Common language: IT and corporate security cooperation makes progress

CSOs share real-world tips for making physical/digital collaboration pay off

It's an old story: Different risk management functions operating in separate boxes, each oblivious to the other's existence. Security experts have been talking about the need for corporate and IT security to come together for what seems like an eternity. But real cooperation has emerged only in fits and starts.

At long last, we're starting to see evidence that the walls are coming down, albeit slowly, one brick at a time. Here are four companies that are making it happen.

The Long Struggle

Let's begin with a short history of the problem.

In the past, physical and IT security shops have had trouble working together. They were created as two separate departments, with different people, cultures and ways of thinking. By sharing skills, technology, processes and best practices, the two disciplines could more effectively defend against threats and deliver the kind of holistic security that organizations need. But change has come at a glacial pace.

Corporate security professionals have become reliant on information security tools and techniques such as identity management, log monitoring and analytics, says David Melnick, principal in the security, privacy and data protection practice at consultancy Deloitte.

"We increasingly live in a world where neither [physical nor information security] can be effective without the ability to integrate with and rely on the other," Melnick says.

Similarly, IT security pros have become more aware of the human and physical dimensions of protecting data.

The most powerful collaborations between the two disciplines take place during the response to an incident, Melnick says. Physical security "has strong practices and focus on the key issues that emerge when you have to respond to an event [for example, forensic investigation and interviewing], while information security and technology offer increasingly effective sources of intelligence and evidence around the event," he says. "While some events take place largely in cyberspace and others in the physical world, both require collaboration for the most effective response."

At ADP and Elsewhere, CSOs Bridge The Gap

The first example of genuine progress comes from Automatic Data Processing (ADP), a provider of outsourcing services for human resources, payroll and other business processes. The company finally became a "fully converged security organization" two years ago, says Roland Cloutier, vice president and CSO (and a CSO Compass Award honoree in 2010).

By creating the office of the CSO and aligning operational security, risk and privacy-service delivery teams, ADP has created a global platform for efficiently and effectively monitoring and delivering key security elements in business operations and product delivery.

Units within the organization are either considered service delivery, client management or platform support, Cloutier says, and all report to a senior leader who has responsibility for all security, risk and privacy functions at the company.

Service delivery includes programs such as information security, risk management, the company's Critical Incident Response Center, public safety and client security. Client management is responsible for ensuring that the services are delivered into each division and business unit and that functional business requirements are covered by the services offered by the central delivery teams. And the platform-support teams provide consistent internal operations support while preventing stovepiped processes, overlapping technologies and fiscal mismanagement.

"By consolidating these functions, operating on a shared services platform, enabling cross-discipline metrics, and getting functional leaders at the same table, we are able to better evaluate our security posture, better leverage our technology and capital investments, make better global and enterprise risk decisions, and more effectively make decisions and execute our strategy and daily operations," Cloutier says.

The reality is that both physical and cyber issues have huge effects on any corporation, Cloutier says.

"From intellectual property protection to cyber intrusions, privacy, protected data assurance, client funds protection, product security, and workforce safety, all impact business operations, client management and satisfaction, brand, and shareholder investment," he explains.

By merging security programs and developing cross-discipline metrics and governance functions, companies have a better quantitative and qualitative view of the efficacy of their security investments, Cloutier says.

He prefers not to think of the success of the converged program just in terms of threat avoidance, but rather as a cross-disciplinary "ecosystem approach" to the prevention, detection, deterrence and management of key security, risk and privacy operations.

With this approach, "security executives now have a much better way to make risk-based decisions on the entire spectrum of critical security issues against a business, and migrate shared resources and funds to the area most critical at the time of need," Cloutier says.

Heartland's Struggle

At Heartland Payment Systems, a provider of payment-processing, payroll and other services, CSO John South has struggled to marry physical and IT security to better protect the firm's enterprise and merchant customers. It's become an important piece of the puzzle as Heartland has fought to regain its footing following a massive security breach four years ago.

Back then, a group of hackers successfully broke into Heartland's network, stealing data from more than 100 million credit and debit cards on the company's network, which handles card processing for restaurants, retailers and other merchants. (Read a detailed account in APT in action: Inside the Heartland breach.)

"With Heartland facilities located in several locations across the country, it is important to have a consolidated approach to our physical security," South says. "Physical security is a part of many of our IT compliance obligations," such as the Payment Card Industry Data Security Standard. "So it is important that it is integrated into the IT audits and policies established to protect the company," he says.

Each quarter, the firm's IT auditors review the physical security controls already in place. "This includes site reviews and some components of physical security that are basic to a secure facility, such as examining the completeness of visitor records," South says.

