Security Convergence - A Building Block of Enterprise Security Risk Management Dave Tyson, MBA, CPP, CISSP Senior Manager, IT & Physical Security City of Vancouver
City of Vancouver • 3rd largest city in Canada • Services about 1.5 million people per day • 10,000 employees • 4500 computer users • Home of the 2010 Winter Olympic Games • Departments: Police Dept. (VPD), Fire Rescue (VFD), Public Library, City Parks, Engineering, Community Services, Corporate Services, Community Theatres, Law & HR, Non-Profit Societies
My Background • 23 years in security (16 yrs Physical Security, 7 yrs IT Security) • Certified Protection Professional (CPP) • Certified Information Systems Security Professional (CISSP) • Master’s Degree in Business – Digital Technology Mgt. • Member of the Professional Certification Board of ASIS International • Advisory Board member for Alliance for Enterprise Security Risk Management (AESRM) • Member of ISSA, ASIS Int., ISACA
The New World • The world is once again flat!...or maybe round! • Single dimension focus • IP Pandemic • Ethernet on appliances, cars, phones, tracking devices • Global move to hold organizations accountable for security breaches • But, at the enterprise level new risks emerge • Centralization • SSO • Directory Services
Interesting numbers • Globally, 40% of organizations have IT/Physical Security professionals reporting to the same leader –PWC 2006 • 75% of organizations have some level of integration between IT and Physical Security – PWC 2006 • 80% of On-line Consumers are at least somewhat afraid of Identity theft – ESG 2005
Convergence is a Strategic Activity • Security is a weakest-link discipline • People, processes and technology – these are about integration! • It’s about creating business value • Reducing costs • Reducing risk • Reducing duplication
Convergence Defined • The integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.
Drivers for Change (Booz Allen Hamilton Survey, 2005) • Rapid expansion of the enterprise ecosystem • Value migration from physical to information-based and intangible assets • New protective technologies blurring functional boundaries • New compliance and regulatory regimes • Continuing pressure to reduce cost
Changing Threat Paradigm for the Physical Security Profession • Physical security had been chiefly responsible for fraud, theft and harassment issues in the workplace • New people in the organization are responsible for security “stuff” but may not have specific security backgrounds • Threats are facilitated and enabled by the technology • 2.1 billion cell phones (no security) and 850 million IP nodes in 2004. When these phones become addressable under 2.5G and 3G technologies, let the games begin: triple the size of the Internet, with less security • The average physical security professional knows very little about these issues at this time
What gets worse? • Fraud • Harassment • Stalking • Identity theft • Phishing & Pharming • SPAM • Viruses • Delivery of Spyware, Trojan horses and Adware
What gets easier? • What it takes to perpetrate these activities
What does this mean on the risk side of the equation?
Key Concepts of Security Convergence • Both departments bring strengths to the table; those strengths must be capitalized on to address the inherent challenges in the other group’s business • IT Security has technical expertise but not large numbers of staff; physical security generally has the opposite. Both groups can benefit from each other! • Convergence needs to be slow and measured • Groups must start by first speaking a common language
Changes at City of Vancouver • Interest in a shared-services approach began the discussion • Governance • Changed reporting structure given my skills • Risk Management • Combined a primarily operational group with a more tactical group • But many cracks existed in compliance, investigations, risk assessment, BCP and metrics • Overshadowing unknown: the 2010 Winter Olympics
Initial Integration Points • Strategic • Strategic Approach • Cost reduction • Tactical • Risk Assessment • Training • Policy • Security Awareness & Compliance • Policy Development • Operational • Geeks and Guards working together • Risk Mitigation • Weakest Link
Initial Changes • Trained the corporate guard force to assist in IT Security compliance reviews • Equipped nightshift security officer (S/O) staff with new detection tools • Began cross-training investigators with IT security analysts • IT Security staff reviewed the security of the physical security department’s technology • ITS staff briefed new colleagues on what we really do and what information we store in our offices – our office quickly got a new level of security
Outcomes in the first 90 days • 54% reduction in IT Security Policy violations • Identification of 2 rogue wireless devices • Increase in customer satisfaction of the security officer force: the exact numbers are not in yet! • Increased morale and attendance of S/O staff • Hardening of camera servers, access control server etc. • New team round table led to changes in the control room
Moving ahead • Reporting incidents and risks in a combined format to identify risk in a more comprehensive manner • Teams are working together to be creative and innovative in defining benefit opportunities • CCTV storage moving to SAN infrastructure • Maximize any opportunity to get the security message to the customer • TRAs (threat and risk assessments) are becoming more integrated • Security awareness training becoming more integrated • Security training becoming more integrated
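As an added illustration of what a “combined format” for physical and IT security events can buy you (this is example code written for this page, not the City of Vancouver’s reporting tooling): badge-reader and VPN records are normalised into one event schema, merged into a single timeline, and then checked for a simple convergence signal that neither team can see alone, a VPN session for a user whose badge says they are on-site. The log layouts, the badge-to-username mapping and the sample records are all constructed assumptions for the example.

```python
"""Combined physical/IT event view (illustrative; not City of Vancouver code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed badge-reader export. Assumed layout: time,badge_id,door,direction
BADGE_LOG = """\
2006-03-14T07:55:10,1042,HQ-Lobby,IN
2006-03-14T12:02:44,1042,HQ-Lobby,OUT
2006-03-14T08:10:03,2210,HQ-Lobby,IN
"""

# Constructed VPN concentrator log. Assumed layout: time,username,src_ip,action
VPN_LOG = """\
2006-03-14T09:30:00,jsmith,203.0.113.7,CONNECT
2006-03-14T07:00:00,akhan,198.51.100.9,CONNECT
2006-03-14T18:15:00,lwong,203.0.113.50,CONNECT
2006-03-14T18:40:00,lwong,203.0.113.50,DISCONNECT
"""

# Assumed join key between the access-control system and the directory.
BADGE_TO_USER = {"1042": "jsmith", "2210": "akhan"}


@dataclass(frozen=True)
class Event:
    """One record in the shared schema, whichever system produced it."""
    time: datetime
    user: str
    source: str   # "badge" or "vpn"
    detail: str


def parse_badge(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, direction = line.split(",")
        user = BADGE_TO_USER.get(badge, f"badge:{badge}")  # unmapped badges stay visible
        events.append(Event(datetime.fromisoformat(ts), user, "badge", f"{door} {direction}"))
    return events


def parse_vpn(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, "vpn", f"{action} from {src_ip}"))
    return events


def combined_timeline(*sources: List[Event]) -> List[Event]:
    """The 'combined format': every source interleaved in time order."""
    return sorted((e for s in sources for e in s), key=lambda e: e.time)


def onsite_intervals(badge_events: List[Event],
                     open_window: timedelta = timedelta(hours=12)
                     ) -> Dict[str, List[Tuple[datetime, datetime]]]:
    """Pair IN/OUT swipes per user. An IN with no matching OUT (tailgating out,
    forgotten swipe) is treated as on-site for a bounded window, not forever."""
    intervals: Dict[str, List[Tuple[datetime, datetime]]] = {}
    pending: Dict[str, datetime] = {}
    for e in sorted(badge_events, key=lambda e: e.time):
        if e.detail.endswith(" IN"):
            pending[e.user] = e.time
        elif e.detail.endswith(" OUT") and e.user in pending:
            intervals.setdefault(e.user, []).append((pending.pop(e.user), e.time))
    for user, t_in in pending.items():
        intervals.setdefault(user, []).append((t_in, t_in + open_window))
    return intervals


def flag_vpn_while_onsite(badge_events: List[Event], vpn_events: List[Event]) -> List[dict]:
    """Return VPN connects that fall inside a badge-derived on-site interval."""
    intervals = onsite_intervals(badge_events)
    findings = []
    for e in vpn_events:
        if not e.detail.startswith("CONNECT"):
            continue
        for t_in, t_out in intervals.get(e.user, []):
            if t_in <= e.time <= t_out:
                findings.append({"user": e.user, "vpn_time": e.time,
                                 "onsite": (t_in, t_out), "detail": e.detail})
    return findings


if __name__ == "__main__":
    badge, vpn = parse_badge(BADGE_LOG), parse_vpn(VPN_LOG)
    for e in combined_timeline(badge, vpn):
        print(f"{e.time:%H:%M} {e.source:5} {e.user:7} {e.detail}")
    for f in flag_vpn_while_onsite(badge, vpn):
        print("REVIEW:", f)
```

A hit here is a prompt for a joint investigation, not a conclusion: shared credentials, a badge lent to a colleague or a VPN client left running on a laptop carried into the building all produce the same pattern, which is exactly why the investigators and analysts on L17 need a common methodology and vocabulary before the output is actionable.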
Convergence continues to roll out • Integrating metrics collection and reporting • Starting a security dashboard project for executive mgt. team • Integrating investigations methodology in 2006/07 • Integrating Risk Assessment methodology in 2006/07 • CCTV deployment process integration • Re-architecting physical security systems environment
Lessons learned • Pick off the low-hanging fruit to build team support and belief • Successes must be communicated religiously to all levels of the organization • Accept that not every part of each group is best converged, but try to work around it • Start with an initial discussion – benefits arise from resolving mutual challenges • Take as much convergence as is right for the organization
Convergence: So far • Convergence is generally led, not directed • People have an easier time with enterprise wide risk than convergence • Culture and training are the primary barriers to function integration • Benefits • Costs • Risk reduction • Efficiency • Cycle time • Duplication • Recovery
Essential Components of Convergence • Executive-level sponsor • Vision • The courage to lead • Change management • Senior management buy-in • Strategic inventory of assets • $$ • People • Technology • Ability to leverage the value created
Questions? Dave Tyson MBA, CPP, CISSP Senior Manager, IT & Physical Security City of Vancouver dave.tyson@vancouver.ca (604) 871-6147