Security Managers

Point of View

Security Managers: Your Livelihood Is at Stake Increasing Business Relevance While Improving Security Effectiveness By Chuck Adams, Business Resiliency Practice, and Joanne Bethlahmy, Retail Practice, Cisco IBSG

When the economy turns south, so does the professional well-being of security experts—if they aren’t able to reinvent themselves. In these times of economic uncertainty, it is imperative that everyone deliver maximum value against organizational objectives. Security personnel (physical and cyber) are no exception. Even though security spending is expected to remain strong due to evolving threats and anticipated compliance challenges,1 security organizations continue to be viewed solely as protection or loss-prevention mechanisms. Often they are considered a “necessary evil” with little value to the organization beyond security.2 This is especially true when they struggle to keep pace with industry trends and business strategies. These continuing perceptions put security resources at risk. Additionally, leadership seldom consults with the security team for new market opportunities or insights on increasing organizational efficiency. Recent developments in the security realm, however, begin to paint some interesting possibilities. Trends of particular interest are the migration from analog to digital for video surveillance, the innovation explosion in video analytics, and the convergence of traditionally isolated security functions onto a consolidated, connected platform. More interesting than any of these single-dimensional trends, however, is what they represent when converged into a consolidated risk-management function. This possibility is far beyond merely protecting and preserving assets. There are numerous applications for intelligence that can be garnered from the next-generation unified risk-management function. The possibilities are enormous and have the potential to extend throughout the value chain for every business, operation, and industry across the globe. This paper illustrates some of these possibilities.

Security Market Is Fragmented and Confusing First, it is important to understand that the security industry has existed as long as “distrust.” Some say the industry had its beginnings in the days of Judas.3 Although the vast majority of people claim to know very little about this industry, those same people employ security mechanisms hundreds of times a day. Everything ranging from seat belts and airbags to bicycle helmets and business contracts are mechanisms that relieve some level of risk.

Cisco Internet Business Solutions Group (IBSG)

Equally, cyber security was not created when Al Gore “invented the Internet.”4 The Internet and associated technologies are simply another communication medium that must also be secured. Security technologies are simply those that offer advantages of task and control automation for protecting information. It is the use of the information within the systems, however, that is often the cause of security issues. Initially, security will always be valued as supplemental to the information required by core functions. But as security practices become accepted, it is reasonable to expect they will be absorbed into the core functions themselves. By contrast, both cyber and physical security industry organizations continue to be myopic in making security investment decisions. Buying decisions are seemingly made in a disjointed manner with little consideration for interoperation or alignment with overall organizational objectives or risk-management strategies. These decisions tend to be emotional and reactionary, following a process that often is referred to as “management by magazine.”5 This occurs when a CIO or CEO happens to review the claims of the latest security product in an airplane magazine and subsequently gives the article to his security leader. Next thing you know, another disparate product is deployed, more money is spent, and the protections are no more effective at combating the real risks. Even most industry analysts—objective experts at tracking market trends—tend to follow only select segments of the security marketplace. Analysts define cyber and physical security as separate industries, and cover them as such. This is ironic for two reasons: (1) the industries have more similarities than differences, and (2) when combined, these industries represent one of the most interesting investment opportunities, with one of the best growth records.6 In effect, the analysts’ segmented focus continually pits various security and risk- management organizations against one another. They are essentially competing for the same dollars and, in some cases, duplicating resources. These disparities result in even more market fragmentation and confusion about who is doing what to protect the organization. Libraries of methods and best practices to protect and preserve physical and cyber assets already exist. The overall physical security market was estimated at roughly US$170 billion7 in 2007. The same report estimates that services make up about 45 percent of this market. This means the global spend on services such as assessments, patrol guards, viewing of video surveillance monitors, intelligence collection, integration, evidence analysis, and investigations support totals about $75 billion, with products and technologies representing the remaining $95 billion. This spending, however, seems to have had little effect. Global cyber security expenditures have topped US$20 billion8 yearly, yet losses associated with cyber security attacks exceeded US$1 trillion in 2008.9 For a physical security analog, simply look at the September 11th experiences. Although U.S. spending exceeded $329 billion10 for national defense in 2001, the country remained vulnerable to situations that resulted in thousands of casualties and untold economic losses. In addition to causing concerns about professional well-being, economic uncertainty also creates a need for organizations to make timely, high-impact decisions. These decision- making processes are often emotionally charged and seldom based on ideal information. For most technology-enabled organizations, this information probably exists in some form

within their technologies. But for some reason, it is not produced in a manner that enables this decision-making process. While much innovation is occurring in the areas of data analytics, the inability to collect and analyze data is the root cause for many of the challenges organizations face today. These dynamics lead to the conclusion that we are doing something fundamentally wrong in security; our investments are of questionable value, and the traditional security framework must change. If it doesn’t, confidence in the security industry will surely wane, placing all security resources in a position of professional vulnerability.

