White Papers
       
  Does Security Matter? (continued 2)

The Changing Security Environment

Click for further information about this quotation
“It is when we all play safe that we create a world of the utmost insecurity.”
Dag Hammarskjold

Strategic Interest in Security

The security environment in commercial organizations has historically changed quite slowly. The pace of change has been limited not only by the conservative nature of most security professionals, but also by the maturity of the requirements that have been placed upon the security function itself. Additionally, security was historically seen as addressing limited tactical issues; this has led to a proliferation of a variety of point solutions (e.g. access control, fire monitoring, asset tracking) with little investment in the infrastructure that would permit an efficient integration of these functions. Over the past five years, however, security has emerged as a critical strategic issue for organizations that must be addressed much more holistically.

Traditional security systems have demonstrated the ability to meet specific security needs for many years. While it could always be argued that newer systems could provide additional functionality or could marginally improve efficiency, in most cases it was not possible to rationalize a significant capital investment based on these benefits. As an illustrative example, for a $400,000 capital investment to exceed an Internal Rate of Return (IRR) hurdle rate of 20% (a typical level for this type of capital purchase) it would have to produce annual savings equivalent to the reduction of one full time equivalent staff position. This is a relatively high bar in environments in which requirements are not changing significantly and the primary motivation for an investment is operational efficiency.

The security environment, however, has changed drastically over the past five years. A combination of world events, technological advancement and a natural concentration of business risks have served to elevate security to the level of a strategic imperative for many organizations.

Although the security risks resulting from the necessary use of the Internet by nearly all organizations has garnered a great deal of publicity over the past few years, most security threats (even to IT systems) still come from within and effective access control and physical asset management represent the first line of defense.

One example of the challenge organizations face today is that records that once would have literally occupied buildings now are routinely stored on a single disk drive that weighs less than one pound. Various techniques are used to provide access to this data and to protect the data against the failure of the disks, but these techniques invariably have the effect of producing multiple copies of the records distributed throughout the organization. Providing security for these multiple copies of critical data has proven to be a major challenge and this security is a major issue not just for operational management, but executive management and company directors as well.

Existing Security System Environment

Most security environments have evolved over a considerable period of time and use. They therefore represent a significant investment in both capital assets, training and operational experience. While many of these systems do not represent the optimal solution to today’s security challenges, they typically meet traditional security needs. Due to the time periods over which these systems were implemented, particularly within distributed organizations, they typically represent a collection of point solutions to site-specific requirements (access control, monitoring, etc.). The technologies in the systems have not been amenable to combining these individual systems into an integrated solution as, for example, as has typically been done with isolated IT systems, for either functional consolidation or operational efficiency.

Identity Management

From a security perspective, Identity Management (IM) has been an access control function that often reflects significant site-specific characteristics. Over the past decade, leading access control systems have incorporated highly integrated interactions with other personnel management systems (such as Human Relations databases) to IM in an efficient and effective manner. Over the same time period, IT systems have developed a, limited form of IM to control access to various elements of the information infrastructure. These two components of IM have historically not been integrated.

At the present time there are two important drivers that are obliging organizations to seriously address the integration of these separate aspects of IM. The first has already been discussed under Background: since the value of information assets in organizations far exceeds the value of physical assets, management has begun to demand the same degree of advanced management for information identity management that it has for physical identity management. The second driver for the integration of IM, at least in the US is HSPD-12 (Homeland Security Presidential Directive 12), which requires a comprehensive IM implementation with substantially new requirements for both physical and information identity management. This directive calls for an implementation by late 2006 by many agencies of the federal government and by those organizations dealing with these agencies.

By most accounts, IM is going to be the area in which the most significant new requirements for physical security are going to arise over the next few years.

Implications for Corporate Infrastructure

The location of the security function in most organizational structures reflects the tactical attitude that these organizations have had toward security. Security, however, has emerged as a strategic threat to organizations over the past five years. The level of expectation for security implementation has increased significantly and many organizations have elevated the executive security responsibility to a Chief Security Officer (CSO) who operates at parity with the COO, the CIO and the CFO. It is important to note that, while security is often characterized as the management and response to external threats, a recent survey by TheInfoPro™ found that 72% of corporate decision-makers considered that internal threats posed a greater challenge to the organization than did external threats.

At the same time, cost-effective implementation of new, highly consolidated security solutions will require that these solutions share corporate infrastructure with other critical functions such as IT. It is no longer a question of whether or not security can take advantage of resources such as networks, managed storage and communications nominally managed by other organizational functions, but rather where the optimal allocation of these resources should be from both an operational and a financial perspective.

