Being responsible for the physical security of a campus environment can be a daunting task. Campuses may share similarities, but every campus is different and requires a strategy for master planning before going out and wasting a lot of time and money.
Campus security departments are usually understaffed, under-budgeted and, historically, have had a limited voice in their organization’s budget discussions. The security department is often seen as the outcast, a cost burden and the first to have its budget cut when times get tough. Unlike other organizations, such as the facilities group where government regulations require certain standards (fire sprinklers/alarms, etc.), physical security is left to make it up as they go to convince the higher-ups why it’s important to invest in their programs.
Another problem is many campus security leaders are former law enforcement professionals who try to run their organizations like a police department. Some use fear as their strategy for getting budget without articulating the value of what they are proposing or data to show why an investment is needed. I know many campus security departments are the police, which is problematic as law enforcement is usually behind the curve on innovation and technology.
Don’t get me wrong, I love law enforcement, but we all know it takes an act of Congress to get police to move an inch when it comes to technology. I spent more than 12 years in law enforcement and the past 15 in the private sector managing physical security operations, investigations and technology. My main focus now is on technology (security consulting, planning, design, implementation, solutions and tools). I work for Microsoft, which is composed of more than 850 buildings with over 100,000 employees in more than 200 countries. Microsoft calls many of its locations “campuses,” and they have a similar look and feel to a large college campus environment and hospitals. We have many visitors requiring parking, check-in and escorted access to certain areas. We also share the many challenges of keeping our campuses safe while balancing the need for open areas and easy access.
My goal with this article is not to brag about how big Microsoft’s security organization is. It is to share what I’ve learned over the years to help campus security managers with insights and strategies to help them build a world-class security program.
Technology Improves Officer Productivity
Back when I was a cop, I worked for a small but innovative police department in Redmond, Wash. I was somewhat of a techie cop, and I’ve leveraged technology to help me with my police work since 1989. Back then I truly believed technology was the future, and I purchased my own laptop (Tandy from Radio Shack) with dual floppy drives weighing what felt like 20 pounds with no hard drive. Despite the rudimentary nature of my computer, I could still pump out cases three times faster than fellow rookies who were using manual and electric typewriters. This mindset eventually led me to Microsoft, where my passion is technology and how to leverage it to make the world a safer place.
When I arrived at Microsoft in 2000, the campus had about 35,000 employees, 50 buildings in the Puget Sound and another 200 or so around the nation and internationally. Our physical security technology infrastructure was a hodgepodge of approximately 60 proprietary technologies that didn’t interoperate or scale. We had 15 control centers around the world that were all standalone. It was a mess, and I was tasked to develop a master security plan for the corporation post-9/11 as physical security was now seen as a priority.
I had a lot of smart, talented security professionals on my team and even with this talent, we realized it was crucial to get advice from subject matter experts that specialized in security master planning. Instead of going in-house as many organizations do, I hired a security consulting firm to help us rewrite our business case that would ultimately be used to fund the buildout of three global security operations centers (GSOCs). The consulting firm had institutional knowledge that helped with our decision making and validated, but also discounted, many of our strategies. It was a great sanity check to ensure we didn’t fall prey to our own “smartest guys/gals in the room” group-think.
We reduced our 15 life safety control centers to three GSOCs strategically located around the world in Redmond (Americas), Hyderabad, India (Asia), and Reading, England (Europe, Middle East and Africa). Our master plan for technology called for commercial-off-the-shelf (COTS) solutions to avoid the pitfalls of customized technology solutions. We worked really hard to use COTS for the entire security operations and associated organizational lines of business. The GSOCs we built and operated became the gold standard. We had over 2,000 visits to our center for benchmarking, and many security organizations modeled their GSOCs after Microsoft’s.
However, a common theme I heard during benchmarking visits was, “Yeah, you guys are Microsoft, and we’re just a small organization and don’t have the money or resources to do what you do.”
The Cloud Has Changed Everything
That statement was very true for many years until now. The cloud has changed everything. If you haven’t embraced the cloud already and still love hugging the computer racks in your security operations centers (SOCs), get ready for a rude awakening because the cloud is here to stay.
Many security professionals are apprehensive of using the cloud as it sounds mysterious and risky. They are leery of leveraging the cloud for campus security, but those same security professionals bank online, do their taxes online, use social media, online health services, download apps, etc., and they trust their personal information on those sites. Where do you think all of their personal data is stored? It’s in the cloud.
Not all cloud providers are created equal though. You should do your own research on the cloud. Find out what it means, and if you use a service that’s in the cloud, check out where it’s physically located and hosted.
Many security professionals have asked me, “what is the cloud really, and can you explain it in simple terms?” The cloud is “utility-computing” where your computer resources are managed as services. The cloud is always on. There are multiple redundancies and backups in different geographical locations. It’s dynamic and scalable with very strong security, privacy and compliance requirements.
