Hi-Tech Security Solutions asked Paul Wenborn, technical director of innoVIZION, and Neil Cameron, GM of Johnson Controls Systems Service South Africa, a few questions on the role of security in the enterprise.
Hi-Tech Security Solutions: Is security in the enterprise impacting traditionally non-security functions, such as HR, IT or finance? What effect is it having?
Paul Wenborn: With a global focus on corporate governance and specifically governance, risk, and compliance (GRC), all aspects of an organisation are directly or indirectly impacted by heightened security policies and procedures. These new business requirements demand that non-security functions (HR/IT/Finance/Facility/Wellness and even Production, Logistics, etc.) become directly accountable for identity management and policy enforcement.
If one applies basic real-life business process scenarios to this data it could mean that a person/contractor’s access to site or a specific area is dependent on multiple people in an organisation providing a holistic framework for a process-driven solution.
Neil Cameron: Traditionally, separate security focus areas – ie, people, data and assets – are converging and this is creating greater awareness among all line functions within the business. For instance, the security profile assigned to any staff member will depend on that person’s role and responsibility within the organisation. Among others, it will determine the level of access this person has to organisational data.
However, since data can also be physically removed (a primary concern of the IT manager), physical access to the premises needs to be restricted and standard security around data – eg, firewalls and passwords – needs to be driven throughout the organisation. Similarly, assets such as company laptops and mobiles need to be protected.
While 95% of organisations still run disparate systems for HR, IT and other functions, a single integrated security policy is being enabled through the implementation of an enterprise layer of information. Thus, an integrated enterprise-strength version of security is coming into being.
Hi-Tech Security Solutions: Have security managers realised their need to serve the business? Do they view themselves as part of the operational processes necessary to enable the business to function properly and make a profit?
Paul Wenborn: In an integrated solutions environment, a better term for security managers should be security compliance managers. Security compliance managers with the necessary skills can have a unique perspective on an organisation’s physical/logical/policy/statutory and industry specific compliance requirements. This perspective is often overlooked and is of critical value when input of functional/system requirements to the mapping of business processes is required.
Ignoring security managers’ input as key stakeholders on an integrated identity and people management security solution project can result in significant requirements being excluded from the scope and have a direct impact on the bottom line and performance of a business.
Neil Cameron: Security personnel in most organisations traditionally focused on physical security. Many are becoming more IT aware and literate, and also more aligned with the goals of the business. However, security managers that are appointed at an executive level in larger organisations (eg, financial services) certainly have a greater understanding of how security impacts business risk, governance and compliance issues.
Hi-Tech Security Solutions: Where are the drivers of change in the security function coming from in business?
Paul Wenborn: Technology, governance and integration are the three main drivers of change for the security function while business process optimisation (BPO) is the key driver from businesses that are looking towards integrated solutions that enhance productivity and automate manual and regulatory processes such as HSE enforcement.
Neil Cameron: Convergence of the various business functions, driven by integration of the administration of these functions on a single technology platform is certainly playing a role. There is also the increased accountability and responsibility at a board level – as described in King III – for executives and directors to implement suitable security measures to protect the business and its shareholders, ensure that corporate governance policies are met and that business risk is mitigated.
Hi-Tech Security Solutions: Has the security function migrated, or is it in the process of migrating to board level?
Paul Wenborn: No, not the security function as such; however, our general experience in the industry is that security normally forms part of the risk management function that in some instances, depending on the company size, is represented at board level. However, security has evolved and has a vital role to play in contributing to a company’s strategic planning.
Neil Cameron: Security, or lack thereof, can impact the bottom line of a business and affect core business, so it certainly merits board level inputs and attention. It has become a key component of the controls of a business that facilitate risk mitigation and corporate governance. For example, the creation and implementation of a suitable health and safety policy is an important element of a comprehensive security solution and will directly influence staff wellness and operational efficiency, affecting the organisation’s risk profile.
Hi-Tech Security Solutions: What about the alternative? Are other functions, such as risk management evolving to integrate security functions, leaving traditional security officers with shrinking empires?
