingertips, the SSMP will provide event monitoring and management at any level, from the GSOC to the NOC to the receptionist. Integration with physical and logical security systems presents a whole new approach to threat monitoring. Add situational awareness to that mix and a whole new perspective of your world will emerge.
You could call the SSMP a Silo Management Platform! Because the SSMP can be developed to work within each user group’s operational distinctives, it can build bridges to increase interoperability and enterprise efficiencies. Duplicated resources can be managed through the SSMP to reduce the inefficiencies or support a phased migration to a single preferred solution. The SSMP ties your organization together, reducing waste, increasing shared information and most of all, providing a more secure environment. This is the next frontier in enterprise security risk management.
About the Author
Douglas Button, CPP, is Physical Security Specialist at Hennepin County, Minnesota, and Consultant/Owner at Advanced Security Consulting.