This is the first of a series of articles that explores the convergence of physical security technology and information technology, and its impact on security departments and IT departments. The convergence at the technology level is a natural fit, and has resulted in many security technology breakthroughs and an impressive increase in the capabilities of today's physical security systems.
For organisations, the technological convergence does not have a parallel organisational convergence. Quite to the contrary. It has resulted in what can be best characterised as 'collision' - with IT and Physical Security departments butting heads and finally scratching heads, trying to figure out how to solve the problems that keep appearing.
Information technology is now critical to security systems
Initially the trend was for physical security technology and physical security systems to incorporate information technology components and infrastructure. Now many security technologies and systems do more than incorporate those elements, they are completely based upon them.
CCTV surveillance is a good example. I discussed this subject with Emil Marone, the chief technology officer of Henry Bros. Electronics, a large-scale security systems integrator headquartered in Saddle Brook, New Jersey. "The type of CCTV cameras that are used in facial recognition have been around for more than 30 years," explained Marone. "The introduction of computers is what has spurred the more recent advancements in their use." Until affordable computer technology could be utilised to make CCTV monitoring and recording manageable (becoming widespread around 10 years ago), their usefulness was limited and manpower intensive. Today information processing technology has made possible video-based smoke and fire detection, facial recognition and many types of advanced situation-based alarm monitoring based upon pattern recognition.
Beyond security
New security capabilities are also providing benefits outside the realm of security, and that has complicated the picture significantly. For example, shipping and warehousing operations can be monitored remotely by CCTV. If a critical shipment is due to go out early in the morning, the video management software can be used to point a camera at the shipment material and set an alarm that will alert a manager or executive when the containers are moved or if they are not moved within a specific time period. Card or biometric-based access control systems can provide electronic time card functions, generating time and attendance records for the payroll system. Human Resources can review video recordings to verify the effectiveness of employee training, and document the results for management.
While it is great to have increased ROI for security expenditures, the non-security benefits raise complex procurement and budgetary issues, especially for the benefits whose values are hard to quantify and translate into dollars. Whose budget will pay for the extensions to the security network for operational purposes - IT, Security or Operations? When CCTV cameras perform triple duty (security, operations monitoring, and training) how do you divvy up the bills for installation, ongoing maintenance and upgrades? Should Operations and HR have a say in the procurement process? Who will resolve disputes over competing departmental interests? Should security system traffic be allowed to travel on the business network for non-security purposes?
These examples only touch upon the wide array of organisational complexities that are being introduced by the information technology-based expansion of physical security systems.
Organisational problems
Four aspects of the technological convergence have created problems and conflicts for Security departments and IT departments:
* New security systems require knowledge beyond Security's domain. Electronic security systems incorporate information technology elements (such as databases and computers) and require information technology infrastructure (such as local and wide area wired and wireless networks). Most of these elements have complex configuration and set-up steps that must be performed by a knowledgeable person. Thus the procurement, deployment and maintenance of most security systems now require IT knowledge and skills. The Security department must look to the IT department for help with many aspects of security projects. There is a large communication gap, because the Security personnel do not know the IT domain, and the IT personnel do not know the Security domain. This is compounded by the fact that many companies do not have an up-to-date and plain-English Security Plan and Security Emergency Response Plan. These would help IT get an understanding of the purpose and activities involved in Security during normal business, off-hours, and emergency operations.
* Security systems offer many non-security benefits. Thus there are new stakeholders throughout the organisation, whose use of the systems requires extending the information technology elements and infrastructure of the physical security systems for non-security purposes. This introduces complex issues for budgeting, procurement, deployment and ongoing use of the systems. It also significantly expands the privacy issues.
* The IT elements of security systems are used differently than the same IT elements of business systems. For example, the usage patterns for networked security workstations are very different from what is typical for business systems of networked PCs. This leads IT departments to misestimate the requirements for information technology elements and infrastructure of the security systems. This is most apparent in the estimation of network bandwidth requirements, which is almost always significantly underestimated. Security, not being familiar with the IT domain, does not realise that these differences exist and thus cannot really educate IT about them.
* The complexities that new security technology introduces intensify the already close focus on the technology involved. Thus the people and process corners of the people-process-technology triangle fall out of view. Yet the people and process domains are often where the root of the problems and their solutions actually lie.
The common element to the problems and conflicts is that they are organisational in nature, not technological.
Security success
To achieve full success with organisational security requires being effective in recognising and handling these organisational situations. This requires knowledge of the organisation itself, and the purpose and activities of each part of the organisation. While that may sound very matter-of-fact, often Security personnel and IT personnel find it difficult to obtain this knowledge.
