Holidays are over, back to work

By Simon Campbell-Whyte, DCA Executive Director.


NOW THE SUMMER HOLIDAYS ARE OVER things look busier than ever for the DCA and I’m pleased to say for the data centre sector in general. I would imagine that in the run up to Christmas this autumn will be some kind of record for the amount of data centre events, conferences and activities.

There are more DCA steering group meetings than ever, and as a reminder anyone can participate in these. Following the Energy Efficiency and Anti-Contamination workshops during the summer, September kicks off with The Physical Security meeting, a subject that you can read more about in this issue. September also sees the DCA run the PEDCA workshops in Poland, from which I have just returned and I’m pleased to say this activity was an extremely useful exercise with much learned from all perspectives.

September also sees the first DCA charity golf tournament, and with Steve Hone being the DCA team Captain, ably supported by John Booth, Frank Verhagen and Richard Judd, I’m satisfied the DCA has no chance of winning its own tournament. September also sees the annual round of EU Code of Conduct Meetings – I hope this year, I’m able to report some good progress, for a change.

September also sees a parliamentary roundtable in conjunction with the Energy Managers Association to explore synergies for the training of data centre energy managers (whoever they are) and finally we see the BIS/UKTI workshop reconvene at UEL to review the UK Government’s data centre proposition.

So that’s September; October and November are just as packed, as I’m sure are all your diaries. Long may that continue, and I thank you for your support if you are participating in any of the above activities. If you are not, please keep an eye on data-central.org for updates, reports and to participate virtually.


The 7 most effective ways to save money on your security budget
WHITE PAPER
This White Paper has been prepared to assist Security Managers and Security Professionals direct resources and focus attention on the areas of operation that will deliver the best Return on Investment.
CornerStone © 2009

EVERY CORPORATION looks for the ‘value proposition’ when deciding upon strategic and operational development. To professionally carry out our duties we all want to understand how a proposed change is going to impact the business and deliver a Return on Investment (RoI).

It has long been argued that Return on Investment models focus too greatly on short term objectives at the expense of understanding true life costs and longer term strategy. Return on Investment models also tend to take a ‘perfect world’ perspective and don’t factor in the sort of performance/technical problems that we all face from time to time.

CornerStone’s awareness of these issues enables us to work with Clients and provide long term support that contributes to the overall ‘value proposition’ and manages the delivery of the Return on Investment.
The following 7 most effective ways to save money on your security budget all share one overriding factor.
They are all part of the ‘value proposition’ that any INDEPENDENT Security Consultant will deliver. Some factors are possibly more obvious than others and some deliver bigger savings but one thing is for certain: without the involvement of an Independent Security Consultant the exposure to the associated risks, both commercial and operational, is far greater.

The following suggestions, if implemented correctly, will save your organisation money and reduce the risk profile associated with any similar project. Whilst it is obviously true that an Independent Security Consultant will charge for their service, the potential saving in terms of finance, time and risk, on a medium to large scale project, will outweigh the fees charged.

1. System design
The design of a security system can be provided via a number of routes. It can be carried out by the system installer, a product manufacturer or even the Client. Whilst all three may provide a working system, the question that should be asked is whether they are offering the best solution.

Installers normally work with a limited number of equipment manufacturers. They do this to make the management of Programming, Commissioning, Service & Maintaining more effective. Imagine running a small installation business with 20 engineers. Even if the Company selected to work with only 5 core product manufacturers, just imagine how many days training would be needed to ensure that adequate levels of competency were instilled within their Engineering team. Good installers will always offer a programme of continual learning to their employees but how many businesses can commit to 20, 30 or possibly even 40 days training each year? On the other hand, do you really want to trust your security system to a Company that provides insufficient training?

Commercially there is also a conflict. Installers that ‘over-engineer’ a system could be doing so to inflate the price. Even if an installer’s original design was used to acquire comparative quotations from some of its competitors, the process is flawed as it is unlikely that one of these other companies will comprehensively review the design at that point. They are more likely to simply offer a check price encouraging the eventual decision to be made for not necessarily the right reasons.

Another option is that a Manufacturer could offer a design service. The reality here is that they will obviously only design a system around the use of their own equipment. This may provide a suitable solution, but it is highly unlikely to be right for every customer or to be the most cost effective solution.

