This is the first of a series of articles that explores the convergence of physical security technology and information technology, and its impact on Security departments and IT departments. The convergence at the technology level is a natural fit, and has resulted in many security technology breakthroughs and an impressive increase in the capabilities of today’s physical security systems. For organizations, the technological convergence doesn’t have a parallel organizational convergence. Quite to the contrary. It has resulted in what can be best characterized as “collision” – with IT and Physical Security departments butting heads and finally scratching heads, trying to figure out how to solve the problems that keep appearing.

Information Technology Is Now Critical To Security Systems

Initially the trend was for physical security technology and physical security systems to incorporate information technology components and infrastructure. Now many security technologies and systems do more than incorporate those elements, they are completely based upon them. CCTV surveillance is a good example. I discussed this subject with Emil Marone, the Chief Technology Officer of Henry Bros. Electronics, a large-scale security systems integrator headquartered in Saddle Brook, New Jersey. “The type of CCTV cameras that are used in facial recognition have been around for more than 30 years,” explained Marone. “The introduction of computers is what has spurred the more recent advancements in their use.” Until affordable computer technology could be utilized to make CCTV monitoring and recording manageable (becoming widespread around 10 years ago), their usefulness was limited and manpower intensive. Today information processing technology has made possible video based smoke and fire detection, facial recognition, and many types of advanced situation-based alarm monitoring based upon pattern recognition.
Beyond Security

New security capabilities are also providing benefits outside the realm of security, and that has complicated the picture significantly. For example, shipping and warehousing operations can be monitored remotely by CCTV. If a critical shipment is due to go out early in the morning, the video management software can be used to point a camera at the shipment material and set an alarm that will alert a manager or executive when the containers are moved or if they are not moved within a specific time period. Card or biometric based access control systems can provide electronic time card functions, generating time and attendance records for the payroll system. Human Resources can review video recordings to verify the effectiveness of employee training, and document the results for management.

While it’s great to have increased ROI for security expenditures, the non-security benefits raise complex procurement and budgetary issues, especially for the benefits whose values are hard to quantify and translate into dollars. Whose budget will pay for the extensions to the security network for operational purposes – IT, Security or Operations? When CCTV cameras perform triple duty (security, operations monitoring, and training) how do you divvy up the bills for installation, ongoing maintenance and upgrades? Should Operations and HR have a say in the procurement process? Who will resolve disputes over competing departmental interests? Should security system traffic be allowed to travel on the business network for non-security purposes? These examples only touch upon the wide array of organizational complexities that are being introduced by the information technology-based expansion of physical security systems.

Organizational Problems

Four aspects of the technological convergence have created problems and conflicts for Security departments and IT departments:
Security Success

To achieve full success with organizational security requires being effective in recognizing and handling these organizational situations. This requires knowledge of the organization itself, and the purpose and activities of each part of the organization. While that may sound very matter-of-fact, often Security personnel and IT personnel find it difficult to obtain this knowledge. Stan Gatewood, the Chief Information Assurance and Privacy Officer for the University of Southern California, is one of the leading experts on information security, infrastructure protection and electronic privacy.

“In my experience,” said Gatewood, “many executives can’t articulate their purpose and function in relation to the overall business. The purpose of security is to protect and support the functions of the business. This requires a clear understanding of each area of the business. To get a handle on security, you first have to get a handle on what each area of the business is doing. To set security priorities, you have to know the priorities of the business. You have to understand the big picture, so that you can put things in their proper perspective. Each executive must be able to correctly answer these questions, ‘What are we in the business of? What are we going to do?’ It is enlightening and often surprising to hear the wide variety of answers from within the same organization.”

“Additionally,” explained Gatewood, “you have to understand that security isn’t just physical security or logical security; it includes the human element and all three elements must be addressed.” This must be understood outside the Security and IT departments in order for an organization to be effectively proactive about security, which is the only way success in security will be achieved.
Security Stakeholders

Those executives and managers whose areas would benefit from security technology, whether it’s for security or operational purposes, are stakeholders in the deployment of security systems. Both the Security and the IT departments must be able to engage in real dialog with them. Security and IT must be able to summarize and clearly explain the security initiatives and any technology under consideration, in terms of how it would affect each area of the organization and the organization overall. This includes being prepared to explain the relevant risk assessment work upon which any security recommendations are based.

