Security Convergence - A Building Block of Enterprise Security Risk Management

Dave Tyson, MBA, CPP, CISSP
Senior Manager, IT & Physical Security
City of Vancouver
City of Vancouver

- 3rd largest city in Canada
- Services about 1.5 million people per day
- 10,000 employees
- 4500 computer users
- Home of the 2010 Winter Olympic Games

Departments
- Police Dept. (VPD)
- Fire Rescue (VFD)
- Public Library
- City Parks
- Engineering
- Community Services
- Corporate Services
- Community Theatres
- Law & HR
- Non-Profit Societies
My Background

- 23 Years in Security
  - 16 yrs Physical Security
  - 7 yrs IT Security
- Certified Protection Professional (CPP)
- Certified Information Systems Security Professional (CISSP)
- Master’s Degree in Business – Digital Technology Mgt.
- Member of the Professional Certification Board of ASIS International
- Advisory Board member for Alliance for Enterprise Security Risk Management (AESRM)
- Member of ISSA, ASIS Int., ISACA
The New World

- The world is once again flat!... or maybe round!
- Single dimension focus
- IP Pandemic
  - Ethernet on appliances, cars, phones, tracking devices
- Global move to hold organizations accountable for security breaches
- But, at the enterprise level new risks emerge
  - Centralization
  - SSO
  - Directory Services
Interesting numbers

- Globally, 40% of organizations have IT/Physical Security professionals reporting to the same leader – PWC 2006
- 75% of organizations have some level of integration between IT and Physical Security – PWC 2006
- 80% of On-line Consumers are at least somewhat afraid of Identity theft – ESG 2005
Convergence is a Strategic Activity

- Security is a weakest link discipline
- People, processes and technology – these are about integration!
- It’s about creating business value
  - Reducing costs
  - Reducing risk
  - Reducing duplication
Convergence Defined

The integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.
Drivers for Change (Booz Allen Hamilton Survey - 2005)

- Rapid expansion of enterprise ecosystem
- Value Migration from Physical to information based & intangible assets
- New protective technologies blurring functional boundaries
- New compliance and regulatory regimes
- Continuing pressure to reduce cost
Changing Threat Paradigm for Physical Security Professions

- Physical security had been chiefly responsible for fraud, theft, harassment issues in the workplace
- New people in the organization responsible for security “stuff” that may not have specific security backgrounds
- Threats are facilitated and enabled by the technology
  - 2.1 Billion Cell phones (no security) and 850 Million IP Nodes in 2004 – When these phones become addressable under 2.5 & 3G technologies... well, let the games begin... triple the size of the internet with less security
- The average physical security professional knows very little about these issues at this time
What does this mean on the risk side of the equation?

What gets worse?
- Fraud
- Harassment
- Stalking
- Identity theft
- Phishing & Pharming
- SPAM
- Viruses
- Delivery of Spyware, Trojan horses and Adware

What gets easier?
- What it takes to perpetrate these activities
Key Concepts of Security Convergence

- Both departments bring strengths to the table – those strengths must be capitalized on to address the inherent challenges in the other group’s business
  - IT Security has technical expertise but not large numbers of staff; physical security generally has the opposite: both groups can benefit from each other!
- Convergence needs to be slow and measured
- Groups must start by first speaking a common language
Changes at City of Vancouver

- Interest in shared services approach began discussion
- Governance
  - Changed reporting structure given my skills
- Risk Management
  - Combined a primarily operational group with a more tactical group
  - But many cracks existed in compliance, investigations, risk assessment, BCP, metrics
- Overshadowing unknown
  - 2010 Winter Olympics
Initial Integration Points

Strategic
- Strategic Approach
- Cost reduction

Tactical
- Risk Assessment
- Training

Policy
- Security Awareness & Compliance
- Policy Development

Operational
- Geeks and Guards working together
- Risk Mitigation
- Weakest Link
Initial Changes

- Trained the corporate guard force to assist in IT Security Compliance reviews
- Equipped nightshift S/O staff with new detection tools
- Began cross training investigators with IT security analysts
- IT Security staff reviewed security of physical security department technology
- ITS staff briefed new colleagues on what we really do & what information we store in our offices – our office quickly got a new level of security
Outcomes in the first 90 days

- 54% reduction in IT Security Policy violations
- Identification of 2 rogue wireless devices
- Increase in customer satisfaction of the security officer force: the exact numbers are not in yet!
- Increased morale and attendance of S/O staff
- Hardening of camera servers, access control server etc.
- New team round table led to changes in the control room
Moving ahead

- Reporting incidents and risks in a combined format to identify risk in a more comprehensive manner
- Teams are working together to be creative and innovative in defining benefit opportunities
- CCTV storage moving to SAN infrastructure
- Maximize any opportunity to get the security message to the customer
- TRA’s are becoming more integrated
- Security Awareness training becoming more integrated
- Security training becoming more integrated
Convergence continues to roll out

- Integrating metrics collection and reporting
- Starting a security dashboard project for executive mgt. team
- Integrating investigations methodology in 2006/07
- Integrating Risk Assessment methodology in 2006/07
- CCTV deployment process integration
- Re-architecting physical security systems environment
Lessons learned

- Pick off the low hanging fruit to build team support and belief
- Successes must be communicated religiously to all levels of the organization
- Accept that not every part of each group is best converged, but try and work around it
- Start with initial discussion – benefits arise from resolving mutual challenges
- Take as much convergence as is right for the organization
Convergence: So far

- Convergence is generally led, not directed
- People have an easier time with enterprise wide risk than convergence
- Culture and training are the primary barriers to function integration
- Benefits
  - Costs
  - Risk reduction
  - Efficiency
  - Cycle time
  - Duplication
  - Recovery
Essential Components to Convergence

- Executive level sponsor
- Vision
- The courage to lead
- Change management
- Senior Management buy in
- Strategic Inventory of assets
  - $$
  - People
  - Technology
- Ability to leverage value created
Questions?

Dave Tyson MBA, CPP, CISSP
Senior Manager, IT & Physical Security
City of Vancouver
[email protected]
(604) 871-6147