
Security must embrace IT

27 April 2012

The convergence of physical and IT security is a product of our age, but some Facilities Managers and their organisations are not ready to accept or deal with this combined threat. An ISACA team of James Willison, Fred Kloet and Sarb Sembhi describe the problem and the first steps FMs need to take.

Security Convergence can be defined as a set of processes which brings together all those dedicated to security to protect people, information and property. In many organisations physical security and information security are managed by two separate departments. Organisations are increasingly vulnerable to blended threats, those that combine a physical and a technical element, and so it is absolutely crucial to be able to prioritise risks and respond effectively to threats to systems and their performance.

The awareness that people are able to exploit technology to their advantage has led Information Security leaders to join forces with traditional security professionals and develop strategies designed to combat these new risks. For some Facilities Managers this kind of collaboration is pretty familiar but for others it is not in their scope. However the benefits for all are clear, as the need for all areas of security to work together becomes more obvious. As those who wish to protect our organisations from harm it is vital that we prevent catastrophic damage to assets, both tangible and intangible.

Hence it makes good sense for a Facilities Manager to ensure that all areas of security are working together on Building Management systems, video surveillance and access control systems. Since he or she often has responsibility for the safety of the people on site, it is critical that these systems are secure and stable. Unfortunately the reality is not always as encouraging as we might like. Sometimes those responsible for security do not ensure the technical side is kept up to date, and the systems are corrupted. This may be due to malicious intent from an insider or to system failure. It is perhaps system failure which causes most concern to a Facilities Manager. If the Building Management system runs over the company network, then anything that disrupts that network, a worm, a misconfiguration or an unpatched host, can also disrupt lighting, air conditioning and life-safety systems, so the possibility of these being compromised is of great importance. IT security can ensure that the systems are patched and maintained with the latest updates. If they are not involved and the Physical security team is left to manage the system alone, there is a real danger that an accident could occur.

In addition to the obvious health and safety benefits there are many other advantages of a more holistic approach to security management. These range from significant cost savings, when a company uses its own IT resources and infrastructure rather than outsourcing them to third party providers, to faster response times achieved through effective communications in a crisis. With the formation of a single security function there could be up to 50% fewer meetings (the authors' estimate) and a confidence that all areas of security are now more effectively managed. A common line of reporting can be established that enables experts from each security area to examine vulnerabilities together and ensure all incidents receive the attention they deserve. As a consequence one report would be produced. This would help prioritise the most important risks and give a single view of key threats and vulnerabilities.

From a facility management perspective, convergence is about process integration and the search for effective collaboration between mental, physical and virtual facilities and facility services. Over the past 25 years facility management has grown from a collection of single services into an umbrella for business services. The profession evolved along the lines of Maslow's hierarchy of needs: security and safety are, like real estate, cleaning and catering, among the basic needs of individuals and organisations. Through a series of process integration steps the FM sector managed to combine the various views on safety and security coming from experts, industries, researchers and others. As 'integration' is at the core of what a facility manager does, security and safety expertise was included in each subsequent growth step. Because clients, customers and end-users always have an integrated question or complaint, their demand for convergence has always driven the integration of processes. This has led to the current phase: the integration of processes coming from the physical world (space and infrastructure), the mental world (people and organisation) and the virtual world (information technology and software). The graphic (Fig 1) shows this.

The European definition of facility management, EN15221, is very broad and holistic. Across Europe the history, culture, law, market structure and language are very diverse. As a result, aspects of and needs for security and safety can be found in a very wide range of facilities and facility services. One could say the European approach allows for a broader and more diverse perspective on where security convergence could start from. The starting point in today's facility management has become the requirement the 'community' demands. Some communities are more workspace oriented, others tend to focus on technology. What matters for facility managers is to understand the set of connections and the effects required of the facilities and facility services at play. If facility managers understand the culture of the community they serve, they will be able to analyse and develop the most suitable security convergence strategy. To help facility managers prioritise the most important risks and search for key threats and vulnerabilities, the EN15221 definition of facility management includes a matrix combining the various focal points of FM with the Plan-Do-Check-Act approach developed by Deming (Fig 2).

Engaging with IT Security Functions

There are several things that FM managers can do which will build trust and credibility with their colleagues in IT security (and equally there are things that IT security functions can do to build trust and credibility with FM colleagues). The end goal of both functions is to protect the business and its people, and the areas where they can work together towards that goal include the following:

- When considering new technology for any FM activity, engage with IT security professionals, as they may have the skills to research how vulnerable that technology would be alongside the rest of the technology currently used in the business. They may also have a better understanding of the likely pitfalls of going with one technology rather than another. For example, they may be able to tell you the difference between using wireless network technology (802.11 Wi-Fi) and analogue wireless broadcast technology (the same as that used by cordless home phones) in CCTV systems. There are advantages and disadvantages to both, and although your supplier will be able to explain them too, the supplier will not be able to tell you how easy each is for an attacker to access, intercept or jam. That risk is better explained by your IT Security team than by any supplier who is trying to sell you equipment to fit your (or their) budget.
- Once the technology has been purchased it is always useful to involve IT. Experience shows that installers of security-related technology often have only a few days of networking training, and even less in attacking and protecting equipment on a network. So, to ensure that a new installation doesn't introduce unintended vulnerabilities into the network, the more you work with the IT Security team the better.
- This close working is not just relevant for new technology; it also applies to new processes, as many IT security teams have experience in looking at security control processes from an attack/defence perspective.
- On a day to day basis, both teams should be sharing information with each other. This is not just about obvious breaches or attempted breaches but also about anomalies, such as a badge or logon event that does not fit the person's normal pattern. These should be shared whether or not they can be explained logically, since experience shows that they are often early signs of reconnaissance by attackers.
- Strategic meetings should also be high on the agenda for all teams responsible for security, to agree that the right things are being protected appropriately according to agreed risk management approaches. These will assist in strategic future budgeting, ensuring that you all get the best out of the budgets you have and, where appropriate, that budgets are combined.
- Further, there is a great deal of investigative expertise in many security-related teams, and there is much that can be learnt from each other.
Since this article is not about how to manage converged security management, the above list is just a selection of things that can be done. There is much more involved in effective Converged Security Management, and a possible topic for a future article.
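One concrete form the day to day information sharing in the list above can take is correlating the physical access records held by FM with the logon records held by IT. The script below is an added example written for this page, not code from the authors or from ISACA; the badge and logon records are constructed sample data and the event formats (a timestamp, a user and an in/out direction or a logon source) are assumptions. It flags three kinds of anomaly that neither team can see on its own: an on-site (wired LAN) logon by someone the badge system says is not in the building, a LAN logon by someone with no badge record at all, and an exit swipe with no matching entry, which usually means the person tailgated in.

```python
from datetime import datetime


def parse(ts):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the sample records (an assumed format)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed sample badge records (not from the article): (timestamp, user, direction).
BADGE_EVENTS = [
    ("2012-04-27 08:02", "alice", "in"),
    ("2012-04-27 17:31", "alice", "out"),
    ("2012-04-27 08:15", "bob", "in"),
    ("2012-04-27 12:05", "bob", "out"),
    ("2012-04-27 13:00", "bob", "in"),
    ("2012-04-27 18:00", "bob", "out"),
    ("2012-04-27 17:45", "dave", "out"),   # never badged in: tailgated?
]

# Constructed sample IT logon records: (timestamp, user, source).
# "lan" is a logon from a wired workstation on site; "vpn" is a remote logon.
LOGON_EVENTS = [
    ("2012-04-27 08:05", "alice", "lan"),  # on site, consistent with the badge data
    ("2012-04-27 19:10", "alice", "lan"),  # on-site logon after alice badged out
    ("2012-04-27 12:30", "bob", "lan"),    # on-site logon while bob was out at lunch
    ("2012-04-27 20:00", "bob", "vpn"),    # remote logon after leaving: expected
    ("2012-04-27 09:00", "carol", "lan"),  # no badge record for carol at all
]


def presence_intervals(badge_events):
    """Build, per user, the intervals during which the badge system says they were on site.

    Returns (intervals, exits_without_entry). An interval whose end is None is still open
    (the person has not badged out). An 'out' swipe with no open interval means the person
    got into the building without badging, so it is reported separately.
    """
    intervals = {}
    exits_without_entry = []
    for ts, user, direction in sorted(badge_events, key=lambda e: parse(e[0])):
        t = parse(ts)
        if direction == "in":
            intervals.setdefault(user, []).append([t, None])
        else:
            spans = intervals.get(user, [])
            if spans and spans[-1][1] is None:
                spans[-1][1] = t
            else:
                exits_without_entry.append((ts, user))
    return intervals, exits_without_entry


def on_site(spans, t):
    """True if t falls inside any badge-derived presence interval."""
    return any(start <= t and (end is None or t <= end) for start, end in spans)


def find_anomalies(badge_events, logon_events):
    """Cross-check IT logons against physical presence.

    Returns a time-ordered list of (anomaly_type, user, timestamp) tuples for the two
    teams to review together.
    """
    intervals, tailgates = presence_intervals(badge_events)
    anomalies = [("exit_without_entry", user, ts) for ts, user in tailgates]
    for ts, user, source in logon_events:
        if source != "lan":
            continue  # remote (VPN) logons are expected while off site
        spans = intervals.get(user)
        if spans is None:
            anomalies.append(("lan_logon_no_badge_record", user, ts))
        elif not on_site(spans, parse(ts)):
            anomalies.append(("lan_logon_while_off_site", user, ts))
    return sorted(anomalies, key=lambda a: parse(a[2]))


if __name__ == "__main__":
    for kind, user, ts in find_anomalies(BADGE_EVENTS, LOGON_EVENTS):
        print(f"{ts}  {user:<6}  {kind}")
```

Each flagged event has an innocent explanation (a shared workstation, a forgotten badge, a door held open), which is exactly why the list advises sharing anomalies whether or not they can be explained: the IT team cannot tell a forgotten badge from a stolen credential, and the FM team cannot see the logon at all.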

James Willison, Vice Chair, ASIS European Security Convergence subcommittee and Founder of Unified Security Ltd.
Fred Kloet, Director Villa FM, Partner PROCOS Group
Sarb Sembhi, ISACA Chair of Europe & Africa GRA Sub-Committee, and Incoming Thought Limited Director of Consulting Services.
