Security Convergence, the Time is Now?
By: Andreas Immanuel Mulianto, SKom, MM, PMP, PSP
IP-based CCTV systems have been around for some time, and it now seems that IP-based CCTV will become the de facto standard, especially for business locations. It is now difficult to find new large-scale installations of analog CCTV; analog CCTV is mostly offered only for residential installations, which are consequently smaller in scale. All of this technology requires the Security department to interact more closely with its colleagues in the IT department. This paper discusses that interaction: IT professionals are usually not exposed to physical security, and security professionals usually lack the deep understanding of IT infrastructure that is required to build a solid, well-thought-out physical security system. Convergence itself will happen naturally, driven by the “imperatives” of the market, and an organization needs to learn what kind of convergence is happening.
At recent exhibitions such as IFSEC London 2015, most if not all vendors offered IP-based CCTV as their main product line. Large vendors such as Bosch and Pelco are now switching their specialty CCTV cameras (e.g. explosion-proof models), previously available only in analog, to IP. This shows that physical security is converging with IT-based security, and the consequence is obvious: security professionals who usually focus on the physical aspects of security now need to learn the other side, the technological aspects of security. This is not easy, because most security professionals come from a non-technology background, so their organizations usually ask the IT department to assist with security system deployment. ISACA (2006) found that, for a variety of reasons, the individuals with the best knowledge and skills needed to integrate security systems into the IT infrastructure, or to protect those systems, have frequently not been involved in decisions about purchasing, implementing or managing such systems and devices. IT systems personnel responsible for system management, networking and change processes are often not consulted when physical security systems are added to the IT infrastructure. The Security department should therefore work together with the IT department to offer converged solutions.
Bernard (2011) notes that convergence continues to evolve, and distinguishes between technology convergence and organizational convergence. Technological convergence is where voice, data and video devices and systems interact with each other; it requires a cabled and wireless communication infrastructure with enough bandwidth to carry the increased data throughput. The second type, organizational convergence, aims to integrate IT and physical security. Bernard illustrates this by pointing out that IT security protects information just as physical security does, so organizations should include both at the same time when planning their information security.
Booz Allen Hamilton (2005) argued that there are five distinct imperatives that are driving security convergence and will continue to affect companies across sectors and geographies: (1) rapid expansion of the enterprise ecosystem; (2) value migration from physical to information-based and intangible assets; (3) new protective technologies blurring functional boundaries; (4) new compliance and regulatory regimes; and (5) continuing pressure to reduce cost. Figure 1 describes the five imperatives.
The enterprise ecosystem is rapidly expanding as businesses implement new technology and practices, creating more complex organizational structures. For example, as many companies turn to third parties to reduce cost by outsourcing, they add another organizational layer. Sharma (2004) found that about 73 percent of North American companies outsource some IT function, creating external business partners globally. Enterprises must now consider the integrated security implications of outsourcing specific functions to other companies and of managing alliances to create competitive advantage. In Chevron, we outsource our SAP and JDE support to India. We also outsource our security guarding to security service companies. However, we have no experience of outsourcing our security technology to an external party. In this case, we work closely with our colleagues in the IT department to implement security technology solutions, and it will be interesting to find a well-struck balance. Our experience showed that IT professionals master IT-related matters but do not focus much on the appropriateness of the location, or even the types of equipment installed. I had an interesting experience when I was still working for the IT department and was asked to install CCTV cameras for security purposes. I did not consult the Security department but just focused on the IT technical matters of the project, such as bandwidth, servers, storage, cabling, network devices, etc. I only contacted the Security department when we were about to finalize our installation. They were quite furious about this, but there was not much they could do. They asked questions about the placement of the cameras, the type of camera (standard or thermal), lighting conditions, etc. I told them that we had not assessed that, and just continued with the installation. In the end, they were proven right.
Those cameras are only 50% effective at best, because at night we don’t have enough lighting, and even when we do, there is fog (it was a geothermal plant on a mountain). I learned my lesson the hard way. Ideally, the two parties (Security and IT) would always consult each other and create a relationship of symbiotic mutualism. It would also be ideal to have multi-skilled security professionals, as suggested by Varöga (2008); such a professional needs to be ready and capable of filling various roles, responsibilities and functions.
Companies’ assets are now increasingly information-based and intangible, and even most physical assets rely heavily on information. For example, manufacturers depend on receiving specific information from suppliers before the production of physical products can commence, so the security of this information is vital to the development of the physical products. In Chevron, we rely heavily on SCADA technology to control the process control networks of our oil and gas operations as well as our geothermal operations.
Technology is also now allowing companies to offer more information products. News services and research companies, for example, provide nothing but information to their customers. They must ensure the security of information not only delivered to their customers but also received from their suppliers. As these assets become increasingly intangible, there is a greater need to integrate physical and information security, and to integrate security throughout the entire enterprise.