A technically competent Client could also undertake their own system design. The main drawback in this case is that the Client also has a business to contribute to, and the time needed to undertake research, talk to manufacturers, carry out surveys, write the system performance requirements etc. is unlikely to leave many hours in a day to fulfil his or her normal duties. The hidden cost to the business increases still further when it comes to the project management of the installation and commissioning, and that’s without factoring in the potential costs associated with vendor management and contract fulfilment.

The INDEPENDENT Security Consultant will consider many factors when designing a system. The most important issue however, is that the Consultant has the opportunity to define solutions to the clients’ security challenges with no other agenda in mind. The Consultant only seeks to find the right technical, practical and most cost effective solution to meet the challenge.

2. System service and maintenance
When considering the cost of a Security System it is imperative that life cycle costs associated with deploying the system are factored in. It would be a false economy to select a system or item of equipment without understanding just how much it will cost to operate, service or maintain throughout its expected, installed life.

The ability to maintain the system or system component should also be thoroughly understood. Unfortunately, it still occurs today that, after the original procurement process, the equipment or system purchased ceases to be maintained adequately and eventually performance is impaired or the item stops working altogether.

The effort expended at the start of the cycle, to choose the right product or to buy it for the best available price could be completely wasted, costing not only a great deal more money than originally planned but also significantly more time and effort to address the original security issue.

The INDEPENDENT Security Consultant can assist throughout the life of a product or system. Regular System Performance Audits can be built in to the annual maintenance budget. This way, not only can the Client be assured that the system offers optimum protection against any related security threats but that the system continues to meet the objectives defined in the Operational Requirement. This saving could be quite substantial but at the very least knowing that your Security System is fully operational offers peace of mind which can be invaluable.

3. Develop an operational requirement
It is a sad fact that even today, very few Corporations have developed an Operational Requirement (OR) that acts as the ‘blueprint’ that guides the counter-measures that can be taken in response to any Threats or Risks identified.

Without an Operational Requirement in place it can be difficult to deliver long term, strategic measures in the most cost effective manner. Organisations become more prone to ‘knee jerk’ reactions to security incidents and find it more difficult to direct investment to the most appropriate area.

The Operational Requirement (OR) provides a way of reminding the Corporation why certain decisions have been taken along with mapping out the path required to address particular Threats and Risks and counter known vulnerabilities.

The OR is generally at 2 levels. Level 1 (L1) provides the higher level strategic direction and Level 2 (L2), the lower, more specific measures. A Corporation might publish the L1 OR to define its overriding Corporate approach to its security provision and then develop L2 ORs for each individual type of facility, differentiating for example between a manufacturing plant, a distribution warehouse and the Corporate Headquarters.

The INDEPENDENT Security Consultant will produce the Level 1 and 2 Operational Requirement after detailed consideration of many factors including the Threats and Risks that the business faces along with specific areas of Vulnerability. This process will allow identification of ‘gaps’ in the current security measures and articulate the particular security needs of the business. It will allow a structured and considered process to be undertaken and help avoid panic purchases in response to particular incidents.

4. Threat & risk analysis and vulnerability studies
One of the starting points when defining security strategy has to be the Threat and Risks that a Corporation faces along with areas of Vulnerability that they might have. It’s only by fully appreciating both the generic and specific threats that counter-measures can be defined that address the particular area of concern.

It is quite common for Corporations to have in place a substantial Security Infrastructure but for the Threats and Risks along with any Vulnerability not to have been properly identified. The process should be the subject of continual review to ensure the appropriateness of information contained and once in place, should form part of the Strategic level documentation retained by the Security Management Team.

Suitable intelligence will be required to fully prepare a detailed study and careful consideration should be given to the source of that information.

The INDEPENDENT Security Consultant will be able to gather the pertinent information applicable to each client. It is essential that they have communication channels into a range of ‘intelligence’ sources along with the experience to interpret the information effectively. By basing the budget and security provision requirements around the Threats and Risks that a Business will face and by countering any found Vulnerabilities, it will be possible to target finance and resource to where it will be most effective. This will not only ensure the most appropriate use of resource but minimise expenditure where practicable.

