Does Security Matter?
Executive Summary
Security has historically been considered a tactical, if necessary, function of most organizations. However, a large number of changes in both the nature of organizations themselves and the environment in which they operate have, over the past several years, come together to make the implementation of an effective security solution a strategic consideration for the efficient operation of the organization, its competitive position and even its very survival.
Three areas in which the pace of change is particularly rapid are: the distribution of an organization’s value between physical and information assets; the scale, nature and scope of the threats to the organization; and the technology available for collecting, processing and communicating information. All of these changes have significant implications for an organization’s security.
In this white paper we review key security issues and assess their impact on the organizational security function. Our overall conclusion is that this dynamic security environment is leading to significant changes in organizational responsibilities, investment priorities and the utilization of shared infrastructure. We expect these changes to continue for a considerable period of time as the expectations for security, the threat environment and the technology available for security solutions continue to evolve.
While other elements of the organization may be undergoing similar changes, security is unique not only because of its impact on the integrity – and possibly the survival – of the organization, but because of the central role that the human decision-maker plays in the security function.
How an organization responds to these security challenges over the next several years will have a significant influence on the organization’s operational, financial and competitive performance. The approach to security will serve to differentiate organizations in the first decade of the 21st century.
Overview
In 2003, Nicholas Carr shook up the Information Technology (IT) world with an article in the Harvard Business Review (later a book) entitled Does IT Matter? Although worded provocatively, the question that Carr was asking wasn’t “Is IT important?”, but rather “Does IT serve to distinguish good companies from others?” While Carr’s analysis is not without its critics, he drew a number of illuminating conclusions from this open-minded approach to the question of IT value summarized in his overall assessment that “IT doesn’t matter.”
Three years later we would do well to ask the same question of security. When we do so, we conclude that, unlike IT, security does matter. It matters not because security is intrinsically more important than IT or financial processes or any of a number of functions that today’s corporations engage in; it matters because security today is in a great state of flux and those organizations that get security right are able to achieve and maintain a significant competitive advantage over those who do not.
In this whitepaper we will address why this is so – why security does matter and what the implication of this is. Specifically we will speak to what expectations are being placed upon the security function, how these have changed and what is likely to happen over the next several years.
Central to the conclusions we draw in this whitepaper is the observation that the security challenge has been expanding in many dimensions over the past five years and our expectation that that expansion will continue for a significant time to come. This expansion is both in the requirements for security – as a result of new threats and new vulnerabilities arising from the changing structure of organizations and changes in the environment in which they operate – and in the implementation of security – as a result of the information revolution and the commoditizing effect of shared digital infrastructure.
As a primary example, physical security and information security have developed independently in most organizations. This has typically led to separate, and very different, approaches to these two challenges. However, as an organization’s value shifts between physical and information assets and as both technology and economics oblige a greater use of shared infrastructure (such as digital networks), these two security issues necessarily become much more interdependent. While we can see the beginning of this trend, we expect the pace of change to pick up substantially over the next few years.
The choices that organizations make in meeting these challenges are strategically important. The operational and economic consequences of these choices will serve to distinguish leading organizations and will provide competitive advantages while, at the same time, shielding the organization from exposure to significant disruption or regulatory sanction.
While we will speak to specific technological and organizational issues, the essential conclusion of this whitepaper is that organizations today need a systematic plan for security that provides the basis for the technical, structural and investment choices necessary to establish and maintain a security environment that will meet the organization’s strategic requirements.
While technology plays a critical role in this process, security remains an essentially human endeavor. Many routine tasks can, and should, be automated, but the most critical security decisions will remain the responsibility of individuals because the highly innovative nature of threats precludes a meaningful ability to predict them and, therefore, automate a response. Because of this, we believe that a powerful decision-aiding system is a critical element in any systematic security solution. We discuss one such system (The EndPoint Security Management Framework) in Section 7 as an example of how technology can leverage existing assets to address the most complex security challenges.
In summary, all organizations can benefit from a strategic review of their security needs and a measured adoption of technology to address these needs. The existing organizational security function is in an excellent position to motivate this review and to lead the process to address, and even anticipate, evolving organizational security needs.
Background
“There is no security on this earth, there is only opportunity.”
General Douglas MacArthur
The systems, the technology and the culture of security and IT have evolved independently over the past several decades. In particular, electronic security as we know it today traces its roots back to dedicated analog systems that were developed to address the need for providing cost-effective control of increasingly complex facilities by managing the growth of guard forces and dedicated security personnel. As the demands and expectations for electronic security grew, the role of corporate security management emerged from its origins within the facilities management function and began to acquire a separate identity.
