Hi-Tech Security Solutions recently invited three security experts and three IT experts (some of whom play both sides of the field) to participate in a round-table on the subject of convergence. This is a brief overview of the discussion.
Having heard all about the convergence of security and IT, Hi-Tech Security Solutions decided it was time to get people from both sides to talk about their experiences in the world of convergence. The round-table was not meant as a final gospel on the convergence of the two worlds of IT and security, but more of an overview of the trends people in the trenches see happening on a daily basis. We wanted the participants’ take on the state of security-IT convergence at the moment. Is it something security companies should take seriously? Is it something traditional IT companies are taking seriously as a new untapped market?
Anyone in the security industry who still thinks convergence is something that will happen sometime soon is behind the curve, and falling further behind faster than ever.
Resistance is futile, you will be converged
Marius Coetzee, COO of Ideco Biometric Security Solutions (IBSS) started the discussion noting that there is still a long way to go to a fully converged world, but the industry is moving. He says IP (Internet Protocol) infrastructure is definitely the backbone of the IT platform as well as the security platform of the future. There are already large overlaps but these will grow as proprietary and legacy security solutions are mothballed.
He says there are two challenges the security industry faces. The first is the never-ending battle for skills and people who really understand how to configure an IP infrastructure to cater for all the different technologies and services running on it. The second is the need to deal with the different drivers within the customer organisation that are trying to run or specify what the application requirements are. For example, HR’s requirements are no longer restricted to HR and the things IT does with its infrastructure affect the whole company. Someone needs to keep the business flowing and integrate these different needs into common business processes.
Richard Creighton, regional general manager for Honeywell Building Solutions adds that he deals with customers in all sizes of business, small to enterprise and the issue of convergence depends very much on who you are talking to.
“Typically when we are having discussions with the big corporates, they get it, they know they have to go onto a converged platform using existing infrastructure. Also, they know they need to leverage their current skill set as well. The in-house skills are an advantage to the large corporations, but they are also very departmentalised. This means they understand the need for convergence from a strategic perspective, but getting everyone to buy in and work together can be a challenge and we often find we have to facilitate those discussions.
“Once we get the ball rolling they get the value and they get the lifecycle reductions and it makes a lot of sense to them. The reasons to go forward are actually quite simple in business terms: operational costs are reduced and risk is reduced. Even with the long-term silos and high resistance in certain areas for now, convergence will happen, it is not a question of if.”
Yugasen Naidoo, CEO of Praxis, a traditional IT company that has recently expanded its security offerings, agrees, adding that he has experienced the difficulties different departments have in working together effectively. The nature of the various departments means that they do things differently and employ different types of people; hence their cultures are different and they have different business drivers. The integrator and solution provider needs to tread carefully.
He does note that he has not seen all that much convergence on the hardware side of things, as it is still a complex task to integrate general security equipment into IP infrastructures. Hardware built to proprietary standards is still the norm in practice, it seems, although, as expected, the trend is changing.
Naidoo expects to see a drive away from this in the near future, one that has already started, as vendor companies realise the need to be able to integrate their wares with the rest of the world. The issue of open standards crops up here and was a key issue to be discussed.
Another participant coming from the IT world was Julie Wagstaff from Ubusha Technologies, who tackles the issue from the perspective of identity management solutions. She has seen large corporates taking the first steps in convergence, but built on identity, which then gives staff access to physical and logical assets.
IBSS’s Linda Glieman agrees, noting that more customers are starting to view identity as a tool through which they are able to control their business environment better. This not only applies to white-collar companies, but also (and possibly more so) to the large blue-collar organisations out there.
Convergence is not universal
It was here that the conversation diverged into an area where convergence could never happen. While the technology will converge and different roles within business will have to cooperate and share with each other in maintaining an overarching security solution, basic security principles will ensure that the roles and responsibilities of the various players in business will never converge.
“Segregation of duties is a must,” states Wagstaff. “You cannot trust one person to start giving you secure access to all your physical and logical property, no matter how converged your infrastructure and applications are. You cannot give a security guard rights to give anyone access to your IT systems, for example.”
“There is absolutely no business case around converging roles and responsibilities,” adds Creighton, “it is from a technical perspective where the convergence must happen.”
Wagstaff agrees, noting that roles and responsibilities are not defined by IT or security, they are and must be defined at a business level.
Getting back on the convergence track, Paul Webel, ISM business unit manager at Novell South Africa, says the common denominator globally, across industries, is the threat landscape. Everything continually changes and, as a result of these changes in risk, compliance issues are driven down into the operational areas of business. The South African market is slightly behind the US, for example, where the Homeland Security Presidential Directive issued after 9/11 has had the effect of driving some of this convergence to enforce better managed security.
“We in South Africa do not have that kind of legislation, however our corporates have realised that from a governance perspective they need to start controlling and ensuring compliance.”
He expects the trend to continue and, as readiness across organisations increases, we will see an increase in the implementation of a single identity management system, for example, starting to control who goes where, for what, and what they can access, irrespective of whether the 'what' is a physical asset or not.
“We are going to see open standards enforced across technology and across software solutions that are being installed,” Webel adds. “But one certainty is it is going to be an identity driven solution. At the end of the day, the individual’s identity is going to govern security and what access and rights a person has from a physical and from a logical environment.”
HP’s ProCurve country manager, Lorna Hardie, adds that while technology convergence is a reality, one of the major factors that comes into play across the board within all the industries is the fact that there is no one-stop solution. “You have to look at multiple factors within the IP environment or within the networking space, which is obviously the replay of the security convergence market. We will be seeing systems that empower visibility across the enterprise, not only of users and what they are trying to access, but also assets across the organisation. You have technology from a physical security perspective that will now allow you to track where devices are located within the building, set off automated alarms that will let you know if they have gone out of their jurisdiction in terms of areas. These are converged solutions that deliver value from the start.”
If one looks at the benefits of a converged environment in this context, you have a situation where you can improve your visibility across the enterprise of the user and physical assets, and a security perspective in terms of physically managing your devices from a common management platform.
Historically, for example, security was very much a reactive response. A video camera would record an incident and you would have to go back to the video tape to see what had happened and to track the problem. Now, in a converging environment, you have alarms that track behavioural patterns across the physical and logical sides of the business and raise an alert, allowing the company to react to the threat while it is still unfolding.
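The behavioural alarms described above only become possible once door-controller events and IT login events land on one platform. The following is an added example, not code from the article or from any of the vendors represented at the round-table: it replays a constructed stream of badge and login events in time order and raises an alert when the logical side contradicts the physical side. The event format, the user names and the assumption that the corporate LAN is 10.0.0.0/8 are all constructed for the illustration.

```python
"""Converged alerting: correlate physical badge events with logical logins.

Added example, not from the original article. All events are constructed
sample data and the on-premises address range is an assumption.
"""
import ipaddress

# Assumption: the corporate LAN is 10.0.0.0/8; anything else is remote.
ONPREM_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample events as (timestamp, user, kind, detail).
# kind is "badge_in", "badge_out" or "login"; detail is a door or source IP.
EVENTS = [
    ("2024-03-04T07:55:00", "alice", "badge_in", "main-entrance"),
    ("2024-03-04T08:02:00", "alice", "login", "10.0.12.34"),    # on-prem after badging in: normal
    ("2024-03-04T08:10:00", "bob", "login", "10.0.12.35"),      # on-prem, but bob never badged in
    ("2024-03-04T09:00:00", "carol", "badge_in", "main-entrance"),
    ("2024-03-04T09:05:00", "carol", "login", "203.0.113.7"),   # remote login while carol is inside
    ("2024-03-04T17:30:00", "alice", "badge_out", "main-entrance"),
    ("2024-03-04T17:45:00", "alice", "login", "10.0.12.34"),    # on-prem login after alice left
]


def is_onprem(ip: str) -> bool:
    """True when the source address falls in the assumed corporate LAN."""
    return ipaddress.ip_address(ip) in ONPREM_NETWORK


def correlate(events):
    """Replay badge and login events in time order and return alerts.

    Two behavioural rules that only a converged view can express:
      - onprem_login_without_badge: a LAN login by someone the door
        system does not have on site (tailgating, shared credentials or
        a missing badge-in).
      - remote_login_while_badged_in: a login from outside the LAN by
        someone the door system has on site (credential theft or a
        forgotten badge-out).
    """
    on_site = {}   # user -> True once badged in, False once badged out
    alerts = []
    for ts, user, kind, detail in sorted(events):
        if kind == "badge_in":
            on_site[user] = True
        elif kind == "badge_out":
            on_site[user] = False
        elif kind == "login":
            inside = on_site.get(user, False)
            if is_onprem(detail) and not inside:
                alerts.append((ts, user, "onprem_login_without_badge"))
            elif not is_onprem(detail) and inside:
                alerts.append((ts, user, "remote_login_while_badged_in"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(*alert)
```

Run as-is it prints three alerts: bob's LAN login with no badge-in, carol's remote login while she is on site, and alice's LAN login after she badged out. In a real deployment the badge state would come from the access-control system's event feed and the LAN ranges from the network team, and both rules would be tuned for edge cases the sample ignores (unbadged doors, visitors, VPN split tunnels), which is exactly the cross-department coordination the participants describe.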
Legislation and governance issues are driving this forward from an auditing perspective. Companies are expected to know what is in their environment, where it goes and who uses it and so forth. Companies generally buy into this, but often they do what is necessary without considering the ultimate benefits of integrating the enterprise – mainly due to the scary costs that are presented when ideas like that are tabled.
Proving and delivering value
At this point Creighton notes that the ROI (return on investment) on security is a difficult sell because it is so intangible. All business leaders know they are at risk, but it is difficult to quantify the risk. Boards want to know what the 2-year saving will be or what the 10-year payback is and it is difficult in security.
Put simply, it is easy to say improved access control and surveillance systems will prevent a criminal from entering the premises and stealing a laptop – that has a cost. Retailers can justify their security by a decrease in shrinkage, also easily measurable. Buddy clocking can be stopped and payroll savings measured. But how does one put a value to larger systems that integrate everything, boost security productivity and effectiveness, but do not have an easy rand value?
Here again, Webel adds that audit reports are helpful because all reports have to take losses into account and these days, good governance as well. New corporate governance standards will force management to at least look at ways to reduce losses and gain a better understanding of the workings of their operations.
Webel refers to the PricewaterhouseCoopers 2007 Employee Fraud Survey where the company reports that 43% of global companies experience employee fraud. In South Africa the figure is 72%. Proactive measures must be taken, but cost issues will prevent a reinvention of the wheel. Well designed and converged solutions can ease the burden without too great a cost shock.
“If we look at the recent banking scam by people at Vodacom where over R2 million was stolen, the cellular provider was not part of the scam, did not make a profit or loss from it, but what is the reputational cost to the company? These are the intangible risks converged solution providers can change with the appropriately designed solutions.”
When it comes to convergence, as the IT industry found out a few years ago, the big issue is standards. Proprietary systems just do not cut it anymore and even the most closed IT companies had to at least pay lip service and some sort of attention to the standards debate. The same is happening in security.
Nearly everyone is looking at the common mechanisms to approach solutions from an open standards perspective in order to enable compliance going forward. This does not necessarily mean a plug-and-play scenario for all security solutions, but it will become easier to connect systems from diverse vendors and incorporate them into a single solution. Today, there are some companies that make their customers jump through hoops to connect 'foreign' devices. In the near future, customers will insist on some form of openness to give themselves options.
Another issue affecting both standards and the benefits or ROI is the integration with other aspects of the business environment, be it power management, health and safety, HVAC (heating, ventilating and air conditioning) and so on. Some of these areas are tightly controlled by legislation, and security companies will need to come to the party with their own standards that meet the requirements of health and safety demands, for example, if full convergence is to be achieved.
An overly simplified example would be the ability to prevent people from accessing certain areas at certain times in a manufacturing or mining operation, to keep them out of life-threatening situations. In this case the various systems at work inside and outside the restricted area need to work together to, at the very least, prevent loss of life, and that is an ROI companies have to pay for.
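Three threads of the discussion come together in a single mechanism: one identity record that governs both doors and applications (Webel), segregation of duties so that a guard cannot hand out IT access (Wagstaff, Creighton), and time-restricted areas such as the mining example above. The following added example, which is not code from the article or from any vendor present, models that mechanism: a constructed entitlement registry, a grant function that enforces who may grant what, a single decision function for door readers and application logins, and an audit trail of the kind the participants say governance now demands. The entitlement names, the roles and the 06:00-08:00 blast-zone window are all assumptions made for the illustration.

```python
"""One identity record governs both door and system access, while the
right to grant each kind of access stays segregated by role.

Added example, not from the original article. Entitlement names, roles
and the 06:00-08:00 blast-zone restriction are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Identity:
    name: str
    roles: set
    entitlements: set = field(default_factory=set)


# Constructed entitlement registry. Each entry says which domain it belongs
# to, which roles may grant it (segregation of duties), and an optional
# daily window during which the entitlement is suspended for everyone.
ENTITLEMENTS = {
    "door:main-entrance": {"domain": "physical", "grantors": {"security_admin"}, "suspended": None},
    "door:blast-zone":    {"domain": "physical", "grantors": {"security_admin"},
                           "suspended": (time(6, 0), time(8, 0))},   # assumed daily blasting window
    "app:payroll":        {"domain": "logical",  "grantors": {"it_admin"}, "suspended": None},
}

AUDIT_LOG = []   # (action, actor, subject, entitlement, outcome) for the auditors


def grant(grantor: Identity, subject: Identity, entitlement: str) -> bool:
    """Add an entitlement to subject if grantor holds a role allowed to grant it.

    A security guard (security_admin) can authorise door access but cannot
    hand out access to IT systems, and an IT administrator cannot hand out
    door access: the converged platform does not converge the duties.
    """
    spec = ENTITLEMENTS.get(entitlement)
    allowed = spec is not None and bool(spec["grantors"] & grantor.roles)
    if allowed:
        subject.entitlements.add(entitlement)
    AUDIT_LOG.append(("grant", grantor.name, subject.name, entitlement, allowed))
    return allowed


def decide(subject: Identity, entitlement: str, at: time) -> str:
    """Single decision point used by both door readers and application logins."""
    spec = ENTITLEMENTS.get(entitlement)
    if spec is None or entitlement not in subject.entitlements:
        outcome = "deny"
    elif spec["suspended"] and spec["suspended"][0] <= at < spec["suspended"][1]:
        outcome = "deny:suspended-hours"
    else:
        outcome = "allow"
    AUDIT_LOG.append(("decide", "-", subject.name, entitlement, outcome))
    return outcome


def demo():
    """Walk through the guard / IT admin / miner scenario and return the outcomes."""
    guard = Identity("guard", {"security_admin"})
    it_admin = Identity("it_admin", {"it_admin"})
    miner = Identity("miner", {"employee"})
    return {
        "guard_grants_door": grant(guard, miner, "door:blast-zone"),
        "guard_grants_payroll": grant(guard, miner, "app:payroll"),
        "it_grants_payroll": grant(it_admin, miner, "app:payroll"),
        "it_grants_door": grant(it_admin, miner, "door:main-entrance"),
        "door_during_blasting": decide(miner, "door:blast-zone", time(7, 0)),
        "door_after_blasting": decide(miner, "door:blast-zone", time(9, 0)),
        "payroll": decide(miner, "app:payroll", time(9, 0)),
        "unknown_door": decide(miner, "door:main-entrance", time(9, 0)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
    for entry in AUDIT_LOG:
        print(*entry)
```

The point of the design is where the lines are drawn: the identity and the decision logic are shared, so an auditor sees one record of who holds what and who gave it to them, but the grantor sets are defined per entitlement by the business, not by whoever administers the platform, which is the segregation the participants insist must survive convergence.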
Of course, there are less serious returns companies need to understand. A common example is buddy-clocking savings. A client of one of the speakers changed from traditional card-based clocking systems to biometric access controls, linked to time and attendance solutions – and directly to payroll. This company has a large workforce and by using this new biometric security technology integrated into its business systems was able to prevent buddy clocking and other fraud made easy by card systems, saving R42 million per year by simply being 15 minutes more accurate in its clocking times.
“What we are seeing in the market is customers asking for identity management technology at points of sale to manage and ensure their revenue is protected,” adds Coetzee. “In the retail sector they need to know that the person they are dealing with is the person who is supposed to be signing this credit card or is supposed to be opening the account. Almost every industry has similar issues related to reliably identifying people.”
Creighton concurs, citing a mining group that has to feed its campus of over 10 000 people daily. Because of false clocking and ghost employees, the company was throwing away significant quantities of food per month. Biometrics solves the problem as dead people and ghosts generally do not register when scanning their fingerprints.
Overcoming the hurdles
So now, in a perfect world, we have all these pieces of technology and best practices that can offer identity-driven converged solutions with a mixture of tangible and intangible returns to companies, how does one get the various players to work together, appreciate their turf being a shared space and build a solution that meets the corporate need?
The consensus is that this is a major problem in today’s business world, even harder in some instances than the technical convergence aspects of the business. “You do not build an ocean,” is Creighton’s advice, “you take a phased approach and build little bits at a time.”
Most importantly, all agree, the organisation needs someone who is ultimately responsible for all risk, whether logical, physical, financial or otherwise. This risk officer’s job is not to come up with solutions for each area of the business, but to facilitate discussions between all the relevant parties so that the right people do the right things and agree on the right solutions. The reality is that every person or department still has a role to play in the converged world, but their role forms part of a larger, more effective, holistic solution.
The only way to accomplish this effectively, says Glieman, is for security integrators and solution providers to understand the business they are approaching, learn the pain points it has to deal with and offer a solution. Even if they start with a simple access control and time and attendance solution, they can show the benefits and then move on to more complex solutions, eventually getting to the ones that do not have such easily measurable returns.
A risk officer is an ally in this situation as he/she can pinpoint the areas of vulnerability and help the solutions provider navigate the political waters. At the end of the day, this employee will still have to sit around the table with the financial director or CFO and justify the decision and the spend.
So who is the risk officer? Does he need a technical or perhaps a security qualification? The consensus is that a risk officer needs to be a businessperson who has the ear of the C-level executives, perhaps even an auditor who will examine all aspects of the business through a microscope.
Technology and convergence aside, says Naidoo, it is a business decision after all that will impact processes and a degree of productivity at the end of the day. The people who run the money are the people who need to know why.
In the political environments, however, you need to talk to the operational people as well before you go to their financial bosses, adds Webel, or better still, go to the finance chiefs with the operational people. It avoids a lot of politics.
In the past, the driver for security solutions was to reduce risk. Today the drivers are the same, but the broad concept of reducing risk now includes the need to reduce costs or manage them better, meet legislative demands, reduce or prevent fraud and other criminal activities, and protect revenues. The only way for security companies to accomplish this is to move away from being security companies and towards becoming solution providers, says Glieman. They need to understand business; it is no longer a matter of a piece of hardware or software that has to be installed, and that is the biggest challenge facing security companies.
Basically, says Webel, they have to become consultants and approach business in a consultancy capacity, understand the pains, understand what is available, structure a solution, offer a proposal and make it work.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.