5. Policy and strategy development
This is not an area generally considered to save a Company money and can be overlooked in terms of delivering a ‘Return on Investment’, but without a well written and auditable Security Policy in place, defining the actions necessary to deal with a security related incident will only ever be an ad hoc process creating repetition of effort.
Publishing a clear Security Policy that provides a fully ‘joined-up’, strategic approach not only ensures a consistent and measured response to the business’s security issues but also guards against spending money unnecessarily and using resources wastefully.
Once in place, Policies and Procedures can be audited against a schedule of pre-determined Key Performance Measures and the quality of service refined and improved on a continual basis.

The INDEPENDENT Security Consultant will work in partnership with Department Heads and Operational Management to ensure the integration of all parts of the Security Policy so that they augment and protect the Business wherever possible. This process often leads to a closer relationship with other business functions, such as the FM team and HR. This extended level of communication can help to develop a greater appreciation of the Security Operation.

6. Cost Management
Probably the most obvious way to save money on your security budget will be to closely control all associated costs. This can include anything from Head-count to Corporate Security uniform, System Maintenance to stationery.

An INDEPENDENT Security Consultant will be able to assist in identifying areas of expenditure that could be reduced or where greater value could be derived. By using detailed analytical tools it will be possible to identify certain target areas that may include Capital Expenditure as well as Maintenance/Operational budgets.
Revised procedures may offer efficiency savings and the use of new or amended security strategies could improve auditable performance whilst returning value to the bottom line.

7. Security Training
As with many other areas of business the Security function can be broad ranging and complex. It is essential that individuals develop core competency skills to deal with the breadth of subject and that specialist knowledge is imparted in an effective manner.

The training needs of a Security Team should be assessed to fully understand the core competency levels and to help identify shortcomings or particular areas of expertise. Learning and Training programmes can then be developed to target particular needs. Budgets can be developed to address specific requirements and savings can be made by focussing training resource where it will have the most beneficial effect. A well developed Learning and Training Programme can also have an advantageous effect on staff retention by helping to protect the investment made when an individual is employed.

About the author
Jon Roadnight has been in the Security Industry for over 20 years. His broad experience encompasses Manufacturing, Installation and Consultancy Services and for the last 11 years he has been on the Board of some of the UK’s most successful Security Companies.
Since 2007 he has been an Executive Director of CornerStone GRG, a leading Independent Security Consultancy firm with Headquarters in London. He has extensive International experience having been involved in projects throughout Europe, Africa and Asia. He has actively helped shape Security Industry opinion and represented the Security Industry in a live television debate about Video Analytics on the BBC’s ‘The Politics Show’.

He can be contacted with any queries at jon@CornerStonegrg.co.uk or via the web site www.CornerStonegrg.co.uk


Data centre solutions – physical security feature


By Richard Jackson of Jacksons Fencing


Beware of deviating from the specified physical security solution
Much has been written about the importance of incorporating robust and future perfect physical defence measures into the overall security architecture of a data centre. However for truly effective, long term, fit for purpose site security, the purchase and installation of any physical security solution should also represent the realisation of an informed and strategic decision-making process.

When planning the physical security infrastructure for a data centre, the architect, or quantity surveyor will specify his / her recommended products, products which are perceived to be the best response to the challenges faced on site.

Cheaper imitations come at a price
However, frequently, the specification submitted by the architect / quantity surveyor will be ‘tweaked’ by the construction company responsible for the build and, rather than installing the exact product proposed, a ‘similar’ and often cheaper substitute is deemed to be acceptable.

The irony is that buying ‘similar’ and ‘cheaper’ may come at a price which far outweighs any marginal savings that can be made at the installation stage. Cost cutting, increasing margins, maximizing the bottom line, however you choose to phrase it, the fact is pressing economic times have led to a culture where price is king – but how often is this at the expense of a depreciation in quality?

Deviating from the original specification may result in installing a product that is of an inferior calibre and one that has been manufactured from lower grade / mediocre materials. The limitations associated with this class of product will also lead to a failure to deliver a long service life.

