DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

What does 'security' really mean to your organization? Some of us think of guards and alarm systems, while others think of computers and firewalls. All are correct, but time has quickly leap-frogged over the more traditional connotations of security in today's business environment ' and some of us are not keeping up.

To define security, we must ask, 'What is being protected?' In our fast-paced, network-centric, Y2K-crazed world, we must look at security in terms of corporate survivability. We are protecting our organization's ability to keep the doors open for business. So when we are relying on a critical component within our organization, how do we complete our mission if that facility or technology or information is inaccessible for a period of time?

Separate plans to protect the physical and information assets of an organization are no longer enough. Today's successful and cutting-edge companies are realizing that a complete security plan is one that truly protects the company's ability to do business.

Security Redefined

No longer is it acceptable or wise for two separate security teams to exist independently of each other, says Bill Boni, director of information protection services at Coopers & Lybrand.

'The focus use to be on tangible assets for the physical security manager, and on information for the information systems manager, but the importance of intellectual property to an organization necessitates a merger between the two,' Boni says. 'You have to understand that your major values are now your intellectual property, trade secrets and other proprietary information. That requires legal, investigative and systems skills in a collaborative environment.'

Protecting intellectual property is tricky, because it includes every level and every facet of an organization.

'In the traditional structure, the physical security manager says everyone wears a badge, so we're done. The traditional IS manager says everyone has a password, so we're done. The lawyers say everyone signed a nondisclosure, so we're done. Each one of those is necessary, but cannot really protect the company's intellectual property information assets because information moves between the different environments so quickly,' Boni notes. 'If these groups maintain their segregation and are not part of some sort of cross-organizational team, the losses begin where each one's boundaries end.'

To truly protect your intellectual property, it is clear that these two security teams must work closely together. But that is more easily said than done. Training differences, cultural differences, and a long history of working independently make this kind of cross-functional cooperation difficult to institute.

WarRoom Research LLC, an Annapolis, Md. systems security company and thinktank, has just released a report that finds that physical security personnel and information security personnel simply do not communicate.

'There are literally no communication pipes. This is a serious problem, because as our economy becomes more digital, we run into a situation of data information and corporate knowledge being more accessible over cyberspace links than over traditional dumpsters and Xerox machines,' says Mark Gembicki, president of WarRoom Research. 'It is more accessible over the Internet and by intercepting somebody's e-mail and phone conversations than the physical security of somebody coming in with a false ID or somebody jumping over a barbed wire fence.'

But even though it is difficult, it is crucial for the two sides not only to communicate, but to work together seamlessly. Moreover, there is no time like the present to get your house in order. If you wait for a disaster to occur, it is simply too late. 'Forming an organization and having it work together before there is an incident to contend with is very important,' Boni says. 'It is almost inevitable that there will be a security breach of some type. Typically, it will be a theft or loss of a trade secret or intellectual property.'

Risky Business

By avoiding the inevitable melding of physical and information security, companies are opening themselves up to tremendous risk, says Dan Withers, president of the Santa Clara, Calif.-based High-Tech Crime Investigative Association. Even though physical security personnel may be able to stop the crime, intellectual property may already have been stolen through electronic means. If there is no input from the information security team, the efforts of the physical security team may be for naught, Withers says. 'They really open themselves up from a liability standpoint,' Withers says. 'Companies can really have their reputations destroyed by certain types of security breaches. Once information gets into the wrong hands, it can adversely affect your business. You may never fully recover.'

This type of integrated approach pays dividends in all types of businesses, but perhaps more so in high-tech leading edge organizations that have a significant amount of intellectual property.

'In these types of businesses, your biggest risk is an insider who will try to walk off with information,' Boni says. 'If security is strictly an information systems function, (information security personnel) may detect the incident and do nothing more than suspend that person's logon ID. If it is a physical security person, the guard might be looking for the guy to walk out the door with a box of tangible product, but that probably won't be how he does it. He is more likely to use the Internet to transmit source code or files. It is that kind of organization that needs the coordinated, cross-organizational perspective the most.'

Security = Survivability

A guard behind a desk and a couple of network passwords probably do not protect your company's ability to function.

Take a hard look at your security procedures and ask a few eye-opening questions:

  • Are you protecting the things that keep your doors open for business ' not just facilities, equipment, and data, but critical processes?
  • Can you complete your mission in a crisis - be it a security breach, power outage, LAN failure, or a natural disaster?
  • Can you afford the resulting losses (in dollars, lost customers, other resources) if you couldn't function for an hour? a day? a week?

Your company is not secure unless you are protecting all of the things you need - people, places, and processes - to get the job done.

Restructuring your security plan to minimize losses in times of crisis creates survivability - the key to comprehensive security for any business.

Getting Your House in Order

Here are some key steps to follow in assembling a comprehensive security plan for your organization.

  • Assign value to your intellectual capital. If you are a toy manufacturer that has control of a $4 billion toy market with a popular toy, you might put a high value on all e-mail transmissions that have anything to do with that toy, for example.
  • Form a cross-organizational security team made up of physical and information security personnel, under the direction of the CFO, CIO or general counsel, depending on the company. Make sure that members of this team truly communicate with each other.
  • Develop your plan. This might seem like a no-brainer, but 'there are more companies than you might imagine without plans in place,' Withers says. 'And if you don't have a plan, you can't recover from a disaster.' Withers notes that more than 40 percent of the companies that operated from the World Trade Center building went out of business after the bombing, primarily because they had no disaster recovery plan.
  • Make friends with your legal team. The legal team generally has better access to the executive staff than anyone else, making it the best place to go when you see an impending disaster. 'If you walk into the lawyer's office and tell him there is a problem, he will immediately look at it from a shareholder liability standpoint and a criminal standpoint. They will back up the security team,' Gembicki says. If you don't have that relationship in place, everybody loses.
  • Take into account this new paradigm when hiring security personnel. 'The days of having a retired police officer running the physical security side and an IT guy running the information security side are over,' Boni notes. 'Instead, look for savvy business people who understand the core business of the enterprise and whose skills are complementary, so together they are stronger than either one of them individually.'
  • Spend what it takes to protect your intellectual property. 'We estimate that companies spend five times as much money on competitive intelligence, where executives try to collect intelligence on what the competition is doing, than they do protecting the intelligence they collect,' Gembicki says. 'They are spending boatloads of money to capture information on where their products are headed, who is the next CIO they should try to steal away, what patents other companies are filing for, and they are spending a fraction of that budget protecting existing intellectual property.'


 Michael Braham is Director of CommGuard, Enterprise- Wide Continuity Services at Bell Atlantic Federal Systems. Braham serves on the National Board of Directors of the Association of Contingency Planners and is Sub-Committee Chair for the Leadership Coalition for Global Business Protection.