When Should You Upgrade a Legacy Security System?


Three main drivers compel an organization to upgrade or connect legacy systems. Organizations make changes when they need to save money, reduce risk or be in compliance with evolving regulations. Just one of these factors can have an effect on the organization as a whole, which is why the role of the security manager is ever-changing. Security technology is also always changing. Security is playing a more critical and broader role in organizations than ever before. As a result, security managers are challenged to think creatively, engage with other departments and balance their existing technical infrastructures with today’s cultural expectations of tightened, yet frictionless security.

How has the security industry changed?

In the distant past, security frequently reported to the facilities department. Occasionally there were dedicated security teams, but they rarely interacted with departments outside of their own. Today, legal, finance, IT, cyber and human resources have a vested interest in security operations. Much of that interest is driven by a need to meet compliance policies and the relationship that each department has in that compliance process. Some of that interest is due to a better understanding of how the security systems we use today may impact their departmental operations.

An example of this is a physical identity and access management system. In large organizations, the onboarding and offboarding of employees, contractors and vendors can be extremely difficult. Many people are involved in approving building and secure area access, all working in different departments at different locations, each with their own process and requirements. No single individual has all the knowledge to ensure that the right people have the right access to secure areas at the right time and have the skills and/or certifications to prove it. Granting access often entails multiple emails and phone calls across the organization, and it can take days for a new employee to get an access card. All of these manual, disjointed processes bog down the organization in emails, running reports and endless data entry. They also inherently introduce risk to an organization because humans are simply human and make mistakes.

Today, a physical identity and access management system streamlines operations, increases efficiency and manages identities seamlessly. Automating on- and offboarding and implementing a distributed model throughout the organization make turnaround times faster and bring less risk. When a new employee is hired, the HR system acts as the authoritative data source, and the physical identity and access management system will initiate the approval workflows and automatically provision the employee record into the access control system with confidence that it is accurate and compliant. What used to take days now takes minutes.

As the economy has grown, we have seen an increase in merger and acquisition activity. Multinational companies are buying smaller companies and expanding into new markets. The security manager’s job is now more complex than ever. Tasked with managing the entire security program, the security manager is now faced with the difficult task of having to consolidate different types of security technology, such as multiple access control, video, audio, intrusion and incident management systems. Often these systems are stand-alone. They do not communicate with one another, much less communicate with systems already in use at the parent company. In recent years, this has been especially true in the health care industry, where large health care organizations have bought local hospitals. In the data center industry, larger companies have bought smaller data storage facilities. In the utility sector, there has been a trend towards consolidating utility plants. When legacy security systems are upgraded and connected to one another, physically or operationally, companies can manage the security programs efficiently and consistently across multiple facilities and geographies. The challenge is how to get there. How do security managers plan not only for tomorrow, but also for the next three, five or 15 years in a world of evolutionary technology innovations and progressions?

Security teams are under pressure to streamline systems and adapt their policies to meet evolving industry regulations. The risk of non-compliance is too high and can severely impact the bottom line and reputation of the organization. In the health care industry, legacy systems may become an issue when there is a requirement to adhere to the Joint Commission and the Health Insurance Portability and Accountability Act. Data centers and financial institutions must report on security-related metrics relative to the Sarbanes-Oxley Act, the payment card industry or Statement on Standards for Attestation Engagements No. 16. In the utilities sector, security managers may face greater scrutiny when under audit as a result of North American Electric Reliability Corporation and critical infrastructure protection requirements. How can a security manager bring their entire security program into compliance while improving operational efficiencies, and have it centralized so that they can manage requirements through policy and procedure? When security systems talk to one another across the organization, security teams can automatically produce the reports and assessments required when being audited for compliance with regulations.