Over this same time period, the corporate IT function evolved significantly as well; but in a very different manner. By the late 1960’s, corporate IT was well-established as a significant functional, and cost, center within most substantial organizations. At this time, small organizations were unable to compete in the IT realm because of the prohibitive cost and expertise involved. Over the last three decades, however, IT technology developments have led to a substantial diffusion of the IT resources away from a tight central resource to a much more distributed IT environment, originally from the perspective of processing and applications, but increasingly today from a data perspective as well. While the IT organization retained a centralized purchasing and policy role, the services it provided increasingly became the networks and processes that permitted localized applications to function efficiently to meet corporate objectives. This transition actually happened in two waves; first the users moved into the network and, more recently, the storage has moved into the network.
Over the past several years, two separate drivers have begun bringing the IT and security functions of organizations closer together. The first of these is technical; the second, however, represents a basic change in the security function itself.
Networking
The technical driver is the extensive use of networks – especially networks using the Internet protocol (IP) – to replace dedicated point-to-point wiring and limited bus structures such as RS-485. Much of the early use of IP networking has been for video sources (cameras and DVRs), but networking has very wide application within security systems.
Some of the current uses of IP networking for security are much like those for IT a decade ago in which capacity and conflict issues led to strict partitioning or even replication of network infrastructures. The use of IP networks for video applications, for example, is problematic since these applications typically have high bandwidth requirements and can create many issues, particularly when the networks are shared with applications other than security. IT networks today, in contrast, are widely shared, highly flexible and dynamically managed to provide not only connectivity, but guaranteed quality of service to critical users. Very few “IP-based security systems” today have been designed to participate in these managed IP networks.
IP networks are typically thought of as local structures (Local Area Networks, or LANs), but they are also becoming the dominant protocol for use in truly distributed networks (Wide Area Networks, or WANs). One of the great advantages of IP networks is that, in many ways, it doesn’t matter what the network topology is; the procedure for using the network is the same. In the area of cost, however, it does matter whether one is dealing with LANs or WANs. The capacity of a network is primarily determined by its bandwidth. Most LANs today have a bandwidth between 100 Mb/s and 1,000 Mb/s, although legacy networks may have bandwidths as low as 10 Mb/s and very high performance networks can have bandwidths of 10,000 Mb/s. The cost of this bandwidth is quite low and is typically absorbed within the overall IT infrastructure costs. In contrast, the annual cost for a 100 Mb/s IP WAN is approximately $350,000. This cost disparity between LANs and WANs is the primary reason that most organizations provide only about 1% as much bandwidth in their WANs as they do in their LANs.
While use of LANs for security provides meaningful operational and economic benefits, many of the greatest advantages of IP networking for security in both areas involve utilizing both LANs and WANs. Only those security solutions that manage the use of the network bandwidth, therefore, can participate in the shared IP networks that are currently controlled by the IT community. While it could be argued that, for LANs, it is possible to avoid this integration by providing dedicated IP LANs for security, this approach is not practical for the WANs. It is, therefore, critical to design IP-based security solutions for compatibility with these shared networks.
It is interesting to note that the challenge of sharing IP networks with a new, high bandwidth user is not unprecedented. In fact, the greatest growth of networks over the past decade has been the result of the migration of storage out of server platforms and into the network. In this case, the added demands upon the networks were very severe, but the economic and operational benefits were shown to be high enough to rationalize the expansion of the network requirements in order to support this new functionality. IP-based security solutions will need to address similar issues over the next five years.
Information Security
If the first driver can be characterized as the need for IT and security to live together in IT’s house for economic and operational reasons, the second driver can be characterized as a growing realization that IT can no longer live without security – even if it chose to. There has been a great deal of attention focused lately on the vulnerability of IT systems because of the high concentration of information and the exposure of that information resulting from wide internal and external connectivity (brought about by the same networks discussed earlier). However, this is only one aspect of the rapidly expanding need for information security.
The historical separation of physical security (that is, security for tangible assets) and information security (that is, security for intangible assets) was manageable so long as most information assets also had a corresponding physical object. Thus, for example, when customer orders came in via mail or fax the loss of corporate ERP records was an issue because of the time and effort necessary to recreate the electronic records from the hard copy (physical) records. Many companies today, however, operate in a world of electronic commerce in which transactions have no physical records; in these cases, loss of the electronic records could be disastrous.
In a recent study, the School of Information Management and Systems (SIMS) at UC Berkeley estimated that 92% of the information created by business today is born digital; that is, it is created and used electronically without any physical source record. Clearly, securing these information assets is not optional; it is every bit as important as securing a company’s physical assets. The cost of information security has been increasing significantly over the past few years and, at the present time, as assessed by Information Security Magazine, averages 11% of IT spending across all organizations, ranging from nearly 20% for small IT organizations to 5% for large ones.
More recently, there has been a great deal of interest in what is being called the convergence of physical security and information security. What is meant by convergence varies widely, ranging from relatively simple incorporation of IT security monitors into physical security infrastructures to very sophisticated functions such as integrated identity management for both physical and logical access control.
Whatever its form, the growing interdependence of physical security and information security has provided the second key driver for bringing the security and IT functions closer together.