THE PROBLEM:
Many corporations focus their security efforts on network protection, believing that firewalls and other technical tools will protect their hard-earned intellectual capital. Corporations also tend to compartmentalize their security efforts by function, addressing physical, network and organizational security as separate programs. This results in imbalanced security performance, because over 70% of all information security breaches are caused by human elements.
THE SOLUTION:
A balanced information security program that manages technical and human vulnerabilities collectively within the context of broader business goals and real-world threats.
Converged security is new to many, but not to the professionals at DC Associates. Our team of experts has been involved in, and leading the way in, the converged world for some time now. Our team has participated in and led research, assessments and global projects in the area of converged security.
Here is what we think...
Security is going through many changes and is morphing quickly. The biggest push that IT security has received has come from regulations focused on preventing fraud and breaches of confidential information. Regulations such as SOX, HIPAA, GLB, etc. have created an industry of must-haves that were nonexistent in the past. What used to be a "nice to have" has grown to become a "must".
As a result of the regulations, controls have become a major factor in the administration and procedures that an organization undertakes. In the mid-1990s, the first major control that provided a breakdown of the specific tasks to be launched within an organization was BS 7799 (later ISO 17799). Today we are seeing ITIL as a control that is all-encompassing and is being well implemented, especially in the "global organization". There are three major controls that are common in commercial organizations:
1. ISO 17799;
2. COBIT 4.0; and
3. ITIL
Most of these controls overlap substantially, and the choice is usually linked to the regulation (e.g. SOX – COBIT 4.0) and may even involve two controls that have been meshed or used together.
Converged security has been affected by these controls and is moving in the direction of these regulations. The issue we are facing now is: how do you create a Center for Security (CFS) in the organization, and who owns security in the organization once it is converged? There are power struggles between physical and cyber security staff, each believing that the other has no idea of how to make this all happen. The truth is, the converged world is in need of a sponsor within the organization.
Regulations have brought, and are bringing, the sponsor along. He is a pragmatic thinker who cares less about who knows what and when, and more about the organization's exposure to risk. He is the Chief Risk Officer (CRO), and he will answer to the CEO and the Board of Directors. The CRO will be the source of reason and rationality and will have a very important position to fill.
Converged security will cross-reference events in IT and physical security and start to correlate these events, creating remediation tasks that will lower risk and hopefully prevent attacks on organizations. This is being done through the use of IP security solutions in the physical world in collaboration with the IP network and application world.
Reality, though, has shown us that we are still some way from this integrated world. One reason is that the most popular component used in physical security (cameras) is for the most part still analog (not IP). The unofficial statistic is that 80% of new cameras are still analog while 95% of existing cameras remain analog, meaning that we have a long way to go to create effective "converged" solutions.
The future will be interesting, and we will see many blended solutions coming from the infrastructure players such as Cisco, Juniper, etc. The world of IDP (Intrusion Prevention and Detection) will also play a major role. We believe that the key players in this world will start to create a more complete solution and integrate more boxes (i.e. cameras working with the traditional IT IDP solutions), providing their clients with a complete blended threat product.
For example:
If the major infrastructure players (Cisco, Juniper, etc.) provided their clients with an IDP solution that worked with their IT security products and integrated IP cameras as well as biometric readers, you would see the following solutions:
1. Entry point to the building: a smart card with a biometric reader, and you will be watched by an IP camera linked to the same system.
2. You will log on at your terminal using the system with two-level authentication, a combination of smart card and biometric solution. The card you carry will also work as an RFID tracker that will know where you are in the building at any given moment.
3. If you try to enter an area that is restricted to you, the camera will take your picture (as it does today if you are speeding) and create a security event that will be entered in the security log file and start a progression of alerts that will be dealt with by the reaction team in place and filed in your HR record.
All this exists today and can be integrated quickly… the future is not far away.