Geeks and guns: Major financial institution converges physical and IT security departments
DELRAY BEACH, Fla.—As electronic technology becomes increasingly vital to physical security, there has been a growing need for collaboration between physical and IT security. But should corporations be striving to converge these two departments into one?
Gareth Webley, chief information security officer for Eaton Corp., a $13.7 billion diversified power management company that provides electronic components for the aviation and transportation sectors, said during his keynote address at TechSec Solutions on Feb. 14 that there are a surprising number of synergies between these two departments.
Before joining Eaton Corp. last year, Webley was the chief security officer of National City Corporation (now PNC), which was one of the largest financial holding companies in the country. During his tenure with NCC, Webley led the effort to consolidate security and IT. “In 2003, we were one of the first corporations in the country to bring together physical and IT security under one officer, which was myself,” he said.
This organizational convergence resulted in some surprising synergies. Both departments dealt with assessing risk, developing policies, investigating and deploying technology. “When we aligned under a common strategy we found there was not a lot of difference. It’s about protecting assets, response and managing risk,” he said. While these two departments were different disciplines, they involved similar thinking: Something happens and you take action, he said.
Webley said it was just a matter of finding those synergies and figuring out how to maximize efficiency. For example, physical security operators were fairly busy during business hours responding to alarms, but during the overnight hours there wasn’t much to do. “What we started doing was cross training operators to respond to firewall alerts and intrusion alarms on the electronic side,” he said. “They were similar responses. We realized the benefits and discovered that responding to a physical alarm or an intrusion alarm wasn’t all that different from responding to an attack on the network in terms of policies and procedures.”
One of the biggest challenges in the effort to align IT with physical security was in the social structure of the organization, he said. This “geeks and guns” approach lent itself to an interesting working dynamic in the company and it took time for these departments just to learn how to talk to each other. “That cross pollination was key and we invested a lot of time in learning what the other discipline did,” he said.