
Infosec pros need to get 'physical'

By Bill Brenner, Senior News Writer
20 Mar 2006 | SearchSecurity.com

Security Wire Daily News

BOSTON -- How do you interest IT security pros in airport baggage checking, or parking lot security guards in spyware or denial-of-service attacks? Not easily, according to some who have tried.

However, many of today's attack scenarios put cyber and physical assets in equal peril, and professionals in both arenas need to break out of their silos to ensure true enterprise security.

That's the message a panel of security executives delivered Wednesday during a discussion on merging physical-cyber threats at the 2006 SecureWorld Expo in Boston.

If a person's business is IT security, said panelists, they're usually content to focus on cyberspace and leave physical security to someone else. If a person's job is to watch for trouble in a parking garage, they're probably not going to be interested in a course on information security.

"There are these perceptions that the guy with the gun can't also learn something about electronics," said Anne Oribello, senior information security analyst at Cambridge, Mass.-based Genzyme Corp. She said the security guard may never learn to be an information security guru and vice versa, but they can learn to help each other. "One way to start breaking these perceptions is to put everyone in one room for lunch" and get everyone talking.

Dennis Treece, director of corporate security for the Massachusetts Port Authority (Massport), told the story of an ambitious IT security manager who works for his organization's CIO.

"I suggested his next career step could be in baggage control," Treece said. "But this young lad has absolutely no interest in physical security. His lack of career flexibility surprised me. We need to develop future security leaders by getting our young people to branch out and understand that security is security, whether it's in a parking lot or in a server."

While that may be no easy task, panelists agreed the convergence between IT and physical security is starting to happen. Since an enterprise security threat may no longer be limited to just one of those realms, corporations are being pushed toward finding synergy.

L.E. Mattice, VP and CSO at Boston Scientific Corp., said his organization's growing international clientele and the need to protect intellectual property have prompted it to bolster security, and convergence between the cyber and physical arenas has been key to those efforts. But it hasn't been easy.

"Convergence can work if it's done in a collaborative fashion," he said. "People can have a misconception that physical security is what someone does on the other side of the house. We look at all our business units and ask ourselves what we must do across the board to keep things moving at all levels."

Melissa Lolli, director of global information security at Boston-based Gillette Co., described efforts in her enterprise to get IT and physical security on the same page. The company set up a steering committee where people from different departments could focus on a single security approach for everyone. One lesson she has learned: Companies can put personnel from the cyber and physical groups together functionally on a chart, but people on both sides have to be willing to work together.

"It's all about coordination and checking egos at the door," she said. "It's not about who has the most power. We will not be successful without everyone."

That philosophy was put to the test when Gillette was acquired by consumer products giant Procter & Gamble Co. last year.

Lolli said the combined organization had two Web sites and two incident response policies, but worked together to develop one policy and one site so that customers and employees would see a unified security effort. She added that IT and physical departments have come together as well and are working off the same page. For example, she said, "Physical security knows when a laptop goes missing."

Glenn Hill, IT security manager for Northeastern University in Boston, said sharing resources with other departments has helped his campus bridge the gap between IT and physical security. In one example, the IT department helped campus police use computers for evidence gathering. They were able to track one suspected lawbreaker electronically and ultimately captured him.

"Threats have multiple faces," he said. "A law enforcement officer may be good at law enforcement but not computers. I can help him with that. Protection is protection, whether it's about how to move the [university] president to a safe space during a security incident or about how to protect IT assets."

In the end, he said, the key to bridging the cyber-physical divide is to "share, share, share."
