Taking Lessons from End Users, “Convergence” Rises from the Ashes


1 Taking Lessons from End Users, “Convergence” Rises from the Ashes
Bassam Al-Khalidi, Co-CEO and Principal Consultant, Axiad IDS. ISCW, April 6, 2017 (10:00-11:00am PT)

2 Convergence: A New Day
“Convergence”: what has changed; Why we need convergence more than ever; What went wrong; Lessons learned are the new benchmarks; IT & Corporate Security are in this together: Impacting success or failure; Issuance and personalization; Lifecycle events leading to success or failure; Policies; Bandwidth/Skills and Resources; From Understanding to Action

3 CONVERGENCE
Lots of buzz; Deployment teams didn’t embrace; Adoption failed; A negative experience for all; Skepticism abounds

4 ALIVE OR DEAD?
Is the convergence of physical and logical identity credentials just a relic of the past?

5 And the stakes are higher.
Convergence is NOT dead. We’ve learned many lessons. And the stakes are higher. The way it was delivered didn’t work. We’ve been listening.

6 A New Reality
We can’t ignore it. Convergence is NOT dead. We’ve learned many lessons. Align with Corporate & IT security needs and today’s risks. The way it was delivered didn’t work. We’ve been listening.

7 A lot has changed and the stakes got higher.

8 A lot has changed: The stakes are higher
No Industry is immune; Broader avenues of attack: Everything is connected (IoT), Mobile-everything, 24/7 web connections; Troublesome consequences; The Usuals: Brand | Financial | Identity | Legal; Auto (Engine and dash computer systems); Healthcare (Medical devices); New breed: Government (Cyber terrorism); Financial (Point of Sale)

9 A lot has changed: We need converged solutions more than ever
People AND connected devices must be protected…across the physical and logical spectrum.

10 Where did we go wrong?
IT had misconceptions: IT vision of ‘leapfrogging’ to a converged solution wasn’t achievable (software upgrades not the same for PACS); Functional silos led to security gaps; Issuance and personalization impacted. (Diagram labels: HR LEGAL IT SECURITY)

11 What round 1 taught us
Round 1 challenges and the corresponding lessons learned (lessons learned = new benchmarks):
1. Frustrated both Corporate Security and IT Security functions. Lesson: The experience of deployment team matters.
2. Gaps in Security (One size fits all; Piecemeal; Infrastructure not considered). Lesson: Must address gaps and frustrations (Customized; Comprehensive; Match skill set/resources).
3. Complex to install, upgrade, maintain. Lesson: Less complex – more manageable.
4. Inefficient lifecycle management. Lesson: Maintainable across the lifecycle.
5. Security business objectives not met. Lesson: Must achieve multiple business objectives (Reduced costs & inefficiencies; Improved controls; Compliance).

12 Elements of an Integrated Solution
SECURE EVERYTHING; MONITOR EVERYTHING; NOTIFY EVERYTHING

13 Recap: State of Convergence
New reality; Higher stakes; Affects all industries

14 IT and Corporate Security: Shared Concerns
Security: Reduce risk of breach; Cost-effective: Implement and manage a mix of user credentials; Flexibility: Choose from a range of assurance and authentication levels; Customized: Map to unique needs (protection, workflow, reporting, policies); Business value: Prove security to stakeholders; Compliant: Meet compliance needs and mandates; Unified: Approach as a single organization (HR, Legal, IT, Facilities); Efficient: Leverage limited cyber-expert resources and skills

15 Decisions Impacting Success or Failure:
Policies; Issuance & Personalization; Lifecycle Management; Bandwidth and Skill Sets

16 A New Vision for Issuance and Personalization
INTEGRATION: IT approach must integrate with Corporate Security reality; Credentials must be future-proofed to upgrade with Corporate Security changes.
ALIGNMENT: Must align with processes and procedures; must align with business objectives/compliance needs of organization.
RESPECTING FUNCTIONAL ROLES: IT and Corporate Security must each have control over day-to-day domains; Don’t want disruptions/ownership questions (provisioning/de-provisioning); Compliance needs differ; Each needs proper tools.

17 Lifecycle Management Impacts Success or Failure
FUTURE PROOFING; ASSESSMENT; Is the platform extensible?; Understand current situation and future needs?; ENABLEMENT; METHODOLOGY | PLANNING; Have all uses been considered? the door wasn’t fully analyzed . . not fast enough); Strategy - use best-of-breed products or single solution?; Bandwidth/skill set – host in-house or prefer hosted solution?

18 Converged Project Approach
BUSINESS ANALYSIS; OPERATIONAL ASSESSMENT; PROGRAM DEFINITION; DEPLOYMENT; ONGOING SERVICES

19 Policies and Compliance
External Policies: HIPAA, 800-53, PCI; Internal Policies: Access rights, permissions, data retention etc.; Obtain Support: Across all stakeholders; Find Balance: Realize ties between internal and external - what’s achievable; Enforce Policies: Deploy solutions. Internal training

20 CONTROL
Access Control; Awareness and Training; Audit and Accountability; Identification and Authentication; Configuration Management; Incident Response; Maintenance; Media Protection; Personnel Security; Risk Assessment; Physical Protection; Security Assessment; System and Information Security; System and Communication Protection

21 From Understanding to Action
STILL NEED to refine. Understand the benefits of a converged approach and position it to your executive team. Determine the effort and investment required for your organization. Look at the value vs complexity of a converged program and understand trade-offs for your organization. Map out a phased approach on the back-end. Embrace best practices that help ensure success, and avoid common pitfalls that undermine projects.

22 Thank You

