Every business has an almost unending list of points at which its security is vulnerable to attacks of some sort, whether physical or technical in nature. The traditional method of dealing with these vulnerabilities was to task whichever department was responsible for a particular point to deal with it in the manner they thought best.
This way of thinking led to a silo approach to security, where everyone did their own thing, irrespective of what anyone else in the company was doing. And from a departmental perspective, it was sufficient since managers were sure their domains were safe.
Twenty-first-century criminals could be after a company's physical assets, its intellectual property, or even its IT infrastructure (which could hold critical information such as customer databases or new product information). Dealing with these threats in the traditional manner is not an effective solution, since a silo mentality always leaves gaps nobody wants to take responsibility for.
"The result of this approach was that companies have always been in reaction mode, waiting for the next emergency," says Richard Creighton, business leader at Honeywell. "Moreover, the silo mentality can have a negative impact on business culture, heighten employees' fear, reduce employee productivity and can be cumbersome and difficult to manage and maintain since nobody knew what their neighbours were doing."
Creighton suggests that the optimal approach is to develop an integrated solution that incorporates all existing security policies and processes under one central management interface. This 'integrated building system' would be managed by a single risk manager, who would be tasked solely with managing the corporate risk instead of focusing on security as one aspect of his/her department's responsibilities.
In this scenario, all security mechanisms would feed data through a common standardised layer of technology, which would ensure the data could be presented to the risk manager on a single graphical interface, or dashboard. In addition, because the data is in a standard format, it could also immediately be made available to the relevant IT systems (such as HR, to find out if a person is allowed access to specific areas or files).
"More importantly than standardising formats, this integrated approach will ensure that every security system the organisation has can be incorporated into the overall solution, whether it is a hardware device, controller or even permissions in the ERP (enterprise resource planning) system," explains Creighton. "When implemented correctly, this solution leaves no gaps in security and no place to shift the blame to since one person is ultimately responsible for all things security-related."
Integration also has other business benefits:
* It provides a safe and secure workplace.
* It maximises the use and control of resources.
* It puts the company back in control of its environment.
* It helps address cost control issues.
* It enables the introduction of digital archiving for security events and thereby enhances protection from litigation.
Creighton adds that the integrated system will ultimately extend beyond a particular building and will collect information from manufacturing plants, branches and any locations that need protection. The status of the broader enterprise will be immediately visible on the dashboard, with any anomalies immediately highlighted, be they security, environmental or whatever else the risk manager feels it necessary to measure.
"This proactive approach will raise the alarm before a situation gets to the stage of being an emergency, allowing the appropriate people to be dispatched timeously to resolve it," he says. "This means an alarm raised by a smoke detector will be as visible as an unauthorised attempt to access the company's accounting system. And the system will automatically know who the appropriate contact person or people are to deal with each situation."
For this type of solution to work, it is critical that the company appoints a single point of control. As noted, a generic risk manager is necessary because he/she will need to stand above the operational and tactical mindsets departmental managers must have if they are to do their jobs effectively. The risk manager will take a broader, enterprise view of the risks the company faces and design the appropriate policies and processes to make it happen.
The integrated enterprise approach will not only deliver better and more cost-effective security processes across the organisation, it will also enable better, more reliable security services at reduced costs. And that is the type of security business leaders want.
In future articles in this series, we will be taking a closer look at integrated security from the perspective of various departments within organisations, examining the changes they will be facing and the benefits integration will deliver.