Paul Wenborn: Once again, our experience is that in most corporate organisations security is already part of the risk management function. The acronym SHERQ, which incorporates the security function, has been around for many years. Integrated identity and access management solutions that form part of a larger integrated people management solution (IPMS) have definitely created a perception and practice of merging functions and job titles.
In our experience the traditional security empire can grow or shrink dependent on individual competencies – this could either mean a larger portfolio for the security manager taking on risk control or security being added to the risk manager’s portfolio.
In either scenario the individual is generally swamped with multiple responsibilities, and without an integrated, process-driven access and identity management solution (both physical & logical) whereby various disparate systems are seamlessly integrated and then crafted to work as a single entity, the security/risk officer will be inundated with administrative tasks instead of enforcing and enhancing policy utilising the information provided by the solution.
Neil Cameron: The empire of the security manager is not dwindling; it is becoming more significant. It is today a key part of business rather than a grudge spend. Because security addresses such a wide range of issues – physical assets, data and personnel – I believe that while security policy and IT execution will become more of a board-level issue, the function itself will not be usurped by related functions, but remain a subset of those functions requiring some oversight.
Hi-Tech Security Solutions: What about the influence of technology? Will IT and its technicians usurp the work previously done by security technicians?
Paul Wenborn: The pace of technology has significantly influenced the market. ICT companies added physical access control as a logical extension to their existing integrated identity management (IIM) solutions. IT staff are tech savvy and can quickly gain the necessary skills required and due to their IT background are technically proficient at fault finding 'from the scanner to the database'.
This has placed a large onus and significant challenge on traditional access control companies and security technicians. Companies will increasingly be looking to single-point-of-contact vendors to partner with and add value to their overall HR/IT and security strategies and goals.
Neil Cameron: Technology is undoubtedly an increasingly important part of implementing security on a number of levels – ie, access, CCTV monitoring, reporting, integration into building management systems, etc. However, the field of enterprise security implementation is wider than IT alone as security systems often need to integrate to electrical or mechanical (eg, airconditioning) systems. While it is not impossible that the IT technician will skill up to also manage security technologies, security is becoming more complex and specialist maintenance may be required.
Hi-Tech Security Solutions: What should security managers and personnel do to ensure they are an integral part of their corporations going forward?
Paul Wenborn: Security personnel should position themselves to add value through the effective application of technology to enhance delivery and enforcement of company policies and procedures while ensuring compliance with governmental and regulatory authorities. A zero incident safety record and effectively managed people management systems can have a significant positive impact on many companies where Safety First cultures are promulgated.
Neil Cameron: It is important that organisations keep up with changes in this field – and these changes are rapid at present – in order to add value to the organisation. Security managers should ensure they are utilising the latest systems, functionality and technology to accurately align security to business needs – and adequately protect the company against new threats. Ox-wagon technology will only negatively impact perception about the security function.
Hi-Tech Security Solutions: How should the security function expand to become an integral function of the enterprise?
Paul Wenborn: Knowledge is the key – this does not necessarily mean becoming a subject matter expert on integrated security solutions, but of vital importance is to understand the business requirements and unique needs of the various individual stakeholders in your organisation and be able to translate that into meaningful input during a facilitated blueprinting process.
The focus should be on functioning as a security compliance manager vs. a technical expert on a moving target of technology that continuously changes. Rather partner with a company/systems integrator who adds value to your business processes and facilitates delivery of the process using technology as an enabler as opposed to a company punting a technology (features and benefits) to solve people-related process issues.
A sustainable solution is 90% to do with proper up-front blueprinting, systems integration and process optimisation and 10% about hanging a reader on a wall.
Neil Cameron: The security function is already growing. It is also receiving more air-time at a strategic level. The security function in business needs to lead change rather than being pulled along by change. The function is evolving and so must security staff. Upskilling personnel, becoming more aware of the role of technology in enabling security, and developing a vocabulary that will allow board-level communication and interaction are crucial.
© Technews Publishing (Pty) Ltd | All Rights Reserved