Today’s Security Challenges

“As a rule, he or she who has the most information will have the greatest success in life.”
 Benjamin Disraeli

Security managers today, therefore, face a challenge shaped by a number of dynamics: some internal to the organization and others external; some reflective of the technical environment of the organization and others reflective of the security environment; some driven by organizational changes and a shift of resources or responsibilities; some representative of the growing recognition of the criticality of protecting information assets in a manner more consistent to that used for physical assets; but all driven by an overarching economic pressure to make most effective utilization of corporate infrastructure assets and to minimize on-going operational costs. At the same time, the recognition of security as a strategic requirement for the organization brings with it a expectation of greater functionality and flexibility than had previously been the case.

While it could be argued that this type of change applies to all significant organizational functions and not just security, the critical operational nature of security presents some unique aspects of the strategy necessary to accommodate the organizational and requirements changes. In particular, some of the changes arising from new technological options can make the core security challenge more – rather than less – difficult.

As one example, consider the ubiquity of video and, in particular, networked video (often called, inaccurately, “IP surveillance”). While it may appear obvious that the addition of high quality video significantly aids the process of security decision making, this is strictly only true in an environment free of constraints on critical resources such as bandwidth and human attention. In many practical situations, the addition of video can reduce the quality of service for other users of shared networks (including other security users) and distract, rather than enhance, the time-critical decision process. The issue isn’t whether IP video is good or bad for security but rather that the manner in which this technology is integrated into a security solution will have a dominant impact on its ultimate utility.

Video, in fact, is an example of a larger trend that security system architects face. With the profusion of digital networks and the economic imperative toward not only digital, but networked digital sensing, the amount of data that can be presented to the security decision maker in real time has expanded tremendously – to the point of saturating, and even overwhelming, the ultimately critical element – the human element – in the system. When viewed from a human factors perspective, there are two critical issues that must be addressed: the needle in a haystack issue and the tunnel vision issue.

The needle in a haystack issue comes from the fact that most of the time security sensors provide data that has very little important information. They occasionally provide data that has very important information but, unless it can be characterized to the security decision maker as such, it can easily be ignored or lost. This issue, of course, has been an element of security management for a considerable period of time, but the growth of cost-effective sensing technologies has tremendously increased the scale of the issue.

The tunnel vision issue arises from the scope of the security challenge. Effective resolution of security events often requires detailed analysis of very specific systems and records; at the same time, the response to an event must be made with full awareness of the context in which the event occurs. If the process of detailed analysis of events obliges the security decision maker to lose the context of the big picture context, those decisions will be at best sub-optimal and at worst invalid or ineffective.

One dimension of today’s security challenge remains unchanged; the need to make and implement critical, often unstructured, decisions in real time. Security analytics, therefore, are different from the analytics of other functional areas in the organization in that the timeliness of the decisions is of paramount importance. Technology has enabled us to increase the amount of data available for making these decisions and has increased the speed with which that data is collected, communicated and processed – up to the final stage of the process which is necessarily human decision-making. Unless we are prepared to utilize the available technology to enhance the effectiveness of this last step, we will have very little impact on the quality of the resulting decisions.

In summary, we are placing much higher expectations on security in terms of both scale and scope Security has new tools and technologies to support its implementation and, in many cases, the effective uses of those technologies require a much higher level of integration between security and other functional areas of the organization. The need to respond to new threats – both real and perceived – has led to a rate of change in requirements for security that is much higher that we have historically seen and, finally, we expect security to respond to all of these challenges in an environment in which the economic implications of the solution will be examined much more strategically than has been done in the past.

Continued on third page

 

  

 
       
 

Home

Company | The MAXXESS Difference | About Us | News | Technology Partners | Careers | Contact Us

Products
 Product Overview
 Event Management Software | eAXxess |ViewPoint | WebPoint | Badging Module
 Modular Event Management Software | eFusion | Modules | Access Control | Integrator | EndPoint | ViewPoint | eBuilding | WebPoint | RemotePoint | eTour | eROAM | Badging | High Availability Option
 Information Frameworks | EndPoint
 Hardware | eMAX Hardware | netEDGE | eRAM | BLP Processor
 Video Badging | Badging Software | Badging Printers | Badging Cameras
 Download Datasheets Download Page

Applications | Industry Solutions | Application Briefs | White Papers | Case Studies | Command & Control

Contact | Worldwide Sales | Support | Dealer Log-In

All content copyright © 2010 MAXXESS Systems, Inc.