IFSEC Insider | Security and Fire News and Resources

Security convergence and FMs: the learning curve

Security convergence can be defined as a set of processes which bring together all those dedicated to security and the protection of people, information and property.

In many organisations, physical security and information security are managed by two separate departments. However, those same organisations are increasingly vulnerable to blended threats. That being the case, it’s absolutely crucial to be in a position to prioritise risks and respond effectively in the face of threats to system performance.

Spreading awareness that people are able to exploit technology to their advantage has caused information security leaders to join forces with traditional security professionals and develop strategies designed to combat these new risks.

For some facilities managers this kind of collaboration is pretty familiar, but for others it’s not in their scope. The benefits for all are clear as the ever-increasing need for all areas of security to work together becomes more obvious.

Ultimately, for those tasked with security and facilities management remits it’s absolutely vital they prevent catastrophic damage to assets, both tangible and intangible. Hence it makes good sense for a facilities manager to ensure that all areas of security are working together on building management systems, video surveillance and access control systems.

Since he or she often has responsibility for the safety of the people on site it’s also critical that these systems are secure and stable. Unfortunately, though, the reality of the situation is not always as encouraging as we might like. Sometimes, those responsible for security don’t ensure the technical side is updated effectively and the systems are corrupted. This may be due to malicious intent from an insider or system failure.

System failure: perhaps the biggest concern for FMs

It’s perhaps system failure which causes most concern to a facilities manager. If the building management system is run over the company network then the possibility of adequate lighting, air conditioning and safety being compromised is of great importance.

Therefore IT security can ensure that the systems are patched and maintained with the latest updates. If they are not involved and the physical security team is left to manage the system alone, there is a real danger that an accident could occur.

In addition to the obvious Health and Safety benefits there are many other advantages of a more holistic approach to security management. These range from significant cost savings when a company uses its own IT resources and infrastructure rather than outsourcing it to third-party providers through to faster response times achieved by way of more effective communications in a crisis.

With the formation of a single security function there could be up to 50% fewer meetings and a confidence that all areas of security are now more effectively managed.

A common line of reporting may be established that enables experts from each security area to examine vulnerabilities together and ensure all incidents receive the necessary attention they deserve. As a consequence one report will be produced. This would help prioritise the most important risks and realise a single view of key threats and vulnerabilities.


Integration and effective collaboration of process

Fred Kloet of Villa FM writes: “From a facilities management perspective convergence is about process integration and the search for effective collaboration between mental, physical and virtual facilities and facility services.

“Over the past 25 years, facilities management has grown from a pack of single services into an umbrella for business services. The profession evolved along the principles of Maslow. Security and safety is – like real estate, cleaning and catering – one of the basic needs of individuals and organisations.

“Through a series of process integration steps, the FM sector managed to combine the various views on safety and security coming from experts, industries and researchers, etc. As ‘integration’ is at the core of what a facilities manager does, security expertise and safety was included in every next growth step.

“Due to the fact that clients, customers and end users always have an integrated question or complaint, their demand for convergence has always been driving the integration of processes. This has led to the current phase of ‘integration of processes’ coming from the physical world (space and infrastructure), the mental world (people and organisation) and the virtual world (IT and software).

“The European definition of facilities management, EN15221, is very broad and holistic in nature. The history, culture, law, market structure and language is very diverse. As a result, aspects of – and needs for – security and safety can be found in a very wide area of facilities and facility services.

“One could say the European approach allows for a broader and more diverse perspective on where security convergence could begin. The starting point in today’s facilities management has become the requirement the ‘community’ demands. Some communities are more workspace-oriented while others tend to focus on technology.

“The importance for facilities managers is to understand the set of connections and the required effects on the facilities and facility services at play. If facilities managers understand the culture of the community they serve, they will then be able to analyse and develop the most suitable security convergence strategy.

“To help FMs prioritise the most important risks and help search for key threats and vulnerabilities, the EN15221 definition of facilities management includes a matrix combining the various focal points of FM with the Plan-Do-Check-Act approach developed by Deming.”


Engaging with IT security functions

Sarb Sembhi comments: “There are several things facilities managers can do which will build trust and credibility with their colleagues in the IT security realm (as, equally, there are things that IT security functions can do to build trust and credibility with their FM colleagues).

“The end goal of both functions is to protect the business and its people. To that extent, there are distinct areas where they can work together.

“When considering new technology for any FM activity, facilities managers should engage with IT security professionals as they may have the skills to research how vulnerable that technology would be within the rest of the technology currently used in the business.

“Also, they may have a better understanding of the likely pitfalls of going with one technology rather than another.

“For example, they may be able to tell you the difference between using wireless network technology (801.11) compared to wireless broadcast technology (the same as that used by cordless home phones) in CCTV systems. There are advantages and disadvantages to both, but although your supplier will be able to tell you as well, they will not be able to tell you from the aspect of how easy each is to access for the would-be attacker.

“The risk can better be explained by the IT security team than any supplier who’s trying to sell you equipment that will fit in with your/their budget.

“Once the technology has been purchased it’s always useful to involve IT. Experience shows that installers of technology related to security often only have a few days of networking (and even less in attacking and protecting equipment on a network). So, to ensure that a new installation doesn’t introduce unintended vulnerabilities into a network, the more you work with the IT security team the better.

“This close working is not just relevant for new technology: it’s also relevant for new processes. Many IT security teams have experience of looking at security control processes from an attack and/or defence perspective.

“On a day-to-day basis, both teams should be sharing information with each other and not just on obvious breaches (or attempted breaches) but also on anomalies. These should be shared whether they can be explained logically or not. Experience shows that these are often early signs of reconnaissance by attackers.”

Strategic meetings high on the agenda

Strategic meetings should also be high on the agenda with all teams responsible for security in order to agree the right things are being protected appropriately and according to agreed risk management approaches. These will assist in strategic future budgeting, thus ensuring that you all get the best out of the budgets you have. It may even be appropriate to combine budgets.

Further, there’s a great deal of expertise in investigations in many teams related to security, and there is much that can be learned from each other.

Since this discourse is not about how to manage converged security management, the above is but a selection of areas that can be addressed. There’s much more involved in effective converged security management. That’s a topic for a future article.

James Willison MSyI is vice-chairman of ASIS’ European Security Convergence Sub-Committee and founder of Unified Security

Sarb Sembhi is chairman of ISACA’s Europe and Africa GRA Sub-Committee and director of consulting services at Incoming Thought

Fred Kloet is director of Villa FM and a representative partner of the PROCOS Group

*James Willison MSyI and Sarb Sembhi will be speaking on the subject of convergence at this year’s IFSEC International 2012 Exhibition. The conference session at Birmingham’s NEC takes place in the Centre Stage Theatre on 16 May from noon-1.00 pm and is titled ‘Convergence and the Future of Security’.

Chairman for this session at conference is Chris Northy-Baker CSyP FSyI
