When Preston Wood, Zions Bancorporation's CISO, talks about the growing cooperation between his security team and his company's IT department, he inevitably mentions risk. Specifically, he focuses on how the two now work closely together to define acceptable levels of risk, assess the levels of threats to various systems and then mitigate those potential problems.
Increasingly, working with the corporate IT department has become very much a collaborative effort for the security professionals at the $40 billion community banking firm, he says. “We work with IT to define new security policies or modify data classes to reduce risk, and they put in controls to ensure our risks are appropriately mitigated.”
Zions Bancorporation, a Salt Lake City-based financial services company, is one of many enterprises riding the crest of a major shift in organizational politics within IT. Risk assessment and management is the meeting ground for security and IT management, according to Scott Crawford, research director for security and risk management at the research firm Enterprise Management Associates. And, as a result, these are the key forces that are breaking down the wall between IT and security operations, he adds.
“Risk underlies it all,” Crawford says. “It's difficult to build a mature approach to security without laying a foundation of security and IT management. Unless you get security risks under control, you'll have real problems in delivering reliable performance and resource integrity with high confidence.”
Wood agrees. “IT and security organizations understand their core responsibilities, and when any infrastructure or new system or application is placed into our environment, information security and IT are involved in that decision,” he explains of Zions' approach. “We come together to make sure both our needs are met.”
This convergence of security and IT operations works at several levels. Risk management and mitigation are, for instance, deeply rooted in one of the key driving forces in what Crawford calls governance/risk/compliance (GRC) management.
In a nutshell, GRC is the means by which enterprises merge networking and security to gain insight into whether they're meeting regulatory mandates, as well as internal security, legal and corporate policies, according to Crawford. It's what is driving such organizations as the TriZetto Group and the Children's Hospital and Health System of Wisconsin to integrate, and in some cases merge, at least portions of their security and IT operations.
Wood notes that dealing with data classification — understanding more about where the data is and how it's being used — is one of the more pressing issues at Zions, which operates 450 branch office banks in 10 Western states, including California, Colorado, Nevada, Utah and Texas. This all relates back to the idea of ensuring control based on the risk of the system, he says.
What's important is to develop and deploy a method for assessing risk, Wood says, adding that, of course, the answer to what's at risk will be different for different organizations. In Zions' financial services space, for instance, he says a financial reporting system, or a system holding customer information, is going to have a higher risk rating than a system holding information not related to those categories.
Cooperation between the IT operations staff and Zions' security professionals is critical in the assessment and mitigation of the risks the organization's business-critical financial systems face, he explains. While the two groups operate separately within the company, their collaborative relationship ensures that they employ necessary security controls and, at the same time, make sure that they deploy those controls with the IT department's objectives in mind, Wood explains.
Wood's security group and Zions' IT staff are continually finding ways to expand their collaboration. As an example, he notes that the teams are striving to grant IT more and more access to security systems to effectively monitor events on the network.
“We've set up an infrastructure that enables the IT organization to quickly point to our security information management [SIM] system,” Wood further explains. This gives IT access to the security tools Wood's team uses, enhancing its ability to troubleshoot network-specific issues not related to security. For instance, IT now can access the security team's SenSage SIM system to pull device logs into its own systems, he says. This can help IT staff look for specific error messages that might pinpoint a performance bottleneck.
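The following is an added example of the kind of non-security troubleshooting Wood describes: operations staff pulling device logs out of a shared log store and sifting them for the error messages that point at a capacity or performance problem, while security-relevant events are counted separately. It is illustrative code written for this page, not Zions' or SenSage's software; the syslog-style lines, device names, message patterns and the bottleneck threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample device logs in a syslog-like layout (hypothetical hosts and events).
SAMPLE_LOGS = """
Jan 12 09:14:01 core-sw01 snmpd: Interface Gi1/0/24 input errors: 1523
Jan 12 09:14:03 core-sw01 snmpd: Interface Gi1/0/24 input errors: 2110
Jan 12 09:14:05 core-sw01 snmpd: Interface Gi1/0/24 output drops: 340
Jan 12 09:14:07 fw-edge01 kernel: conntrack: table full, dropping packet
Jan 12 09:14:08 fw-edge01 kernel: conntrack: table full, dropping packet
Jan 12 09:14:09 fw-edge01 sshd[2231]: Failed password for root from 203.0.113.7 port 51522 ssh2
Jan 12 09:14:10 fw-edge01 sshd[2231]: Failed password for root from 203.0.113.7 port 51523 ssh2
Jan 12 09:14:11 app-db02 oracle: ORA-00020: maximum number of processes exceeded
Jan 12 09:14:12 core-sw01 snmpd: Interface Gi1/0/24 input errors: 2987
Jan 12 09:14:13 app-db02 sshd[910]: Accepted publickey for dba from 10.0.5.12 port 40012 ssh2
""".strip()

# timestamp, host, process (optional [pid]), then the free-text message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Messages the operations team cares about: capacity and performance symptoms.
OPERATIONAL_PATTERNS = [
    ("interface_errors", re.compile(r"input errors")),
    ("interface_drops", re.compile(r"output drops")),
    ("conntrack_full", re.compile(r"conntrack: table full")),
    ("db_process_limit", re.compile(r"ORA-00020")),
]

# Messages that belong to the security team's view of the same log store.
SECURITY_PATTERNS = [
    ("auth_failure", re.compile(r"Failed password")),
]


def parse_line(line):
    """Return a dict with ts/host/proc/msg, or None if the line is not a log record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Label a message as ('security', label), ('operational', label) or ('unclassified', None)."""
    for label, pat in SECURITY_PATTERNS:
        if pat.search(msg):
            return "security", label
    for label, pat in OPERATIONAL_PATTERNS:
        if pat.search(msg):
            return "operational", label
    return "unclassified", None


def summarize(lines, threshold=3):
    """Count labelled messages per host and flag hosts whose operational error
    count reaches `threshold` (a constructed cut-off) as bottleneck candidates."""
    counts = {"operational": defaultdict(Counter), "security": defaultdict(Counter)}
    unclassified = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category, label = classify(rec["msg"])
        if category == "unclassified":
            unclassified += 1
        else:
            counts[category][rec["host"]][label] += 1

    bottlenecks = sorted(
        host for host, c in counts["operational"].items() if sum(c.values()) >= threshold
    )
    return {
        "operational": {h: dict(c) for h, c in counts["operational"].items()},
        "security": {h: dict(c) for h, c in counts["security"].items()},
        "unclassified": unclassified,
        "bottleneck_candidates": bottlenecks,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS.splitlines())
    for host in report["bottleneck_candidates"]:
        print(f"{host}: possible bottleneck, errors = {report['operational'][host]}")
    print("security events:", report["security"])
```

Running the block against the constructed sample flags the switch whose interface keeps reporting input errors and drops, while the failed root logins on the firewall are tallied under the security view rather than mixed into the performance picture. The split between the two pattern lists is the point: both teams read the same log store, but each asks it different questions.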
While the two groups remain separate, Wood doesn't feel merging them is the real issue, anyway.
“It's not about organizational structure,” he believes. “It's more about the groups collaborating effectively and succeeding in their core objectives. If you can do that, the organizational structure is secondary.”
The question, then, is whether or not there will be even more collaboration in corporations between security and IT.
“I'm not sure I have a forward-thinking answer,” Wood says. “However, the more visibility you can grant the IT organization into the business data that they may not have had access to, I think you start seeing the benefits of data analysis and decision-making.”
Driven by compliance
It's a similar situation at TriZetto, a Greenwood, Colo.-based application service provider (ASP) of claims-processing software to major health insurance companies. That is, security and IT operate separately, but outside forces — in this case, regulatory compliance — are pushing the two groups to work together.
“For us, we're mainly trying to deal with regulatory compliance that's driving the health care industry,” says Gary Starling, TriZetto's director of enterprise security. “We're required to report a great deal of information required by regulatory controls, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the credit card industry's Payment Card Industry (PCI) Data Security Standard. Everything we've implemented helps us meet SOX, HIPAA and PCI regulations.”
In the two groups' collaborative arrangement, TriZetto's IT group handles the physical installation of intrusion detection devices and firewalls, while the IT security division does the configuration and management of those tools. The security group has an oversight role in the relationship with IT, Starling explains.
“We come behind and monitor to make sure the infrastructure they implemented has been done in accordance with our security policies,” he says.
Working together as a team, he further explains, the two groups coordinate various audits and assessment activities, in addition to working through change-control processes.
“Because of the nature of the vulnerabilities we're seeing, we have to work closely with the network team to quickly identify and mitigate risks in our environment,” he adds.
There is a clear line of demarcation between the groups, however. “We do not substitute for network engineers, and they don't substitute for security engineers,” Starling emphasizes.
He believes that as technology changes, and new technology comes along, his team and the network team will only grow closer. He points to video conferencing and instant messaging as recent examples of such new developments calling for collective attention.
“All of these traverse the network and have an impact on network performance and security, and one could lead to a major security breach,” he says. “Because the security team doesn't own the network from end to end, we have to work closely with the network team to manage those kinds of vulnerabilities.”
Unlike Wood and Starling, Chuck Klawans, the information security officer at Children's Hospital and Health System, and his two security colleagues are part of the IT group at the 240-bed pediatric center in Milwaukee, Wis. This integration has its pros and cons, he says. Although it's not unusual for security to be part of IT, Klawans believes it's not necessarily the best place for it.
“There are obvious conflicts between some of IT's interests and those of security,” he says, adding that security advocacy can get lost in the shuffle.
“It's the role of IT to get things done on schedule, and if security has concerns, there's the potential for conflict when the IT director or CIO hurries the application or device in, and security may get bumped,” he says.
On the other hand, he adds, “I deal with the IT people all day, so consequently I have a good feel for what's going on inside IT. An outside department might find it a bit more difficult.”
In addition, merging the two groups makes it easier to meet government mandates, such as HIPAA, he says.
Yet, despite that advantage, he still sees a tendency within IT to deploy technology quickly and add security separately, and he has felt some animosity between the two groups, Klawans says. Still, the working relationship has evolved, with cooperation growing between the two groups over the seven years he has worked at the hospital.
“Most of the IT people I deal with are open to input from security to make sure our systems are set up so they're appropriate for our needs,” he says.
As for the industry overall, looking ahead, it will likely become practical to separate the IT and security functions, believes Paul Stamp, the principal security analyst at Forrester Research.
“The security guys can't go forward if they've never touched a firewall, and the IT operations guys need to appreciate the importance of security in what they do.”
AT THE EXCHANGE:
Merging SOC and NOC
The ability to be proactive and head off problems before they interfere with trading is pushing the Philadelphia Stock Exchange to merge its security operations center (SOC) with its network operations center (NOC). That integration, to take place in the first quarter of 2008, will allow the Philadelphia Exchange to maintain its six-year record of 100 percent uptime, says Bernie Donnelly, the exchange's vice president of quality assurance.
The mission-critical nature of the Philadelphia Exchange's network can't be overstated: Five thousand trade-related messages flow through its network each second.
Downtime can lead to price-integrity questions that would negatively impact the exchange's credibility, according to Donnelly. “A five-second outage means we'd miss a million quotes.” That, in turn, could lead to stock-pricing irregularities, which would put the exchange in violation of Securities and Exchange Commission (SEC) technical regulations, according to Donnelly.
Integrating the SOC with the NOC will allow the Philadelphia Exchange to respond much faster to problems within its systems. “We're trying to get from reactive to proactive,” he says.
Combining the two groups will allow the exchange to better manage network uptime. It will also allow network and security engineers to tell from network patterns whether someone made a mistake on an account or deliberately attempted something that is not allowed, according to Donnelly.
— Jim Carr
Surveillance gets tough
Physical security and networking integration is taking place at a rapid rate. Increasingly, enterprises are moving their physical security systems — video surveillance and magnetic card systems — onto the corporate IP network.
The migration from proprietary surveillance and building-access systems to those based on the ubiquitous IP technologies offers organizations increased flexibility and scalability, says Dilip Sarangan, an industry analyst for research firm Frost & Sullivan. The old generation of surveillance products forced users to rely on standalone systems based on proprietary protocols that couldn't interoperate with other vendors' offerings, he says.
That has changed dramatically with the release of products that work over the same IP technology found in corporate data networks. The move to IP began about two years ago, according to Sarangan.
In addition to greater flexibility and scalability, the new systems are also lowering costs for enterprises by as much as 15 to 30 percent, according to Tony DeStefano, director of integrated security systems with TAC, a vendor of physical security products. Much of those savings come from cabling, as enterprises no longer need to deploy a separate cabling infrastructure just for surveillance and building-access systems, he says.
Mainstream technology vendors, such as Cisco, EMC and IBM, now deliver products targeted to the surveillance marketplace. Cisco, for instance, sells switches and routers that allow integrating surveillance technologies into an IP network. IBM, for its part, has developed software to optimize bandwidth for video traffic, while EMC markets IP-based subsystems for storage of video surveillance images, according to Sarangan.
— Jim Carr