Security Organizations Are Skilled in Data Collection and Analysis As described, the security industry is both complex and confusing. There are no magic wands—just a lot of hard work that requires vested leadership, focus, and strong convictions. It is solely up to security leadership to determine the right strategy, define objectives, and choose which products and services are most important to accomplish their objectives. They must also continuously manage inaccurate perceptions between the current security posture and worst-case scenarios, while continuing to justify investments and build credibility for security. Security technologies continue to evolve to fill gaps in the existing “problem-scape.” But the security group’s ability to use them to benefit the business remains the key. When security issues occur and resources are impacted, organizations lose productivity, resource availability, and, potentially, brand value. These issues—physical or logical—have the potential to detrimentally affect the resources on which an organization relies to deliver against its objectives. Therefore, all risks to the organization must be evaluated in a manner that assures a level of resilience aligned with organizational objectives. Mature security organizations thrive when challenged to find the proverbial “needle in a haystack.” Their data collection and analysis methods, when oriented to problems being considered by leadership, can deliver considerable value. Additionally, the digitization and networked ability of next-generation video surveillance technologies create the opportunity to enhance the quality and volume of information available for analysis. This approach also introduces potential enhancements and efficiencies that can be achieved by consolidating security resources across physical and logical functions. With the advent of IP video, physical security can surely benefit from traditional cyber security analysis methods, and vice versa. Organizations must work closely together, share models, and integrate their functionality to complete the overall risk-management picture. But the most significant opportunity for security is somewhat hidden in the implications of these technology trends. Keep in mind the estimated annual size (about US$75 billion) of the services portion of the overall security market as it begins to define the opportunity for thinking a little differently about the security organization. The most interesting and closely related technology trend is the migration from analog to digital for video surveillance. When you couple this with the innovations concurrently occurring in video analytics and the ability to store and retain digital video on a standard, open communications platform, you have the ingredients for transformation. Digitization of video surveillance cameras and advances in encoding and compression enable distribution and storage of video on a data network. In

turn, this unlocks the potential to develop codified, automated analysis that emulates tasks previously left to humans. At a glance, the efficiencies of digital video and automated analytics are extremely attractive, as is the potential for reducing the need for certain security resources by consolidating resources across physical and logical security functions. This would be true if everything else stayed the same and organizations simply automated video analysis. But history suggests something different is required to keep pace with the industry and effectively combat new and evolving threats. These efficiencies present an ideal opportunity to redefine the way security dollars are spent, to enhance risk management effectiveness, and to boost the value of security to the rest of the organization. Organizations currently employing video surveillance as a detection and prevention mechanism can essentially exchange traditional service budgets for more comprehensive and effective video surveillance. Doing so, in a manner designed to realize a vision of unified risk management, will assure a significantly improved, more resilient risk posture. Knowledge is power. When the unified risk-management vision is achieved by consolidating traditional security functions (such as identity, access control, surveillance, and cyber security), the result is a single information-harvesting and analysis center. This security organization, due to pre-existing processes for data collection, management, and analysis, is uniquely positioned to become an executive intelligence powerhouse.

Security Organizations Must Evolve Security organizations must become more integral and pervasive. Fault for historic performance primarily rests on both the perceptions of security management and on the security function’s ability to manage these perceptions with accurate, actionable intelligence aligned with mainstream operations. For security to become more effective, influential, and relevant across the organization, it must begin to act in an all-encompassing manner. All traditional security functions must evolve toward a consolidated, unified risk-management function. When something unexpected happens that negatively impacts the organization, security leadership must take accountability and work to improve the processes. Organizations must learn to hold security accountable for awareness and continuous improvement. Conversely, they must also seek insights from security for problem solving. This is best accomplished by initially working with peers and leadership groups to redefine an organizational resiliency strategy. Security leadership should oversee development of an all-encompassing unified risk-management strategy aligned with all functional areas to accomplish core organizational objectives and to preserve the confidentiality, integrity, and availability of critical resources. The strategy must empower the unified risk-management function to consider all potential hazards, focus on measures that control the impact of events, and produce timely insights for strategic decision-making, regardless of the source of intelligence. While working with leadership to define the strategy, it is important to understand, accept, and inform others of the limits of the security leadership position. Security leadership often assumes too much responsibility. The role is not designed to control risk single-handedly, but to educate the organization about the risks resulting from decisions and the implications