Stan Gatewood, the chief information assurance and privacy officer for the University of Southern California, is one of the leading experts on information security, infrastructure protection and electronic privacy. "In my experience," said Gatewood, "many executives cannot articulate their purpose and function in relation to the overall business. The purpose of security is to protect and support the functions of the business. This requires a clear understanding of each area of the business. To get a handle on security, you first have to get a handle on what each area of the business is doing. To set security priorities, you have to know the priorities of the business. You have to understand the big picture, so that you can put things in their proper perspective. Each executive must be able to correctly answer these questions, 'What are we in the business of? What are we going to do?' It is enlightening and often surprising to hear the wide variety of answers from within the same organisation.
"Additionally," explained Gatewood, "you have to understand that security is not just physical security or logical security; it includes the human element and all three elements must be addressed." This must be understood outside the security and IT departments in order for an organisation to be effectively proactive about security, which is the only way success in security will be achieved.
Security stakeholders
Those executives and managers whose areas would benefit from security technology, whether it is for security or operational purposes, are stakeholders in the deployment of security systems. Both the Security and the IT departments must be able to engage in real dialogue with them. Security and IT must be able to summarise and clearly explain the security initiatives and any technology under consideration, in terms of how it would affect each area of the organisation and the organisation overall. This includes being prepared to explain the relevant risk assessment work upon which any security recommendations are based.
If executives and managers have requested the use of specific security system features or technology, they must be able to explain their objectives for their use and outline the organisational benefits (including the quantification of any direct financial benefits). They must also establish relative priorities for the items that they are requesting, and provide input to the overall organisational prioritisation of security items.
Thus the dialogues that security and IT engage in with the rest of the organisation are part education and part exploration.
Technology blinders
It is very important when engaging in security analysis, and when discussing security with people outside of Security and IT, that enthusiasm for new high-tech security systems and products does not create blinders that keep low-tech solutions out of view. This is a risk for those in both IT and Security who are immersed in technology on a daily basis.
Emil Marone relates one situation where a client called him in to discuss a problem they were having with night intruders onto their property. The intruders would dress in black, and could not easily be seen against the black asphalt and dark grounds of the perimeter under the existing lighting. They were considering a new CCTV system that could 'see in the dark', and were also considering a complete renovation of their outdoor lighting. Both measures would be expensive and disruptive, but these improvements seemed to be needed to solve their problem.
"Once I had an understanding of the situation," said Marone, "I advised against making either change. Cameras that can see in the dark will not help the security officers on foot patrol, and there was a better solution available." Marone suggested that they simply paint the grounds white on both sides of the perimeter fencing. Intruders dressed in black would be clearly visible. Even in white clothes they would still create obvious shadows under the existing lighting. It was a very inexpensive solution and was implemented immediately with great success. This approach enabled both the foot patrols and the personnel monitoring the CCTV images to see what they needed to see.
Solutions this simple and inexpensive are not available for every security need. When they are, they are often obvious only in retrospect. This underscores the value of consulting with people outside the Security and IT departments, and even outside the organisation, who can view things in a fresh perspective. This is one antidote to the 'cannot see the forest for the trees' phenomenon.
Basic measures
"It is also important to go after 'low hanging fruit'," asserts Stan Gatewood. "First, use what you have now. Discover what you can do right away with existing resources. Usually there are very basic measures that can be taken. Second, go after things that are less immediate and take more time and effort."
Gatewood also cautions not to underestimate the value of taking small steps. "Taking baby steps is a good way to get started. Do not always go for the big initiatives." Small steps are less disruptive, and are also less demanding on organisational resources.
Security evangelist
It should be no surprise that the companies who are most effective in implementing good security programmes are those companies who have an executive at a high level that is a 'security evangelist'. It requires a high-level address to organisational security issues to set priorities for items that extend across the entire organisational spectrum, especially when non-security benefits are involved. Security leadership must be strong, active and ongoing in order to achieve real results. Whether the label 'security evangelist' is used or not, someone at executive level has to take on that role. It is not an option or a temporary involvement. The consideration and establishment of organisational security requires participatory collaboration. It sometimes requires 'executive muscle' to provide the needed support to Security and IT.
Additionally, it often takes executive savvy to deal with competing resource allocation issues and to set appropriate budget priorities. Executive insight can be required to evaluate security measures and initiatives in light of the big picture, and to envision the optimum scenarios for their implementation. Sometimes there are campaigns that can be utilised to introduce or support an initiative, that will help to align the efforts with overall business objectives.
Experience shows that there is no adequate replacement for having a security-minded senior executive.
