Making the (Up)Grade

When businesses combine, security enhancements are often necessary – and beneficial

Three main drivers compel an organization to upgrade or connect legacy systems. Organizations make changes when they need to save money, reduce risk or comply with evolving regulations. Just one of these factors can have an impact on the organization as a whole, which is why the role of the security manager is ever-changing. Security technology is now playing a more critical and broader role in organizations than ever before. As a result, security managers are challenged to think creatively, engage with other departments and balance their existing technical infrastructures with today’s cultural expectations of tighter, yet frictionless, security.

How Has Security Changed?

In the distant past, an organization’s security personnel often reported to the facilities department. Occasionally, there were dedicated security teams, but they rarely interacted with other departments. Today, legal, finance, IT, cyber and human resources (HR) have a vested interest in security operations. Much of that interest is driven by a need to meet compliance policies and the relationship that each department has in that compliance process.

Some of that interest results from a better understanding of how the security systems we use today can affect departmental operations. An example of this is a physical identity and access management (PIAM) system. In large organizations, the onboarding and offboarding of employees, contractors and vendors can be extremely difficult. Many people are involved in approving building and secure area access, all working in different departments at different locations, each with their own processes and requirements. No single individual has all the knowledge to ensure that the right people have the right access to secure areas at the right time and have the skills and/or certifications to prove it. Granting access often entails multiple emails and phone calls across the organization, so it can take days for a new employee to get an access card.

All of these manual, disjointed processes bog down the organization in emails, running reports and data entry. They also introduce risk to an organization because humans make mistakes. Today, a PIAM system can streamline operations, increase efficiency and manage identities seamlessly. Automating onboarding and offboarding and implementing a distributed model throughout the organization make turnaround times faster and bring less risk. When a new employee is hired, the HR system acts as the authoritative data source, and the PIAM system initiates the approval workflows and automatically provisions the employee record into the access control system. What used to take days now takes minutes.

As the economy has grown, we have seen an increase in merger and acquisition activity. Multinational companies are buying smaller companies and expanding into new markets. The security manager’s job is now more complex than ever. Tasked with managing the entire security program, this person now must consolidate different types of security technologies, including multiple access control, video, audio, intrusion and incident management systems. Often these systems are standalone. They do not communicate with one another, much less communicate with systems already in use at the parent company.

In recent years, this has been especially true in the health care industry, where large health care organizations have bought local hospitals. Similarly, in the data center industry, larger companies have bought smaller data storage facilities, and in the utility sector, there has been a trend towards consolidating utility plants. When legacy security systems are upgraded and connected to one another, physically or operationally, companies are able to manage the security programs efficiently and consistently across multiple facilities and geographies. The challenge is how to get there. How do security managers plan not only for tomorrow, but also for the next three, five or 15 years in a world of constant technology innovations?

Security teams are under pressure to streamline systems and adapt their policies to meet evolving industry regulations. The risk of non-compliance is too high, since it can negatively impact the bottom line and the reputation of the organization. In the health care industry, legacy systems may become an issue when complying with Joint Commission and Health Insurance Portability and Accountability Act regulations. Data centers and financial institutions must report on security-related metrics related to Sarbanes-Oxley Act mandates. In the utilities sector, security managers may face greater scrutiny when under audit as a result of North American Electric Reliability Corporation and critical infrastructure protection requirements. How can a security manager bring the entire security program into compliance while improving operational efficiencies? When security systems talk to one another across an organization, security teams can automatically produce the reports and assessments required when they are audited for compliance.

The reputation of a business is essential to its survival. In today’s world of social networking and reliance on the internet and instant communication, a business must be conscious of their reputation on a continual basis and must be responsive to any crisis that may have an impact on its brand. The security manager is under greater pressure to protect facilities, employees and company assets. Having systems that are future-proofed with automated processes can help to mitigate crises and thereby help to protect reputation. Advanced reporting, for example, can help a security manager be proactive at preventing security incidents before they happen. And it can help to prepare for what could come after a critical incident, such as the inevitable investigations. Quickly and effortlessly proving that the company enforced compliant policies and protocols and did everything it could in a time crisis is what will save the bottom line.

How Should Upgrades Be Approached?

First, it is important to invest the time to fully understand the security ecosystem. How should the various systems work with one another? What departments have a vested interest in security operations, and how can the security ecosystem better help them? What are the relevant regulations and standards? A security director should take the time to fully understand and maximize the performance of the current technology. Often, a technology has capabilities that are not fully understood. For example, how many people know what every single button and command in Microsoft Word  does? Is it possible that, if a person took the time to learn more about Microsoft Word, he or she could learn some tricks that would lead to increased speed and productivity when using that software? Leveraging manufacturer information could be of great assistance in understanding an existing security system. No one knows the intricacies of the platform more than the developers themselves. Maybe there is a built-in visitor management system.  Maybe intrusion capabilities exist that are all the company needs. Maybe the system does not require an upgrade. Maybe it can be integrated with other systems across the network.

There are tools designed to connect security systems to one another. Physical security information management (PSIM) software can provide a platform to integrate multiple unconnected security applications and devices and control them through one comprehensive user interface. But PSIM software can be expensive and sometimes difficult to deploy and maintain. Another alternative is command and control software, which is a more affordable platform that captures alarms from all systems in a single window.

Unified and connected systems can save a substantial amount of money on alarm response. Before embarking on a new system design, a security director should take the time to study the hard and soft costs of the current alarm management program. What manual processes are followed when responding to an alarm?  What processes are followed in the aftermath of an alarm? If any of the processes involves opening and sharing multiple spreadsheets or programs or worse, three-ring-binders, time and money are being wasted. Policies and procedures should be automated. The same can be said for implementing identity and access management systems that will streamline processes, save money and ease compliance.

Security integrators and consultants can help to assess an organization’s security program and design solutions to solve issues with legacy systems and unconnected networks. There can be an upfront cost for this work, but these experts can identify areas for improved efficiency. In addition, they can help to ensure that the system meets industry requirements and is future-proof.

Machine learning and artificial intelligence are growing trends in security technology. It may be worth the time and investment to upgrade older systems to new technologies that apply data analytics to alarms and events, identifying which types of events are more important than others. What if a system could look beyond the alarm and distinguish behavioral anomalies in employees? Pairing this sort of technology with an insider threat program can be highly effective and can enable a more effective allocation of resources. Manufacturers, integrators and consultants can help with the necessary research.

Lastly, outsourcing elements of a security program in a managed service model can be a cost-effective way of managing capital expenses and ensuring that a program will not soon be obsolete.

Conclusion

A risk assessment will provide an understanding of an organization’s security ecosystem and whether or not it is sufficient to address current and future needs. It will help to identify both the obvious and hidden costs that are required to manage the current program. Before upgrading a legacy system, the critical issues must be diagnosed, and once a new system is deployed, the results should be measured. This process can not onl,ly enhance security, but also improvce  improve overall business operations.

Kami Dukes (kami.dukes@amag.com) is director of business development at AMAG Technology.

This article appeared in the spring 2019 edition of SIA Technology Insights.