Figure 1 Imperatives
New security needs are blurring functional boundaries inside an organization. For example, physical access control technology is now merging with network access technology, requiring physical and information security groups to integrate their strategies. The smart card is an example of a technology that integrates once disparate parts of security, by verifying a person’s identity and tracking his or her physical location. Chevron has been using smart card technology from HID for many years. We use our smart card (which we rebranded as the SmartBadge) as both a physical access card and an information access card: the same card gets us into our offices all around the world and logs us in to our computers.
As new threats emerge and business transactions become more intricate, adherence to regulations and compliance guidelines becomes more complex. For example, Sarbanes-Oxley provides a framework under which risk must be assessed, but falls short of mandating how to assess that risk. Such laws only serve as a baseline for security professionals, setting minimum levels that must be met. This complexity places demands on managers’ ability to be forward-sensing when assessing an enterprise’s security needs. In Chevron, since Sarbanes-Oxley came into effect, we have been working with our internal auditors to find and share best practices that can be used to improve our compliance.
Enterprises will always grapple with balancing risk/reward trade-offs. As risks become increasingly complex, enterprises must take a systematic, pragmatic approach to security that makes the most of their resources while adequately managing risk. In an era of rapidly changing risks, efficient allocation of security resources requires a risk-based approach and greater transparency about the security strategy.
As argued by Booz Allen Hamilton (2005), security convergence is pushing companies to look beyond functional dimensions to include all parts of the security and business life cycle, creating a need for a unified security framework. The study indicated that a framework for converged security must incorporate the handling of, and recovery from, a security incident. Appreciating this transformation can significantly increase an organization’s competitive advantage; two prominent examples concern cost and people leverage. Cost advantages can be realized by migrating security from a cost center to a value-adding function: reducing costs, providing cost efficiencies and achieving certain cost avoidances. People advantages can in turn be realized by transforming narrowly focused functional security staff into broad-based, multi-disciplinary business assurance agents, with an impact exponentially greater than the mere sum of the individuals.
Booz Allen Hamilton (2005) found that the public and private sectors also realize that security convergence is necessary in the current dynamic environment, and are investing resources to integrate security. In 2005, the private sector in North America and Europe was expected to spend more than $300 million on convergence efforts.
Purpura (2013) argues that the advantages of converging IT and physical security include enhanced data, remote monitoring, less travel time and fewer expenses. Disadvantages include a virus that may affect physical security when a single server is shared; downtime (from various causes, such as maintenance, a threat or a hazard); and an organization’s bandwidth reaching its limit under the demands of video surveillance. IT specialists in organizations are playing a larger role in physical security decisions, because they want to ensure that physical security technology is compatible with the network. An organization’s physical security purchasing decisions are often made by a committee of personnel from security or loss prevention, IT and operations, and this is the case at Chevron as well. We ensured that we had complete perspectives from all parties, such as Security, IT, Operations and other relevant functions, on the Decision Review Board for our security projects. This ensures that we have captured all the important considerations, and it also gains greater support from everyone involved.
It is hard to deny that IP-based CCTV will become the standard. But this is only a small part of a bigger story: information security and physical security are converging, and not only because manufacturers are pushing it, but mostly because of the imperatives of security convergence (rapid expansion of the enterprise ecosystem, value migration from physical to information-based and intangible assets, new protective technologies blurring functional boundaries, new compliance and regulatory regimes, and continuing pressure to reduce cost). In other words, convergence is unavoidable. Many organizations have realized this and have been investing in security convergence efforts. It is very important to note that while convergence is happening on the technology side, we also need to be aware of the importance of convergence on the organizational side. The Security department will need to involve the IT department in its security projects. With the passing of time, security professionals will be more and more exposed to the technology side and will gain more and more fluency in it. It would not be surprising if, in the future, one of the requirements for recruiting security personnel is an understanding of information technology, in other words what is simply called multi-skilled security personnel.
References
- The Alliance for Enterprise Security Risk Management (2006). Convergent Security Risks in Physical Security Systems and IT Infrastructures.
- Axis Communications (2010). Total Cost Comparison Study of Analog and IP-based Video Surveillance [pdf]. Available at: http://www.axis.com/files/whitepaper/wp_cost_comparison_41264_en_1012_lo.pdf
- Bernard, R. (2011). The State of Converged Security Operations. Security Technology Executive.
- Booz Allen Hamilton (2005). Convergence of Enterprise Security Organizations.
- Garcia, Mary Lynn (2001). The Design and Evaluation of Physical Protection Systems.
- Lasky, Steve (2013). The turning point of IP video’s tipping point. Security Info Watch, 9 August. Available from: http://www.securityinfowatch.com/blog/11081025/ip-video-revenue-expected-to-surpass-analog-by-2014 [Accessed 12 August 2015].
- Norman, Thomas L. (2014). Integrated Security Systems Design: Concepts, Specifications, and Implementation.
- Purpura, Philip (2013). Security and Loss Prevention: An Introduction, Sixth Edition. Butterworth-Heinemann.
- Vargöga, Roland (2008). Personal Protection Strategies and Tactics 101. Lulu Enterprises UK Ltd.