IEN: What are the major security concerns facing industry? How can they be addressed?
Nickell: What concerns "industry" depends on the particular industry in question. In any event, I don''t think that the events of 9/11/01 have reprioritized security concerns in most industries. What concerned manufacturers 5-10 years ago probably is still the main concern. To be sure, I''m certain that architects are mindful of the lessons learned in tall building design and construction. The rebuilders of the World Trade Center property are particularly mindful not to build something that, if hit by a large airplane, would have the same results as 9/11. As a percentage of GNP, however, these concerns are hardly detectible.
From my perspective, if there is any definable trend, it is an increasing awareness of and attention being paid to identity theft. Identity theft plays a significant role in the financial, retail, and counterterrorist sectors and appears to be increasing at a noticeable rate. Solutions, however, are slow to emerge. Although credit card fraud, for example, now measures in the billions of dollars annually, the loss is spread out over tens of thousands of merchants, banks, and insurance companies, but the real pain is being felt by hundreds of thousands of individuals. Effective countermeasures are hard to come by, however, because of the resistance to national ID cards or anything that might be construed as one (e.g., a national drivers license), and as the result of indifference on the part of companies whose losses are covered by insurance. If I were an insurance company looking for a new product, Identity Theft Insurance would bear some investigation and evaluation.
IEN: Where are strides being made: In risk management? Integrated systems design? Emergency response? Hazard controls? Computer security? Elsewhere?
Nickell: I can only give a very limited and parochial answer as I am only really involved in integrated systems and computer security. There seems to be a trend toward an integration of systems to safeguard institutions. In physical security, access control and intrusion detection systems are emerging that are fully capable of providing a full range of facility monitoring and control, not just access control, but temperature, humidity, elevators, parking, and many other subsystems.
Computer security and physical security use pretty much the same language in describing threats, vulnerabilities, and solutions: intrusion detection, motion detection, access control, and so on. Not only is there a linguistic sharing, but more sophisticated resource managers are using a mix of hardware and software to secure both. For example, manufacturers of iris recognition equipment can integrate access control to information systems as well as the buildings they sit in, using the same enrollment and user database.
IEN: What innovations are in store for users in security equipment and systems, software, training, and other areas?
Nickell: There are several fronts of development. One is the graphical display options available to security managers who maintain command posts. 3-D and hologram-type images are becoming available. The fusion of video information from three or more strategically placed cameras enables the creation of perspective images of an entire campus or urban area into one 3-D type image, not a profusion of simultaneous images on a dozen independent monitors. RFID technology is beginning to be used to track employees and visitors to and within a facility. This enables greater awareness of personnel location, automatic facility management, and threat control.
IEN: Where are other R & D hot spots?
Nickell: Biometrics holds considerable potential in virtually all of the areas noted above. Better and less expensive biometrics will be emerging in the marketplace as the idea of biometric identification becomes less Gattica (the movie that uses instantaneous DNA analysis for identification) and more Main Street. Indeed, one vendor at a recent security trade show showcased product security and access control based on DNA sampling and smart cards.
IEN: Is the web a significant factor? Why/Why not?
Nickell: Yes, the web holds considerable potential for cost-effective security applications and controls. For the time being, however, real concerns over the stability and availability of the web temper any real efforts to embrace the potential. The web is an excellent communications medium for the transmission of administrative information and other non-time-critical security-related data. We can enroll people in Washington, DC, into biometric recognition systems, then send the enrollment data through the web, very securely, around the world to every door in every facility we may own or control.
The biggest threat to this process is not interception or compromise of the data, but denial of service. But, if we are enrolling someone today who is going to Africa next month, a day or two of a virus or worm-caused delay is irrelevant. It is not ready yet, if ever, for mission-critical, real-time monitoring and control. Nonetheless, privately implemented TCP/IP technologies are even now being used successfully in global security management.
IEN: Will wireless technology play an increasing role in security? If so, how?
Nickell: My comments on the web are relevant to this question also. Wireless technology holds significant theoretical promise, but is constrained by the threat of information interception and/or denial of service, two factors that argue against depending on the technology for mission- and/or time-critical applications.
IEN: How can companies integrate security technologies within the industrial enterprise?
Nickell: Security systems are integrated pretty much the same way regardless of the industry or business segment involved.
An additional thought: How much is enough? My favorite question. Companies would do a lot better by doing a ruthless job of threat and vulnerabilities assessment, combined with an equally ruthless examination of their own business, to determine what business they are really in and, given that, what is valuable and what is not. Protect what is valuable and forget the rest. Many companies will fail these tests and spend money protecting the wrong thing.
This question is often wrapped up in the ROI question. The problem with ROI is that expenses for security appear on the income statement that mid-level mangers read and use to evaluate the security managers who work for them. How much did we spend on security and how much profit did we realize? Wrong question. The benefits from security appear on the balance sheet that only the CEO and shareholders read. When''s the last time you caught a security manager reading the Balance Sheet? The real, long-term benefits of a sound security plan make themselves known in the various components of shareholder value (use of capital, value of inventory, goodwill, etc.), not periodic profit.