NEW YORK -- The convergence of IT and physical security departments within the enterprise, once thought an impossibility, is becoming an inevitability.
The two units have distinct responsibilities and report to different layers of the corporate food chain, but recent economic doldrums and the foreboding possibility of more terrorism are causing the two to collide, security professionals said Wednesday at the Infosecurity Conference & Exhibition 2002.
"The two seldom talk, but that is changing," said Robert F. Fox, vice president and chief security officer of Sprint. "We are seeing a consolidation of traditional and technical security. I'm not convinced that movement is any more than an inch, however."
Not surprisingly, the mission of both departments is identical: prevent the malicious actions of others. IT security aims its abilities at preventing data loss and interruption of network services. Traditional security, on the other hand, focuses on keeping human and physical assets safe.
"We provide a secure environment to allow the company to carry out its mission," said William J. McKool, vice president and director of business development for Corporate Security Services. McKool is a former security consultant with Kroll, where he serviced more than 250 projects for prominent firms like Bear Stearns, IBM Corp., MasterCard and others. "I really don't care if someone hacks their way in [to a network]. I'm concerned about whether someone will try to blow it up."
Post September 11, IT and traditional security are finding each other indispensable as enterprises shore up their disaster recovery and business continuity initiatives and place a premium on both levels of security.
The two overlap in other areas. The most noteworthy is access control and authentication. Many companies use smart cards, for example, as a means of authentication for access to buildings and specific offices as well as for access to IT networks and even some applications.
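Where one credential opens both the front door and the network, the two departments' logs can check each other. The following is an added example, not code from the article or from any of the companies it quotes: it correlates a constructed badge-reader log with a constructed workstation-login log and flags any login at an in-building workstation by a user who has not badged in within the preceding window. The host naming scheme (`HQ-WS-` prefix for on-site workstations), the twelve-hour window and all log entries are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (timestamp, user, location). Not taken from the article.
BADGE_EVENTS = [
    ("2002-12-04T08:02:00", "jdoe", "HQ-lobby"),
    ("2002-12-04T08:15:00", "asmith", "HQ-lobby"),
]
LOGIN_EVENTS = [
    ("2002-12-04T08:10:00", "jdoe", "HQ-WS-014"),    # badged in 8 minutes earlier: consistent
    ("2002-12-04T07:55:00", "asmith", "HQ-WS-021"),  # console login before any badge-in: flag
    ("2002-12-04T09:30:00", "mlee", "HQ-WS-007"),    # no badge-in at all that day: flag
    ("2002-12-04T22:10:00", "jdoe", "VPN"),          # remote access, not an on-site host: skipped
]

# Assumed conventions: on-site workstation hostnames share a prefix, and a
# badge-in is considered to "cover" logins for the next twelve hours.
SITE_PREFIX = "HQ-WS-"
WINDOW = timedelta(hours=12)


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed logs."""
    return datetime.fromisoformat(ts)


def find_unbadged_logins(badge_events, login_events,
                         site_prefix=SITE_PREFIX, window=WINDOW):
    """Return (user, host, timestamp) for every on-site login that has no
    badge-in by the same user within `window` before the login."""
    badge_times = defaultdict(list)
    for ts, user, _door in badge_events:
        badge_times[user].append(parse_ts(ts))

    findings = []
    for ts, user, host in login_events:
        if not host.startswith(site_prefix):
            continue  # only physical-presence hosts are subject to this check
        login_at = parse_ts(ts)
        covered = any(login_at - window <= b <= login_at
                      for b in badge_times.get(user, []))
        if not covered:
            findings.append((user, host, ts))
    return findings


if __name__ == "__main__":
    for user, host, ts in find_unbadged_logins(BADGE_EVENTS, LOGIN_EVENTS):
        print(f"{ts} {user} logged in at {host} with no prior badge-in")
```

A hit does not prove wrongdoing: it may be a propped door, a shared badge, a visitor tailgating, or a reader outage. The value is that neither department could raise the question from its own log alone.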
Still, despite the same mission, they often report to the heads of different departments, delaying the inevitable convergence of the two.
Fox, the Sprint CSO, said that a few CSOs have absorbed physical security as part of their responsibilities and that, for the most part, chief information security officers (CISOs) are turning into strictly technical security officers.
Fox said he prefers the term "traditional security" to "physical security." The term encompasses several areas, he said, including physical security, policy writing and enforcement, incident investigation, disaster recovery and business continuity. IT security, meanwhile, includes network security, information security, access control, authentication and, likewise, disaster recovery and business continuity.
"You will see more enterprises combine traditional security and IT security in one organization," Fox said. "Lousy physical security kills great technology. I can install the greatest technology, but it doesn't do me any good if a 12-year-old can break in at night and smash all my systems with a baseball bat. You have to have both, and both must be good."
McKool also said that management support is essential for deploying a security policy, educating users and enforcing the policy once it is in place. IT faces a similar struggle, said Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc.
"The problem is that users don't understand that some inadvertent action can have consequences," Schneier said.
McKool offered the example of securing access to a building with an expensive biometric technology, only to have that negated by someone propping open a door with a wedge.
"We have to deal with the fact that people want electronic answers for poor policies," McKool said. "The answer is creating workable policies and procedures and enforcing them."