Unless you’re a doomsday prepper or live in the sticks, most of us pay for our utility services. Think of the cloud as your utility company for computer services. You’re not going to dig a well for water or use a windmill turbine for electricity. When you get home and turn on the light switch, you expect the lights to turn on. When you turn on your tap for water, you expect water to flow, and if it doesn’t you’re making a call to the utility company.
What Is the Cloud?
The simplest way to explain the cloud is comparing it to cooking food for either yourself, your family or for a large party like a wedding you host in your backyard. Items 2, 3 and 4 listed below are all cloud services:
1. On-Premises Computing: You do everything at your home. You plan the menu, buy and prepare the food. You cook the meal in your kitchen. Set the table, serve the meal and when you’re done, you’re responsible for cleaning up the mess. Everything is done by you.
2. Infrastructure as a Service (IaaS): You order some of the food and supplies online, which is delivered to your home. You rent event items such as extra chairs, chafing dishes that you pick up at the rental store and haul to your home. You take care of the cooking and serving it to your guests and clean up.
3. Platform as a Service (PaaS): You leverage more help and services and have caterers bring all of the food, but they use your kitchen to prepare and cook some dishes that weren’t already cooked at their kitchen. They also help to serve your guests while you have another glass of wine. At the end, your staff cleans up the major mess, but you still end up tidying up over time as it’s your house, and you may find a hot wing wedged between your sofa two weeks later.
4. Software as a Service (SaaS): You host your event at a nice hotel ballroom. All you do is work with the hotel’s events management team for an all-inclusive gala event, and at the end of the party you cut a check and leave. The SaaS example can also work for small meals like getting a slice of pizza and beer at your local pizza shop. You pay 10 bucks, have a good slice and a brewski, and you’re done. Your kitchen at home remains spotless. Many apps on your mobile phone work this way where you pay for the software experience as a service and your mobile device is just the hardware used to view and execute on the service.
For you more technical folks, my example is not to insult your intelligence, but it took me a while to figure out the cloud early on and this example was told to me by the Director of Microsoft Justice and Public Safety, Rik Zak, who also happens to be a fire lieutenant in the Chicago suburban area. He briefs a lot of public safety chiefs and commanders, and this example really resonates well with decision makers who may not be that technical.
VSOCs Help Campuses Better Utilize Security Resources
At Microsoft, our global security team has embarked on a new strategic approach to campus security, and we’re pivoting away from GSOCs and evolving to an intelligence-driven, operational-led fusion center VSOC (virtual security operations center). After years of running our own GSOCs, we’ve discovered that a lot of the functions within the GSOC are not focused on life-safety or mission-critical activities. The thousands of signals and false alarms as well as non-security tasks that were absorbed in the GSOC through scope creep have reduced the majority of the GSOC’s function into a low-level call center. The new VSOC model has decision makers either physically within the fusion center or virtually. This is a really hard concept for traditional security managers to buy into and even harder for law enforcement agencies.
With the VSOC fusion center philosophy, you don’t need a security operations center (SOC). A VSOC can be situated anywhere because any alarms or other service calls can be pushed off to third-party security services. I see the future of SaaS (Software as a Service) to also be an acronym for physical security SaaS (Security as a Service). This is where the power of the cloud and security as a service can enable small organizations to operate just like a large corporate enterprise security program.
We have since closed our GSOC in the U.K. and converted the Redmond GSOC to the VSOC fusion center, with our GSOC in India now operating as a security communication center for tier 1 calls for service. The Redmond VSOC fusion center now has high-speed security professionals with decision-making authority managing the operations. The VSOC’s focus is only on mission-critical, life-safety events, and we’re able to quickly assess and address threats without layers of reporting/approval protocols that previously slowed down our response.
Transition to VSOC Requires Planning
We have realized that security as a service is an easier model to manage if you find the right partners for your program. Not all partners will work for everyone. You’ll need to find the best options based on your organization’s needs and requirements. Then the appropriate planning, diligence and strategy are required before spending a lot of money on in-house security services or technology solutions. This is where a good consulting firm with excellent experience and track record can help with your strategy. Don’t just take their word for it either, ask for references and do benchmarking with their references. If they are as good as they advertise, then their clients should be singing their praises.
Whether your current security program is very mature or just starting out, please consider this info for your security planning. Many organizations struggle getting out of the gate and are just keeping the trains running. But if you take the time to plan and leverage SaaS security partners to help you craft a strategy and speak in terms that your finance directors, controllers, or CFOs understand, you’d be surprised at what you can accomplish.
Brian Tuskan is Microsoft’s Senior Director of Global Security Technology, Services and Investigations.