BOSTON -- How do you interest IT security pros in airport baggage checking, or parking lot security guards in spyware...
or denial-of-service attacks? Not easily, according to some who have tried.
However, many of today's attack scenarios put cyber and physical assets in equal peril, and professionals in both arenas need to break out of their silos to ensure true enterprise security.
That's the message a panel of security executives delivered Wednesday during a discussion on merging physical-cyber threats at the 2006 SecureWorld Expo in Boston.
"There are these perceptions that the guy with the gun can't also learn something about electronics," said Anne Oribello, senior information security analyst at Cambridge, Mass.-based Genzyme Corp. She said the security guard may never learn to be an information security guru and vice versa, but they can learn to help each other. "One way to start breaking these perceptions is to put everyone in one room for lunch" and get everyone talking.
Dennis Treece, director of corporate security for the Massachusetts Port Authority (Massport), told the story of an ambitious IT security manager who works for his organization's CIO.
"I suggested his next career step could be in baggage control," Treece said. "But this young lad has absolutely no interest in physical security. His lack of career flexibility surprised me. We need to develop future security leaders by getting our young people to branch out and understand that security is security, whether it's in a parking lot or in a server."
While that may be no easy task, panelists agreed the convergence between IT and physical security is starting to happen. Since an enterprise security threat may no longer limited to just one of those realms, corporations are being pushed toward finding synergy.
L.E. Mattice, VP and CSO at Boston Scientific Corp., said his organization's growing international clientele and the need to protect intellectual property has prompted it to bolster security, and convergence between the cyber and physical arenas has been key to those efforts. But it hasn't been easy.
"Convergence can work if it's done in a collaborative fashion," he said. "People can have a misconception that physical security is what someone does on the other side of the house. We look at all our business units and ask ourselves what we must do across the board to keep things moving at all levels."
"It's all about coordination and checking egos at the door," she said. "It's not about who has the most power. We will not be successful without everyone."
That philosophy was put to the test when Gillette was acquired by consumer products giant Procter & Gamble Co. last year.
Lolli said the combined organization had two Web sites and two incident response policies, but worked together to develop one policy and one site so said that customers and employees would see a unified security effort. She added that IT and physical departments have come together as well and are working off the same page. For example, she said, "Physical security knows when a laptop goes missing."
Glenn Hill, IT security manager for Northeastern University in Boston, said sharing resources with other departments has helped his campus bridge the gap between IT and physical security. In one example, the IT department helped campus police use computers for evidence gathering. They were able to track one suspected lawbreaker electronically and ultimately captured him.
"Threats have multiple faces," he said. "A law enforcement officer may be good at law enforcement but not computers. I can help him with that. Protection is protection, whether it's about how to move the [university] president to a safe space during a security incident or about how to protect IT assets."
In the end, he said, the key to bridging the cyber-physical divide is to "share, share, share."