Convergence Part 2

by msecadm4921

The convergence of physical and IT security management – by James Willison.

The convergence of physical and IT security management is an area of growing interest for security professionals and is also proving to be an effective way of developing a sound business security strategy. It certainly has a great appeal to company directors who are looking at mitigating all forms of security risk in a unified policy. However, William Crowell, former deputy director of the National Security Agency in the U.S., indicates, in a book published this year, that the current situation is far from integrated.

"Today commercial industry is too slow to embrace security convergence in a significant way and we are less prepared than we should be. A lack of technology is not the issue in solving the problem. A collaboration of effort around the concept of establishing a 'mutual defence' is required."

(Contos, 2007: xxiv)

In 2004 I worked on a project with BP and nine other global organisations which involved interviewing senior corporate and IT security leaders about the case for integration. The results of this interview process and an analysis of the available literature led to a series of eight recommendations for future security policy. They formed the basis of my Master’s thesis. I submit them, together with relevant quotations from Dave Tyson’s recent book, "Security Convergence", for further consideration. It has become clear that, as security professionals, it is now crucial to begin or further our collaboration with those in the IT security realm.

The Deloitte Global Security Survey of Financial Institutions in 2006 found that relatively few companies are working at convergence (24%) but nevertheless concluded,

"As information security and the role of the CISO continue to evolve in terms of scope of responsibility and value, and as formal risk management efforts become more integrated and cross functional, it will likely become increasingly clear that the logical and physical areas of the organization can contribute more value together than apart."

(www.deloitte.com)

It is recognised that the formation of a single security department would take some time to achieve and would require the authority and support of the board of directors. The following recommendations could form the foundations of such a process.

1. A Holistic View of Security

First, the board of directors and the heads of physical and IT security need to adopt a comprehensive and holistic view of corporate security which sees it as a ‘broad strategic activity’ that includes all areas of security risk. At this point the business’ security needs should be assessed and appropriate solutions considered. These will include physical and digital security countermeasures. It is particularly important that the company’s culture and vision are understood and a meaningful policy written and endorsed by senior management. This will give the security function the necessary authority to follow through on its recommendations. Dave Tyson has found, in his experience as Senior Manager, IT and Physical Security for the City of Vancouver, that a comprehensive security policy ‘meets all the needs of the business requirement, considers all risks for the assets, and reduces the stakeholder time (by up to 50%) necessary to evaluate the policy viability and appropriateness’ (Tyson, 2007: 108).

2. Co-operation on Shared Areas of Security Risk

Second, the two teams should be encouraged to communicate and co-operate more on shared areas of security risk. They should be allowed to state their views and concerns without feeling that the other side will exploit any apparent weakness. The whole point of unity is to gain from each other’s expertise and enjoy mutual respect. This should strengthen the relationship between them. Dave Tyson cites the field of investigation as an example,

"Now that we see the volume of personal information stored in electronic form in our organizations increasing on an exponential scale along with the interconnected nature of attacks, it is often difficult to say whether an investigation should be handled solely by IT or Physical security. The threats have converged, and this leads us to the immutable fact that, in order to properly respond to investigations of cyber crime and crimes against people and their information, our investigation techniques are going to have to converge as well."

(ibid. p 82)

3. The Formation of a Single Security Function

Third, the sections should be united into one function and a Chief Security Officer appointed to lead the new department. This person could be either a physical or an IT security specialist, provided he or she has the full support of both groups and the confidence of the board of directors that all aspects of security will now be more effectively handled. Alternatively, some companies may prefer that the new team is co-led by the CSO and the CISO.

Historically the two functions have operated independently and rarely worked together. This led to the formation of security silos and the widening of the gap between them. Some of this is probably due to the fact that most IT security specialists work in isolation from the physical security team and as a part of the IT department. The Deloitte survey indicates that there are other factors,

"This approach is due, in part, to the fact that IT security has been primarily viewed as an IT issue and that physical or corporate security has been concerned mostly with the process of keeping the 'bad guys' out. Another factor in this approach has been the wide disparity between the business and IT functions in relation to competencies, compensation, inter-organizational perception and reporting structures."

If the company culture does not favour such a strategy, it may be possible to establish a single reporting chain with the Chief Risk Officer or another board member as the executive who has responsibility for both areas of security. This would still be a far more unified approach than the current situation.

4. Introduction of a Smart Card Access Control System (SCACS)

Fourth, now working as a single function, the security department should introduce a smart card system which aims to record accurate audit trails of personnel in physical and digital locations. This is a particularly significant way in which an organization can begin to see the benefits of convergence, but it may not be appropriate for all those attempting integration to put this in place. If implemented, the team will need to establish a central alarm monitoring system which enables administrators to respond to unauthorised access in real time so that vulnerable servers and files can be protected.

5. CSO to Advise Other Business Units of the Advantages of the SCACS

Fifth, the Chief Security Officer should contact the leaders of all other business group functions to advise them of the advantages of the new smart card system and in particular show how productivity is increased following its implementation. He or she would refer to the confidence personnel can have that only those authorised to do so can access sensitive data.
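The unified audit trail and real-time alarm monitoring that recommendation 4 describes rest on one technical step: replaying physical badge events and network logon events in a single time order and flagging combinations that should not occur. The following Python script is an added example written for this page, not code from the article or from any access control vendor; the log line format, the site names, the user names and the alert thresholds are all constructed for illustration. It flags a network logon by someone with no badge-in on record at that site, a logon at one site while the person is badged in at another, and a burst of denied badge attempts at a door.

```python
"""Unified physical/logical audit trail: correlate badge and logon events.

Added example, not code from the article or from any vendor's product. The
log format, site names, user names and thresholds are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # badge_in | badge_out | badge_denied | logon
    user: str
    site: str     # site of the door reader, or of the workstation logged on to
    detail: str   # door id or hostname


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-timestamp> <kind> <user> <site> <detail>'."""
    ts, kind, user, site, detail = line.split()
    return Event(datetime.fromisoformat(ts), kind, user, site, detail)


Alert = Tuple[datetime, str, str, str]   # (when, rule, user, message)


def correlate(events: Iterable[Event], denied_threshold: int = 3,
              denied_window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Replay events in time order and return the alerts a central monitor would raise."""
    present: Dict[Tuple[str, str], datetime] = {}        # (user, site) -> badge-in time
    denied: Dict[Tuple[str, str], List[datetime]] = {}   # (user, site) -> recent denials
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.site)
        if ev.kind == "badge_in":
            present[key] = ev.ts
            denied.pop(key, None)
        elif ev.kind == "badge_out":
            present.pop(key, None)
        elif ev.kind == "badge_denied":
            # Keep only denials inside the sliding window, then count this one.
            recent = [t for t in denied.get(key, []) if ev.ts - t <= denied_window]
            recent.append(ev.ts)
            if len(recent) >= denied_threshold:
                alerts.append((ev.ts, "repeated_badge_denied", ev.user,
                               f"{len(recent)} denied attempts at {ev.site} {ev.detail}"))
                recent = []   # reset so one burst produces one alert
            denied[key] = recent
        elif ev.kind == "logon":
            if key in present:
                continue      # badged in at the workstation's site: normal
            elsewhere = sorted(s for (u, s) in present if u == ev.user)
            if elsewhere:
                alerts.append((ev.ts, "logon_at_other_site", ev.user,
                               f"logon on {ev.detail} at {ev.site} while badged in at "
                               f"{', '.join(elsewhere)}"))
            else:
                alerts.append((ev.ts, "logon_without_badge", ev.user,
                               f"logon on {ev.detail} at {ev.site} with no badge-in on record"))
    return alerts


# Constructed sample feed. Expected alerts: bob (no badge-in), carol (badged in
# at DC2, logon at HQ), dave (three denied attempts), alice (logon after badge-out).
SAMPLE_LOG = """\
2024-03-01T08:02:11 badge_in alice HQ door-3
2024-03-01T08:05:40 logon alice HQ ws-hq-17
2024-03-01T08:20:05 logon bob HQ ws-hq-22
2024-03-01T09:00:00 badge_in carol DC2 door-1
2024-03-01T09:01:30 logon carol HQ ws-hq-31
2024-03-01T12:30:00 badge_denied dave HQ door-3
2024-03-01T12:31:00 badge_denied dave HQ door-3
2024-03-01T12:32:30 badge_denied dave HQ door-3
2024-03-01T17:45:00 badge_out alice HQ door-3
2024-03-01T18:10:00 logon alice HQ ws-hq-17
"""


def demo() -> List[Alert]:
    """Run the correlation over the embedded sample feed."""
    return correlate(parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())


if __name__ == "__main__":
    for when, rule, user, msg in demo():
        print(f"{when.isoformat()} {rule:24} {user:6} {msg}")
```

Run the file to print the alerts raised by the embedded sample feed. In a real deployment the two streams would come from the access control server and the directory's logon audit, and the site of a workstation would be resolved from an asset record rather than carried in the log line; the replay logic stays the same.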
It could also be shown that, since passwords are securely stored on the card, less time will be lost from being denied access to the network and obtaining password resets. This is a significant return on investment which is worth stressing.

6. The Board of Directors to be Informed of All Major Security Incidents

Sixth, the board of directors should be kept informed of all major security incidents which are recorded by the new department. In this respect they will be able to comply with the legislation outlined in the Data Protection Act 1998 and the Sarbanes-Oxley Act 2002. The security group will be in an excellent position to conduct investigations, and the reports will be accurate enough to meet the law’s requirements.

7. Establish a Common Line of Reporting

Seventh, a common line of reporting should be established. This will enable the experts from both fields to examine security vulnerabilities together and ensure all incidents receive the attention they deserve. It will promote respect for those who succeed in identifying new areas of risk and for the specialists who provide solutions to the problems it raises. This is important as it will also ensure good levels of morale in the new department. This will have a vital impact on the relationship with senior management and the board, for as Dave Tyson explains,

"Instead of reviewing two security metrics reports or having presentations by two security departments and then having to integrate the risks of both presentations, leaders can now get one report document or presentation that provides a snapshot of all security risks across the organization" (Tyson, 2007: 18).

8. Recommend the Implementation of a Common IP Network

Finally, the CSO should recommend to the board of directors the implementation of an identity management solution (such as those available from IBM or Cisco) which includes operating the corporate digital infrastructure on a common IP network. This will allow IP video, alarms, voice and data to be streamed through the network and strengthen the unity of the security function. It will provide greater efficiency and accuracy in responding to incidents. It will of course be necessary to have a backup system in place. Dave Tyson believes that the ability of an organization to adopt such a policy will set it apart from its rivals and so increase its competitive edge.

"The ability to integrate the traditional physical security systems (such as access control and CCTV) into the company data network allows the organization to take advantage of economies of scale, and to leverage the existing infrastructure to deliver many benefits to the organization. These benefits can include utilizing the existing transmission medium (such as the corporate data network) which reduces costs and increases reliability." (ibid. p 54)

It is perhaps only the converged security team which will actually have sufficient status with the board of directors to carry out effective security policies with their support and financial backing. The importance of the security function will be elevated and enhanced by this unity, and both areas will benefit as senior management perceives the group’s strategic value.

About the author

James Willison was awarded an MA by Loughborough University in July 2005 for his work on "The case for the integration of corporate physical and IT security". He can be contacted at [email protected]

References

Contos, B. T. (2007) ‘Physical and Logical Security Convergence.’ Elsevier Inc.
Deloitte (2006) ‘2006 Global Security Survey’, www.deloitte.com.
Tyson, D. (2007) ‘Security Convergence: Managing Enterprise Risk.’ Elsevier Inc.

(As reported fully elsewhere on this site: the UK arm of the security body ASIS – Chapter 208 (United Kingdom) adds: James Willison has agreed to join the main UK Chapter 208 Committee as "convergence lead".)