If executives and managers have requested the use of specific security system features or technology, they must be able to explain their objectives for their use and outline the organizational benefits (including the quantification of any direct financial benefits). They must also establish relative priorities for the items that they are requesting, and provide input to the overall organizational prioritization of security items. Thus the dialogs that Security and IT engage in with the rest of the organization are part education and part exploration.

Technology Blinders

It’s very important when engaging in security analysis, and when discussing security with people outside of Security and IT, that enthusiasm for new high-tech security systems and products doesn’t create blinders that keep low-tech solutions out of view. This is a risk for those in both IT and Security who are immersed in technology on a daily basis. Emil Marone relates one situation where a client called him in to discuss a problem they were having with night intruders onto their property. The intruders would dress in black, and could not easily be seen against the black asphalt and dark grounds of the perimeter under the existing lighting.
They were considering a new CCTV system that could “see in the dark”, and were also considering a complete renovation of their outdoor lighting. Both measures would be expensive and disruptive, but these improvements seemed to be needed to solve their problem.

“Once I had an understanding of the situation,” said Marone, “I advised against making either change. Cameras that can see in the dark won’t help the security officers on foot patrol, and there was a better solution available.” Marone suggested that they simply paint the grounds white on both sides of the perimeter fencing. Intruders dressed in black would be clearly visible. Even in white clothes they would still create obvious shadows under the existing lighting. It was a very inexpensive solution and was implemented immediately with great success. This approach enabled both the foot patrols and the personnel monitoring the CCTV images to see what they needed to see.

Solutions this simple and inexpensive are not available for every security need. When they are, they are often obvious only in retrospect. This underscores the value of consulting with people outside the Security and IT departments, and even outside the organization, who can view things in a fresh perspective. This is one antidote to the “can’t see the forest for the trees” phenomenon.

Basic Measures

“It is also important to go after ‘low hanging fruit’,” asserts Stan Gatewood. “First, use what you have now. Discover what you can do right away with existing resources. Usually there are very basic measures that can be taken. Second, go after things that are less immediate and take more time and effort.” Gatewood also cautions not to underestimate the value of taking small steps. “Taking baby steps is a good way to get started. Don’t always go for the big initiatives.” Small steps are less disruptive, and are also less demanding on organizational resources.
Security Evangelist

It should be no surprise that the companies that are most effective in implementing good security programs are those that have an executive at a high level who is a “security evangelist”. It takes high-level attention to organizational security issues to set priorities for items that extend across the entire organizational spectrum, especially when non-security benefits are involved. Security leadership must be strong, active and ongoing in order to achieve real results. Whether the label “security evangelist” is used or not, someone at executive level has to take on that role. It’s not an option or a temporary involvement.

The consideration and establishment of organizational security requires participatory collaboration. It sometimes requires “executive muscle” to provide the needed support to Security and IT. Additionally, it often takes executive savvy to deal with competing resource allocation issues and to set appropriate budget priorities. Executive insight can be required to evaluate security measures and initiatives in light of the big picture, and to envision the optimum scenarios for their implementation. Sometimes there are campaigns that can be utilized to introduce or support an initiative, and that will help to align the efforts with overall business objectives. Experience shows that there is no adequate replacement for having a security-minded senior executive.

Knowledge and Responsibility

For most organizations, the roles and responsibilities regarding security must be expanded not just for Security and IT personnel, but for most managers and executives. To make sure that security initiatives are fully accomplished and that security policies and procedures also remain in place requires that managers and executives have enough security knowledge that they can exert effective control in their own areas where security issues are involved.
They also need the knowledge to be able to evaluate the relative importance of security issues. Sometimes lapses in security are a result of people not really understanding the role that a security measure plays, and why it is important. Informed managers and executives must see to it that their people are adequately informed, whether this occurs through formal training or ad hoc briefings or instructions. Personnel performance reviews should include a security element. People should be acknowledged for upholding security, and even commended where appropriate.

Reaping the Benefits

Whatever your own responsibilities are in the security picture, it’s your job to see that you know what you need to know to carry them out. There are amazing benefits to be obtained from the impressive advances that stem from the convergence of physical security and information technology. They will help you to the degree that your organization obtains the right knowledge in the right places, so that each person can be effective and can easily carry out his or her role in support of the organization’s security objectives.

Also see the sidebars: Effective Meetings Require Overcoming The Language Barriers
Copyright © 2003 by Ray Bernard.