Security Technology Executive

SEP-OCT 2017


a concern, and is a functional risk that should be evaluated by all security leaders, which, gone unchecked, can interrupt the core mission and goals of the security group.

Today, Information Technology (IT) security has effectively undermined physical security terms and phrases: "security assessment", "risk assessment", "security controls" and "intrusion detection" have all been assimilated by IT security professionals. This fact is corroborated by those in a physical security function reading this article who have been propositioned with IT security job opportunities via LinkedIn and other avenues.

More broadly, this holistic terminology has led many organizations and their respective executives to lump security into a single bucket, making decisions that can create significant impacts for the organization. Take one of my clients' recent reorganization of a physical security function that now reports to IT. Within weeks, the IT department dealt with their first workplace violence incident – you can imagine how that went.

Many security directors now find themselves having to justify or approve their technological physical security investments to IT without a robust, mutually agreed framework or standards. This is especially true of computer servers/head-end systems, but is more directly attributed to the Internet of Things (IoT), or edge devices that reside in the IT networks and respective domains. Security directors now seeking to implement these systems have several obstacles they must overcome, such as service level agreements. A once simple addition of a surveillance camera now requires multiple layers of approvals, escorts and costs by groups other than physical security. The writer has observed physical security departments hire people away from IT to support the security function and to limit the approvals and cross-department charges.
With regard to budget, this is one thing that many IT leaders did that differentiated them from their physical security counterparts – they created a business process for their function/systems. Though still a cost center, the IT function is now well embedded in organizations with a cross-functional service charge model and is invariably just hidden in new project costs and organizational service charges, making IT more self-sustaining and resilient to organizational change.

There are security directors who may cave to the influence, those who fight the ever-growing influence of IT, and those who will embrace it. For those who paddle upstream, you will find rough currents, rocks and other boaters that chose not to fight the current. Ultimately, if you choose the latter approach, you will be mentally fatigued, exhausted and, more importantly, it will be immediately apparent to those around you that you are not a team player. Without a doubt, IT functions today are quite mature and generally carry high credibility in an organization. It is only sensible for a security leader to seek alignment and partnership for addressing holistic security needs, such as:

• Establish a Service Level Agreement (SLA) for security technology.
• Standardize and partner on holistic security technology that benefits both functions – Single-Sign-On (SSO) or mass notification.
  o Mobile credentialing
• Establish network approaches for security sub-net, VLAN, and realistic goals – 100s of cameras stored on the cloud not being one.
• Develop frameworks and strategies together and jointly pitch to senior management.
• Align investigative and incident management resources.

Wait – Stop Using the Word Security

The psychological stigma extends past the fundamentals and metrics of performance, and is inherent in the organizational titles that we have adopted.
Security professionals are so hung up on the use of the word "security" that many have failed to see the negative stigma associated with the word for others in a decision-making role. I have rarely been in organizations where the physical security function is accepted as equal in credibility to other departments. This is a dangerous position to be in because it undermines the security program and sets a negative precedent. At the core, the term "security" does not effectively identify the value of the program to the organization.

Conversely, there can be positive psychological effects with aligning a security mission to that of the organization and adopting something that has more of a proactive meaning, such as asset protection, resilience, surety or another value-based term. This rationale is rooted in a hypothetical question that I have delivered over the past decade to clients, which is: "For a moment assume that you are now the chief financial officer for your organization, and the writer wants you to make a budget decision based on the following statements alone. Which of the following statements are you most likely to support a budgetary allocation for: 'I need $100,000 for my security program' or the alternative being 'I need $100,000 for my asset protection program'?" One statement draws upon the aspect of cost, while the other one is indicative of value and potential cost savings. This is something that the security function, which shall henceforth be referred to as a resiliency function, should strive for – a message that communicates value and return on investment as opposed to cost.

A rebranding of the security function will begin with a C-suite conversation, Beyond organizational involvement, consider proactively building plans and budget around high-impact threats that are likely to occur.