Knowledge and responsibility
For most organisations, the roles and responsibilities regarding security must be expanded not just for security and IT personnel, but for most managers and executives. To make sure that security initiatives are fully accomplished and that security policies and procedures also remain in place requires that managers and executives have enough security knowledge that they can exert effective control in their own areas where security issues are involved. The also need the knowledge to be able to evaluate the relative importance of security issues. Sometimes lapses in security are a result of people not really understanding the role that a security measure plays, and why it is important. Informed managers and executives must see to it that their people are adequately informed, whether this occurs through formal training or ad hoc briefings or instructions.
Personnel performance reviews should include a security element. People should be acknowledged for upholding security, and even commended where appropriate.
Reaping the benefits
Whatever your own responsibilities are in the security picture, it is your job to see that you know what you need to know to carry them out.
There are amazing benefits to be obtained from the impressive advances that stem from the convergence of physical security and information technology. They will help you to the degree that your organisation obtains the right knowledge in the right places, so that each person can be effective and can easily carry out his or her role in support of the organisation's security objectives.
Share your knowledge
The convergence of physical security and IT is having widespread impact on organisations of all sizes. The larger the organisation, the larger the impact. Have you been successful in addressing convergence issues? Have you come up with an organisational model that takes this convergence into account? Do you have a particularly troublesome issue that will not resolve?
If so, please contact HSS at [email protected]. Ray Bernard will be addressing solutions to common problems in future articles in this series.
Effective meetings require overcoming the language barriers
Many discussions and meetings between security and IT personnel go awry because of a terminology problem that is peculiar to the realms of physical security and IT. Because IT includes security elements, the world of physical security shares many words with the IT world. The words are similar conceptually - but different in specific meaning.
Security personnel can think that IT's discussion about an Access Control List means a discussion about authorisations for the security cards used to access the building and parking lot. The IT term is a parallel concept, but actually refers to a list that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file.
Does 'security breach inside the perimeter' mean that someone forced a door open in the facility, or that a network breach originated on the inside of the firewalls that protect the network? Does 'traffic level' mean the amount of people that go through a security revolving door, or the number of packets being transmitted on a network?
Meeting fog
It is very common for people to get hung up on a particular point due to this terminology issue. They thought they were tracking with the speaker and then they realise they are not. Not wanting to appear ignorant, or out of concern for being ridiculed, they sit there and try to look alert even though they are fighting a heavy mental fog. It can put people to sleep.
Managers and executives can have the worst time of it, because just as they think a new word or phrase means one thing - it seems to mean another.
IT personnel would be amazed at the number of people who do not know the meaning of the word bandwidth. People can get all kinds of strange ideas when they hear words that they do not understand or for which they have different definitions. Overhearing a sentence like, "Look at the screen, you can see there is not enough bandwidth," can give someone the idea that the width of the visual image on the screen is what is meant by bandwidth. This has actually happened. And there are people who think that CCTV refers to some cable television station like MTV rather than the camera surveillance system - closed circuit TV.
Meeting guidelines
Here are some guidelines that can be applied to all meetings, but which are especially important for meetings where both physical security and IT topics will be discussed:
* List the topics to be covered. At the start of the meeting, list the various knowledge domains that will be covered in the meeting. Ask for a show of hands if a domain is not a primary subject of expertise. If any hands go up, emphasise the importance of not going past any point that is not completely understood. Explain that the success of the meeting and the follow up actions is important enough to take the time to clear up any questions.
* Schedule attendance for mixed agenda meetings. Try scheduling the topics so that people will not be unnecessarily subjected to domain-specific discussions. Someone from accounting should not be expected to sit through a lengthy technical discussion. Skip the technical discussion and give a plain English summary, or schedule the technical discussions first with a limited group and bring others into the meeting at a later point.
* Specify who can answer questions. Sometimes people can think they understand something, to find later that they do not. By the conclusion of any meeting, make sure you have identified who should be contacted about questions specific to each topic of discussion.
* Check for questions. At the conclusion of each topic, not just at the end of the meeting, check for questions. If being considerate of questions is something new in your organisation or department, you may have to overcome the reluctance of some people to ask questions.
* Clearly define terms. Be sure to define each topic term clearly when you first use it, and make it obvious when you are switching topics. You should have definitions written out in advance, that use plain language and avoid references to other words that would not be known to the meeting attendees.
* Be brave. Ask a question when you do not understand. Often others will have the same question. Lead by asking. Others will follow your example.
* Be considerate. Be patient in helping someone else understand what you are saying. It is your responsibility as the person speaking to make sure that you get your message across. This means you have to take the steps necessary to clearly explain what you are saying at the level of the listener. Remember what Einstein said: "If you cannot explain it to a six year old, you do not understand it well enough yourself."
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version