of those risks. As credibility and influence rise, the ability to proactively influence decisions will also increase. Also important is the development of new methods of meeting or exceeding the organization’s current risk-management expectations, and of gaining organizational consensus regarding their necessity. Once a consolidated strategy is defined, every dollar spent must be scrutinized and maximized, with a laser focus on interoperability and the ability to feed appropriate analysis methods that turn data streams into actionable information for more accurate, unified, risk- based decision-making. To realize this vision, all security mechanisms must be designed and implemented in a manner that is consistent, follows industry standards, and is conducive to cross-technology analysis methods. They must also generate alerts when issues occur, regardless of the device responsible for detecting the event. Additionally, processes designed to control behaviors and/or respond to issues must be synchronized to enforce common policies, whether they are physical or logical. Security leadership should also begin to educate the organization on the vision and significance of unified risk management. It must start to redefine expectations of security to prepare for the transition to broader information collection and analysis. Additionally, security leadership must determine the requirements of consolidating the physical and cyber security functions. Budgets should also be closely scrutinized to determine the ability to introduce technologies that offset the need for select service expenses. This must be executed carefully, as any alterations to the existing capability will directly affect the current risk profile. One candidate for analysis—due to recent innovations in video surveillance and analytics—is the area of video surveillance monitoring. This is true regardless of whether surveillance functions are conducted in-house or externally. Monitoring of service practices should be assessed for accuracy of detection, reliability of dispatch, and alignment with unified risk-management objectives. These results should be closely compared to those achieved by technologies in an effort to decouple select services and replace them with appropriate technologies. This action will subsequently enable the repurposing of budgets to continue the overall risk-management unification process.

Moving Beyond Security Because digital video camera surveillance and embedded analytics can be a major investment, it may be difficult to justify a purchase based solely on “prevention.” The potential uses for video analytics, however, go far beyond traditional security. Digital surveillance camera investments can now be translated into revenue and profit. Major retailers, hotel chains, transportation companies, and other consumer service organizations are starting to employ video analytics to track customer traffic patterns to improve operational efficiencies, increase promotional effectiveness, and deliver better customer service. Among other applications, video analytics can monitor queue lines at cash registers and indicate how long customers are waiting to be served; observe customer movements in a store, casino, or airport to enable improved product or display placements; monitor out-of- stock products on shelves; or measure the effectiveness of digital display advertising. Alerts can be sent to correct situations in real time; analytics can calculate the ROI of changes to staffing or promotions; and employees can be observed and trained.

Security executives should become familiar with the breadth of uses for video analytics and present these opportunities to operations, merchandising, or marketing. By demonstrating value and relevance to the core of the organization, security can increase its influence and improve the business case for a proposed digital camera investment.

Conclusion Every risk decision-maker and security manager should begin to evaluate the overall risk- management model and prepare to transform his or her role and organization. This can be accomplished by taking the following steps:

● Evaluate the benefits and advantages of networked, digital video surveillance for detection, and to enable digital, automated analytics

● Transform displaced service budgets into funding allocations for unified risk- management consolidation programs

● Consolidate physical and cyber security resources

● Transform risk-management procurement processes and purchasing criteria to focus on interoperability and alignment with the unified risk-management strategy

● Become familiar with uses of digital video surveillance analytics beyond security to enhance core company operations and gain additional financial justification for investment

Endnotes 1. Homeland Security Research Corp. (HSRC) report, “Global Homeland Security, Homeland Defense & Intelligence Markets Outlook 2009-2018” (launched in November 2008). 2. Information World Review, Martin Courtney, IT Week, June 2007 (quoting Accenture survey). 3. According to the Bible, Judas was one of Jesus' 12 disciples. When Jesus arrived in Jerusalem at the end of his ministry, Judas went to the chief priests and offered to betray him for 30 pieces of silver. 4. In a 1999 interview with Wolf Blitzer, Gore said, "During my service in the United States Congress, I took the initiative in creating the Internet," which was subsequently misquoted prior to the 2000 presidential election. 5. Phrase coined by Harry Starkman, IBM sales engineer, 2000. 6. Security services and equipment stocks outperformed the market every year except one over the last six years; 2007 Security Industry Annual, Lehman Brothers, November 2007. 7. 2007 Security Industry Annual, Lehman Brothers, November 2007. 8. Global estimate developed by gathering projections across major market segments of content and network hardware and software security, VPN, and services. Source of information is InfoWorld, Infonetics, and Gartner articles published in 2007. 9. “Unsecured Economies: Protecting Vital Information,” McAfee, January 2009. 10. Report published by Homeland Security Market Research, February 2006.