Security Convergence - A Building Block of Enterprise Security Risk Management. Dave Tyson, MBA, CPP, CISSP, Senior Manager, IT & Physical Security, City of Vancouver.

Presentation transcript:

Security Convergence - A Building Block of Enterprise Security Risk Management Dave Tyson, MBA, CPP, CISSP Senior Manager, IT & Physical Security City of Vancouver

1
- 3rd largest city in Canada
- Services about 1.5 million people per day
- 10,000 employees
- 4500 computer users
- Home of the 2010 Winter Olympic Games
Departments: Police Dept. (VPD), Fire Rescue (VFD), Public Library, City Parks, Engineering, Community Services, Corporate Services, Community Theatres, Law & HR, Non-Profit Societies

2 My Background
- 23 years in security: 16 yrs physical security, 7 yrs IT security
- Certified Protection Professional (CPP)
- Certified Information Systems Security Professional (CISSP)
- Master's Degree in Business – Digital Technology Mgt.
- Member of the Professional Certification Board of ASIS International
- Advisory Board member for the Alliance for Enterprise Security Risk Management (AESRM)
- Member of ISSA, ASIS Int., ISACA

3 The New World
- The world is once again flat! ...or maybe round!
- Single dimension focus
- IP pandemic: Ethernet on appliances, cars, phones, tracking devices
- Global move to hold organizations accountable for security breaches
- But, at the enterprise level, new risks emerge: centralization, SSO, directory services

4 Interesting numbers
- Globally, 40% of organizations have IT/Physical Security professionals reporting to the same leader – PWC 2006
- % of organizations have some level of integration between IT and Physical Security – PWC
- % of on-line consumers are at least somewhat afraid of identity theft – ESG 2005

5 Convergence is a Strategic Activity
- Security is a weakest-link discipline
- People, processes and technology – these are about integration!
- It's about creating business value: reducing costs, reducing risk, reducing duplication

6 Convergence Defined
The integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.

7 Drivers for Change (Booz Allen Hamilton Survey)
- Rapid expansion of the enterprise ecosystem
- Value migration from physical to information-based and intangible assets
- New protective technologies blurring functional boundaries
- New compliance and regulatory regimes
- Continuing pressure to reduce cost

8 Changing Threat Paradigm for Physical Security Professions
- Physical security had been chiefly responsible for fraud, theft and harassment issues in the workplace
- New people in the organization are responsible for security "stuff" but may not have specific security backgrounds
- Threats are facilitated and enabled by the technology
- 2.1 billion cell phones (no security) and 850 million IP nodes in 2004. When these phones become addressable under 2.5G and 3G technologies, let the games begin: triple the size of the internet, with less security
- The average physical security professional knows very little about these issues at this time

9 What does this mean on the risk side of the equation?
What gets worse?
- Fraud
- Harassment
- Stalking
- Identity theft
- Phishing & pharming
- SPAM
- Viruses
- Delivery of spyware, Trojan horses and adware
What gets easier? What it takes to perpetrate these activities.

12 Docupen

13 Key Concepts of Security Convergence
- Both departments bring strengths to the table; those strengths must be capitalized on to address the inherent challenges in the other group's business
- IT Security has technical expertise but not large numbers of staff; physical security generally has the opposite. Both groups can benefit from each other!
- Convergence needs to be slow and measured
- Groups must start by first speaking a common language

14 Changes at City of Vancouver
- Interest in a shared services approach began the discussion
- Governance: changed reporting structure given my skills
- Risk Management: combined a primarily operational group with a more tactical group
- But many cracks existed in compliance, investigations, risk assessment, BCP and metrics
- Overshadowing unknown: 2010 Winter Olympics

15 Initial Integration Points
Strategic:
- Strategic approach
- Cost reduction
Tactical:
- Risk assessment
- Training
- Policy
- Security awareness & compliance
- Policy development
Operational:
- Geeks and guards working together
- Risk mitigation
- Weakest link

16 Initial Changes
- Trained the corporate guard force to assist in IT Security compliance reviews
- Equipped nightshift S/O (security officer) staff with new detection tools
- Began cross-training investigators with IT security analysts
- IT Security staff reviewed the security of the physical security department's technology
- ITS staff briefed new colleagues on what we really do and what information we store in our offices; our office quickly got a new level of security

17 Outcomes in the first 90 days
- 54% reduction in IT Security policy violations
- Identification of 2 rogue wireless devices
- Increase in customer satisfaction with the security officer force (the exact numbers are not in yet!)
- Increased morale and attendance of S/O staff
- Hardening of camera servers, access control server, etc.
- New team round table led to changes in the control room

18 Moving ahead
- Reporting incidents and risks in a combined format to identify risk in a more comprehensive manner
- Teams are working together to be creative and innovative in defining benefit opportunities
- CCTV storage moving to SAN infrastructure
- Maximize any opportunity to get the security message to the customer:
  - TRAs (threat and risk assessments) are becoming more integrated
  - Security awareness training is becoming more integrated
  - Security training is becoming more integrated

19 Convergence continues to roll out
- Integrating metrics collection and reporting
- Starting a security dashboard project for the executive management team
- Integrating investigations methodology in 2006/07
- Integrating risk assessment methodology in 2006/07
- CCTV deployment process integration
- Re-architecting the physical security systems environment

20 Lessons learned
- Pick off the low-hanging fruit to build team support and belief
- Successes must be communicated religiously to all levels of the organization
- Accept that not every part of each group is best converged, but try to work around it
- Start with initial discussion; benefits arise from resolving mutual challenges
- Take as much convergence as is right for the organization

21 Convergence: So far
- Convergence is generally led, not directed
- People have an easier time with enterprise-wide risk than with convergence
- Culture and training are the primary barriers to function integration
Benefits:
- Costs
- Risk reduction
- Efficiency
- Cycle time
- Duplication
- Recovery

22 Essential Components of Convergence
- Executive-level sponsor
- Vision
- The courage to lead
- Change management
- Senior management buy-in
- Strategic inventory of assets: $$, people, technology
- Ability to leverage the value created

24 Questions?
Dave Tyson, MBA, CPP, CISSP
Senior Manager, IT & Physical Security, City of Vancouver
(604)