Does Security Matter? (continued 3)
New Expectations – New Thinking
“A problem can't be solved with the same thinking that created it.”
Albert Einstein
Strategic Interest in Security
Most of today’s security solutions were designed to solve a problem that was qualitatively different from the one faced today. It requires new thinking to effectively address today’s security challenge.
The first aspect of the new thinking is a recognition that the security challenge today consists of an intimate blend of three elements. While the specifics will vary from organization to organization, the three primary elements for security are information management, real-time decision making and implementing a response based upon the decision. All three of these elements must be considered in order to implement a security function that will meet both today’s expectations and the emerging requirements for both enhanced functionality and greater operational efficiency. It is therefore essential to assess the implementations of technologies such as IP surveillance within the context of the whole security challenge to make conscientious investment decisions for security.
The second aspect of the new thinking is the relationship between security and the rest of the organizational infrastructure. Where it was once considered acceptable, even desirable, for security to be implemented as a standalone function, both the pervasive nature of the security challenge and the resources required to accommodate the real time delivery of the information required to make effective security decisions oblige a high level of integration with major organizational infrastructure. This integration with organizational infrastructure and other functional areas, of course, brings with it the risk of deleterious interactions – both on a technical and on an organizational level. These issues must be anticipated and managed on a pro-active basis in order to meet the operational and fiscal requirements of the organization. The cost of organizational turf battles is high; the result of attempting to avoid the integration challenges is highly sub-optimal implementations with both performance constraints and economic penalties. The leadership for this integration process may come from the CEO, the CFO, the CSO or the CIO but, in any case, it must have corporate-wide support to implement the necessary technical, operational and cultural change.
The final aspect of the new thinking is a recognition that the security challenge is to implement a process that can accommodate evolving security requirements and capabilities over a considerable period of time. Since the threat model is neither completely known nor static, security solutions need to be flexible enough to respond to both quantitative and qualitative changes in both requirements and expectations. Additionally, the continued development of an organization’s technical infrastructure means that objectives that cannot be technically or economically addressed today may become very practical as the supporting infrastructure evolves. As one example, wide area connectivity at ¼ T-1 bandwidth (roughly 350KB/s) was only economically viable for large facilities five years ago; today with DSL technology, this bandwidth is practical for even the smallest of facilities.
These three aspects can be summarized as:
- Consider the whole security challenge,
- Understand all of the implications of integration with the organizational infrastructure, and
- Recognize that the solution must evolve to adapt to changing requirements and environments.
The EndPoint Security Management Framework
Over the past several years, MAXxess has focused on analyzing the organizational security challenge in the context of emerging technologies, evolving corporate economics, new expectations for security and the new thinking on the approach to addressing this challenge. As a result of this analysis, MAXxess undertook the development of a security management solution that was responsive to both the evolving security challenges and the technical infrastructure available in a wide range of security environments. We called the new solution EndPoint to emphasize its role at the nexus of information, decisions and actions related to security.
The primary objectives of the EndPoint development were:
- Integration of traditional security and other data sources at the information level to minimize the complexity of accommodating a wide range of data sources from legacy security, fire detection and building management systems to information infrastructure systems such as ERP, CRM and IT security monitors
- Organic use of IP infrastructure, including LANs, WANs, organizational intranets as well as the Internet, not just for data transport, but as a source of contextual information
- Consistent, structured, virtualized, visual presentation of all information that is compatible with hierarchical management structures and that can be tuned to enhance human decision-making and minimize cross-training requirements
- Preservation of critical contextual information (situational awareness) from the highest to the lowest operating level of the system
- Distributed processing and information management architecture that permits affordable centralization of critical security management functions while minimizing bandwidth costs
- Ability to control, not just monitor, critical systems in response to events
- Capability to scale and adapt to accommodate evolving organizational structures
- Compatibility with redundant management, computation and communication architectures.