The reputation of a business is essential to its survival. In today’s world of social networking and reliance on the internet and instant communication, businesses must be conscious of their reputation on a continual basis and they must be responsive to any crisis that may have an impact on their brand. The security manager is under greater pressure to protect their facilities, employees and company assets. Having systems that are future-proofed with automated processes can help to mitigate crises and thereby help to protect reputation. Advanced reporting, for example, can help a security manager be proactive at preventing security incidents before they happen. It can help to prepare for what could come after a critical incident, such as the inevitable investigations and forensic activity. Quickly and effortlessly proving that the company enforced compliant policies and protocols and did everything it could in a time of crisis is what will save the bottom line.

How should you approach upgrading and connecting legacy security systems?

Once you have identified the need, how should you approach upgrading and connecting legacy systems?

First, it’s important to invest the time to wholly understand your security ecosystem. How should the various systems in your security program work with one another? What departments have a vested interest in your operations, and how can your security ecosystem better help them? What compliance requirements are necessary in your industry? Take the time to fully understand and maximize the performance of the technology you have now. Often there is capability inherent in what you have that you may not fully understand. For example, do you know what every button in your Microsoft Word program does? Is it possible that if you took the time to learn more about Microsoft Word, you could learn some tricks that would make you faster and more productive at word processing? Leveraging your manufacturer could be of great assistance in understanding your existing security system. No one knows the intricacies of the platform more than the developers themselves. Maybe there is a built-in visitor management system of which you were unaware? Maybe intrusion capabilities exist that are all you need for your company? How are you handling alarms and activities? Maybe your system doesn’t require an upgrade? Maybe it can be integrated with other systems across your network?

There are tools designed to connect security systems to one another. Physical security information management (PSIM) software can provide a platform to integrate multiple unconnected security applications and devices and control them through one comprehensive user interface. But PSIM software can be expensive and sometimes difficult to deploy and maintain. Another alternative is command and control software, which is a more affordable platform that captures alarms from all systems in a single window. Research what works best for your organization and budget.

Unified and connected systems can save you a substantial amount of money on alarm response. Before embarking on a new system design, take the time to study the hard and soft costs of your current alarm management program. What manual processes are you following now when responding to an alarm? What processes are you following in the aftermath of that alarm? If it involves opening and sharing multiple spreadsheets or programs, or worse, a physical three-ring binder, you are wasting precious time and money. Don’t waste time writing and enforcing policies and procedures that you cannot automate. The risk is just too high. The same can be said for implementing identity and access management systems that will streamline processes, save money and help you meet compliance.

Security integrators and consultants can help assess your security program and design solutions to solve issues that you may have with legacy systems and unconnected networks. There can be an upfront cost for this work, but they may help you see areas for efficiency that you didn’t know were there. They will help you manage to industry requirements and ensure that your system is future-proof.

Stay in tune with growing trends in the security technology industry, and understand what value they can bring to your organization, but adopt them only when they can serve a functional purpose in your organization. Machine learning and artificial intelligence are growing trends in security technology. It may be worth the time and investment to upgrade your older systems to new technology that applies data analytics to alarms and events, enabling you to isolate which types of events are more important than others in your environment. What if you could look beyond the alarm and easily distinguish behavioral anomalies in employees? Pairing this sort of technology with an insider threat program is a force to be reckoned with and will help you allocate resources more effectively. Manufacturers, integrators and consultants can help with your research.

Lastly, outsourcing elements of your security program to a third party in a managed service model can be a cost-effective way to manage capital expense and ensure that your program is future-proof.


Security managers typically invest in upgrading legacy systems when they need to save money, reduce risk and/or be in compliance with a regulation. Through a risk assessment, you can understand your current security ecosystem and whether or not it is sufficient to address your current and future needs. It will help you understand the obvious and less obvious costs that exist now to manage your current program. Diagnose your issues first before upgrading a legacy system and, once deployed, measure the results you achieve. The role of a security manager is changing, but that’s a good thing. Embrace that change and engage with your colleagues to improve overall business operations.

Kami Dukes is the director of business development at AMAG Technology. 
