CSOs say they can lead their functions to be more effective and save money at the same time. It means overcoming the challenges posed by executives who don’t buy the idea, and staff who will resist you. Here’s a guide to understanding both the upside and the hurdles to holistic security management.
Talk to Jim Mecsics about the benefits of convergence, and you’ll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there’s a security problem, the CEO is going to jab Mecsics’ belly button, hold him accountable and say, “Fix it.”
His point: In a converged security organization, there’s only one button to push—executives don’t have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.
Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program—to bring together previously disparate pieces of security, including physical and information security, under one roof. It didn’t take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks. Mecsics and his team went to work—they set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).
The Payoff: Executive-level backing and a mandate to run one operation for all security functions gives CSOs the chance to create more effective teams.
And did we mention the part about saving money? “That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says. Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)
Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you’re trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.
In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they’ve converged and the payoffs they’ve achieved from reorganizing their security departments to better meet the needs of their businesses.
Payoff #1 A comprehensive security strategy better aligns security goals with
Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.
When Marshall Sanders, vice president of corporate security and CSO (and who served as the founding director of security for President Reagan’s strategic defense initiative program in the ’80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture. Sanders’ mission was made easier because senior executives at the company viewed security as a key enabler for the business. “We’re a network services provider—we’re all about network availability. If the network isn’t available due to a logical or physical incident, it’s a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture,” he says.
A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see “Security Committee,” Page 28). “It’s critical to have top-down sponsorship,” Sanders says, adding that in his case, the CEO “realized security needed to be integrated into the architecture of the business.” The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. “It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problem—it’s a business concern.”
Sanders defines convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.)
Payoff #2 The CSO can be a single point of contact
When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO. John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn’t have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. But bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist among people who previously had prime allegiance to their individual security function.
Payoff #3 Information-sharing among disparate security functions increases
Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. “We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day,” says Loving. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals. For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers.
Payoff #4 Convergence gives you a more versatile staff
Although the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. That led to inefficiencies, where two separate teams could be investigating the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.
That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents. Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions.
In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.
Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.
Payoff #5 You save the company money
OK, you’d like to be converged, you’ve talked up the benefits of single points of contact and holistic strategies and aligning security operations with business goals—and you’ve met with glassy eyes, thinly disguised yawns and general apathy from senior execs. Now’s the time to pull out your trump card: Cost savings. One area that’s generating savings is technology convergence, the intersection of physical and information security.
That’s what Telders at Pemco Insurance has found. Telders has put smiles on the suits at Pemco by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand. If a disk goes out, it costs $150,” he notes. Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.)
The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.
Stephen Baird, vice president of corporate security at United Rentals, North America’s largest equipment rental company, is similarly using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations—using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.
Stephen Baird, VP of corporate security at United Rentals, is the company’s single point of contact for all security matters. Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automatically—as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.
But if you’ve done the due diligence and believe that convergence can enhance your security posture and bring more value to the business, the CSOs in this story will tell you that you can converge and not just survive, but prosper.
http://www.csoonline.com/read/041505/payoffpain.html