Equally important, the EndPoint development was focused upon producing a practical solution for a very broad range of organizations, so the implementation costs needed to be minimized by:
- A standardized, replicable software structure that can be configured, rather than redesigned, to meet unique organizational requirements
- Modularization of critical functionality and the ability to scale an existing implementation with little or no operational interruption so that configurations can be tightly tuned to immediate organizational requirements
- The ability to utilize standard Windows-based platforms for all computing requirements
- A minimization of the operational bandwidth requirements to accommodate distributed resources
The resulting solution, the EndPoint Security Management Framework, was introduced late in 2005 with its first operational installations implemented early in 2006. As might be expected, these early implementations have focused on the integration of traditional security (primarily, access control) systems with limited integration of auxiliary information sources. As these solutions evolve, we anticipate that they will expand their use of information sources external to the traditional security space to meet more sophisticated security requirements.
Most of the early EndPoint implementations are providing centralized management of a distributed security environment. While this need not necessarily be the case, the economic benefits of EndPoint are strongest in these distributed environments.
The purpose of this white paper is not to describe EndPoint in detail, but rather to use the EndPoint example to illustrate the characteristics of solutions that can effectively address today’s complex security challenges. Further information on EndPoint can be found at www.maxxess-systems.com.
Meeting the Expectations
“It is not necessary to change. Survival is not mandatory.”
W. Edwards Deming
Many organizations have demanding new expectations for security. These expectations are driven by real business imperatives and operational necessities and have become a critical element in the strategy of the organization. There are, in many cases, technological approaches available to meet these expectations, but a systematic solution environment is required to both address these expectations in an economically viable manner and to accommodate the continued evolution and growth of these expectations over the next several years.
The necessary changes are often as much organizational as they are technical. At the present time, it is rare for one function to have cognizance of the entire set of security requirements for the organization; for example, in most organizations the responsibilities for physical security and information security are currently split between the security function and the IT function. While it is clearly possible to extend the segmentation of security responsibilities to meet new requirements, the need for economic efficiency will drive a trend toward more integrated solutions. The home for these integrated solutions can either be within the IT function (which currently has control of much of the necessary technical infrastructure and some of the security budget) or the security function (which currently has the security mission, has control of major dedicated security systems and has some of the security budget). The organizational choice will often reflect the relative strength of leadership between these functions. In any case, the function that steps up to the new security challenge will necessarily impose on the charter of other functions in the organization.
While organizations will rationally strive toward meeting their new security expectations while minimizing both economic and organizational costs, the strategic nature of the security challenge ensures that they will accommodate those changes that are necessary to meet these challenges.
Executives who are currently charged with the organizational security function are in an excellent position to lead the change process necessary to enable the organization to meet its new challenges in this area. The extension of the security function into new operational and infrastructure areas is an unavoidable consequence of the need to address these challenges in a coherent and integrated manner. Alternatively, it is possible for other functional areas to step up to the integrated security function. In this case, however, it is critical that these functional areas adopt the full mission and culture of the security responsibility, not just the technical solution.
Summary and Conclusions – Security Does Matter
In summary, we come to the conclusion that, unlike Nicholas Carr’s assessment of IT, security does matter. It matters in the sense that an effective approach to meeting new security expectations will serve to differentiate organizations in the market over the next several years. Those organizations that do not step up to the new security challenges will place themselves at risk and will be exposed to the very real threat of the loss of significant assets (tangible or informational) or disruption or loss of operational functionality for a significant period of time which, in many industries, can be even more damaging. It also matters in the sense that the economic implications of how these challenges are met are significant enough to impact the organization’s competitive position in the market.
Technology is becoming available that will enable organizations to address new and emerging security requirements in a rational, affordable manner. In considering these technologies, however, it is critical to keep in mind that in security solutions, the major criterion for assessing these technologies is the degree to which they support the most critical and the most expensive component of the overall security function – the human decision-maker.
MAXxess Systems – March 2006