The most important factor driving the collaboration between physical and cyber security is the need for quick and reliable access to information about the state of physical security in Heartland's various facilities, South says. "It is important to monitor the safety and security of our employees and our facilities both during working hours as well as during off-hours when someone might be looking for a way to break in," he says.

With consolidated monitoring, the company has the ability to respond quickly to emergencies as they occur. "It's the real-time access to physical security information that strengthens our approach to security," South says.

A close collaboration between physical and cyber security could help prevent a physical attack or breach that might be coupled with a cyber component, either as a part of the attack itself or to obfuscate the physical penetration of the company, South says. "With combined monitoring, we can shorten the reaction time between an attempted breach and our response," he says.

Cybersecurity Becomes a Physical Challenge

Another company aiming to link physical and IT security is YRC Worldwide, a holding company that oversees shipping businesses such as YRC Freight and Reddaway.

"The number of successful hacks into corporations around the world is the force that is driving our physical and IT security organizations to partner closely and work as one," says George Kather, CIO of YRC Worldwide.

"Cyberattacks have shifted from the harmless antics of bored teenagers to professional hackers sponsored by foreign entities that can bring corporations down."

Kather works closely with CSO Butch Day, who's in charge of physical security initiatives at YRC. The company has created a cyberattack section in its Crisis Response and Communications Plan. The plan dictates what actions to take if the company experiences an attack, such as what to shut down to prevent any damage from spreading (led by IT security); who to notify, including partners, law enforcement agencies and customers (led by physical security); and what to communicate (led by physical security).

The physical and IT security teams also partner on internal security concerns, Day says, such as guarding against an attack from within by a disgruntled employee. In early 2012, YRC deployed an intrusion-prevention system (IPS) that not only lets the company know if it's under attack externally but also helps it detect improper use of its computer and network-based assets.

"If management identifies an employee [who] is acting suspiciously, the physical security team will be engaged to investigate," Day says. "As part of that investigation, the physical security team can request IT support to review the employee's computer, Web and phone logs to affirm or disprove the suspicious activity" by using tools such as IPS.

Day's team has a large contingent of former law-enforcement officials who have a variety of specialties in security and investigations. They often work in conjunction with the IT security group.

"When they identify something, we look at all the evidence they compiled and take it from there," Day says. "Our CEO has made it clear that anytime we need anything, we can draw on [IT] resources, and it's worked very well."

Part of what's made the collaboration so successful is the absence of the turf battles that go on at some organizations, Day says. "It's amicable, a great working relationship," he says.

One of the recent initiatives undertaken by the groups is a move to IP video surveillance technology, and the physical security group is working with IT to choose and implement video equipment.

Airport Trades Silos for Teamwork

Los Angeles World Airports (LAWA) also aims for close cooperation between the law enforcement and security group and the IT organization.

Physical security systems that use IT components (access control devices, closed-circuit TV, radios, and so on) are primarily used by law enforcement and are managed by the Information Management and Technology Group (IMTG), says Dominic Nessi, deputy executive director and CIO.

"[Usage] policy is established by law enforcement and IMTG sees them as the stakeholder and decision-maker," Nessi says. "IMTG keeps abreast of technology advancements and works with the law enforcement organization to determine whether or not they would be of value to LAWA."

Over the past five years, law enforcement and IMTG have worked together to plan and implement a number of technology improvements, including a new digital trunked radio system, mobile data computers in vehicles, and a new 911 call system.

Ongoing projects include a nearly completed replacement of the physical access control system at Los Angeles International Airport (LAX) and a major replacement of LAX's CCTV and video-storage system.

"In all of these initiatives, law enforcement has been the project sponsor with IMTG being the delivery mechanism," Nessi says.

LAWA has implemented an internal network upon which security systems, airport systems and back-office systems ride, Nessi says. "Though they are one physical network, they are logically separate to provide each with the appropriate cybersecurity measures," he says.

"The primary factor driving this scenario is efficiency in the delivery approach. One network uses less physical infrastructure, is more cost-effective to operate and maintain, and requires only one network-management staff."

To increase collaboration between physical and IT security, some enterprises might need to reorganize their security operations.

"Strategic organizational design questions often become the brick wall that stops the convergence conversation," says Melnick of Deloitte.

"Partly this is because most organizations still bury information security within IT much like how traditional security lives within HR, finance or operations."

The answer might lie in combining these organizations, partly "to elevate the reporting relationship of the resulting integrated capability, as either one on their own [has] trouble making it to the C-suite level," Melnick says.

The value of integration is becoming increasingly clear, Melnick says, but the organizational design questions are not as clear.

"Ultimately, some combination of responsibilities will need to be brought together to elevate the capability to the C-suite, and this will likely require the partnering with compliance, risk-management, privacy or other functional areas--depending on the industry and organization--before we have true convergence," he says.

Other stories by Bob Violino