Physical security solutions, by their very nature, must be stringently and independently tested to ensure their efficacy and ability to withstand the very challenges they claim to overcome. For this reason, it is often appropriate to only seek out products that carry the relevant industry accreditations, which acknowledge the proven capabilities of the item. At the very least, any automated gates must carry a CE mark which confirms the manufacturer’s declaration that the product meets the requirements of the applicable EC directives.

Don’t scrimp on safety
Paring down the recommended safety measures is an easy way to reduce costs and, in the case of automatic gates, is an occurrence that happens all too frequently. Indeed, Gate Safe, the charity set up to improve standards in automated gate safety, estimates that over two thirds of automated gates installed in the UK do not comply with latest legislation and could pose a serious safety risk.

However in the event of a serious accident, or fatality (since 2010, there have been 15 accidents including six fatalities reported involving automated gates), the savings represented by omitting to incorporate the relevant safety features become totally irrelevant. Neglecting to adhere to the appropriate guidance will come at a significant price to a business both in terms of its reputation as well as the monetary fines imposed if a breach in safety laws is established (recently the two firms found guilty of breaching safety laws for the automated gates that killed a five year old girl were fined £110,000 and both companies were also ordered to pay £40,000 court costs).

Long life vs guarantee?
A truly fit for purpose perimeter security / access control purchase will not simply benefit from a ‘long life’. It is supplied with a credible guarantee consistent with the manufacturer’s confidence in the product. A simple analogy would be choosing to buy a car with a five-year warranty or buying a car from a dealer supported by a very dubious three month ‘dealer’s guarantee’. Or another way of viewing the matter, why install a fence which is expected to last only ten years, if the building it is protecting is anticipated to be in existence for at least twenty plus years?

Integrated response
It should also be noted that an architect / quantity surveyor specifies items from the same manufacturer’s portfolio for a reason, to ensure an integrated response to a particular problem. Purchasing a gate from one company and then opting to buy a fence from another supplier can lead to potential weaknesses in site security. These risks can be avoided if the construction company adheres to the products originally specified, which are likely to be from a manufacturer that also offers an expert installation service.

The best advice therefore is to adhere to the original specification. Digressing from this in the name of cost cutting (reductions which largely benefit the contractor and may not even be passed onto the end client) simply leads to a cycle of purchasing and then re-purchasing that ultimately leads to enhanced, rather than reduced cost. It can even pose serious safety risks …

Jacksons has always prided itself on its commitment to quality, designing and manufacturing products which are fit for purpose and built to last. Sourcing the very best materials for the job in question, combined with robust road testing and fine-tuning, enables the company to offer a unique 25-year guarantee across its physical security solutions portfolio.

For more info visit www.jacksons-security.co.uk or call tel 01233 750 393.


How secure is your data centre?

Martin Grigg, Senior Security Consultant at PTS Consulting, discusses the vulnerability of many businesses resulting from lack of understanding of the real security risks that they face every day.

IT IS OFTEN REPORTED that the average Londoner is recorded by a CCTV camera 300 times a day and that is probably true throughout the country. But does this fact increase the security of your data centre? Does the myriad of access control systems and biometric readers really keep a data centre, its people, property and assets safe?

To answer these questions we first need to consider what threatens our data centres and how likely any of the scenarios are to affect us. Whether the risks are unauthorised use of equipment, illegal processing of data, data corruption, espionage, bombs, terrorists, electronic warfare or system sabotage, the risks need to be quantified.

A process of risk assessment should consider the risks associated with any specific security event. The assessment establishes the relationship between two equally important variables in the definition of risk; the likelihood of a security event occurring and the impact the event would have if it were to occur.

SIA-licensed security personnel, cameras and access control systems all play a part in protecting a data centre from local crime but, put under scrutiny, they would often fail to protect the business from a crisis. Effective risk assessment, mitigation and business continuity planning are essential in today’s climate of heightened security. The current threat level from international terrorism is ‘SEVERE’ which means that a terrorist attack is highly likely. If a part of the country is disabled for a prolonged period of time, could your data centre continue to operate?

Many people believe that ‘It won’t happen to me’ or ‘It’ll never happen here’ yet we are often surprised by crime statistics and the horror stories of operations ceasing, and disruption to business activity. Surveys after the 9/11 attack in New York indicated that many businesses that were not directly involved in the physical destruction failed to survive after the event. But it does not have to be a major disaster to affect a data centre. The insider threat is always a problem. Low-paid staff can be a target for bribery to help with espionage or theft. A rogue or disaffected employee can cause significant damage if they have access to machinery, stock or data.

A secure data centre has security at its heart and in its culture. Employees should feel comfortable in the workplace, in the knowledge that security checks have been performed on all of the staff and that everybody is happy to wear an identity badge. If a stranger is in the building then staff should feel confident about approaching them and asking if they need help. Suspicious behaviour should be reported without any feeling of possible guilt. A well-rehearsed business continuity plan means that everybody knows exactly what to do if disaster does strike – in any form. All of these things indicate a secure business and technology can play an important role as well.
Upgrading access control systems to one where the card is encrypted and cannot be cloned will help reduce the risk of a deliberate attempt to breach your perimeter. Biometric readers such as fingerprint, palm vein and iris readers ensure that the person requesting access is the authorised individual and not just a person holding the card with the access rights. There is a security professional’s mantra of ‘what you have, what you know and who you are’.

If an area within your building is of a high-security nature then doubling up on identification technology is a good idea. ‘What you have’ could be your access card. ‘What you know’ could be a PIN number entered on a keypad and ‘who you are’ could be your fingerprint. Any combination of these is going to make it more difficult to compromise the system.

CCTV is a common form of security system but it can lead to a false sense of security because if nobody is watching it then all you have is an evidence-gathering tool which may be useful after the event but that may be too late. With the advent of IP security systems it is possible to integrate CCTV with access control so that if an exceptional event occurs then a security officer is notified with video verification. Modern security systems can also fit into the world of ‘Big Data’ and the ‘Internet of Everything’ which are the philosophies behind intelligent buildings that use information management to spot trends to either report on problems or predict an event.

In conclusion, data centre security is about planning both before and after an event. It is about mitigation through procedures and technology and it is about instilling a culture of security awareness in the company. It is my belief that many businesses fall short when it comes to security.

Martin Grigg is a member of the DCA steering group for data centre site access control & security as well as a technical author having recently published his book ‘Integrated Electronic Security – A Layered Approach’.


Should we be sleeping so soundly in our beds?

Steve Hone, Operations Director of the Data Centre Alliance.

MAKING A BUSINESS DECISION on the most appropriate level of physical and operational security is not as straightforward as one might think. On the face of it this question appears to be easily answered – as long as you or your supplier has ISO27001 then it’s job done and a good night’s sleep is assured! If only it were that simple.

The existence of a valid ISO27001 certificate for the data centre in question is something I would strongly advocate; however this only represents one piece of a complex puzzle which needs to be solved if you are to adequately protect your company’s assets.
One’s business assets are not only the buildings you work in but what lies within.

Data and information is the new currency of the 21st Century and keeping this asset safely locked away and only accessible by those pre authorised to polish the silver should be a top priority to all business owners. Simply ticking the ISO27001 box is not enough; whether you opted to build your own DC or plan on outsourcing to a 3rd party hosting provider, it is strongly recommended you dig a little deeper to ensure you have the most appropriate security strategy in place to meet your business needs.

There are a number of specialist security consultancy practices you can call upon for help; however, if you wish to do your own homework, finding this information may prove easier said than done. I’m not saying it’s not out there… initial investigations by the DCA have found a massive amount of information on the subject, and there lies the problem: with so much information available it can quickly become a little overwhelming, and without a map to guide you through the maze it’s difficult to know where to start, or to decide which is the most appropriate route to take.
This very issue has been recognised by the DCA Site Access Control and Physical Security Group which has tasked itself with researching and cataloguing as much of the information in circulation as possible with a view to creating a user/reference guide. Additional work is being carried out in tandem on existing threat identification/mitigation and also data classification metrics to see if these can also be mapped and clarified.

Although it’s early days, I can report that work is progressing well. The objective is not to ‘reinvent the wheel’ but to review what’s already out there, to identify and plug any gaps and to make it easier for stakeholders to find the information they are seeking.
The next group meeting is planned for November and the group is open to any existing DCA member who feels the group would benefit from their specialist knowledge. To find out more or to join this group, please visit the following link: http://www.data-central.org/group/Secrurity