
Infosec pros need to get 'physical'

Many attack scenarios put cyber and physical assets in equal peril, but security pros say it can be tough getting departments in those arenas to work as one defensive force.

BOSTON -- How do you interest IT security pros in airport baggage checking, or parking lot security guards in spyware or denial-of-service attacks? Not easily, according to some who have tried.

However, many of today's attack scenarios put cyber and physical assets in equal peril, and professionals in both arenas need to break out of their silos to ensure true enterprise security.

That's the message a panel of security executives delivered Wednesday during a discussion on merging physical-cyber threats at the 2006 SecureWorld Expo in Boston.

If a person's business is IT security, said panelists, they're usually content to focus on cyberspace and leave physical security to someone else. If a person's job is to watch for trouble in a parking garage, they're probably not going to be interested in a course on information security.

"There are these perceptions that the guy with the gun can't also learn something about electronics," said Anne Oribello, senior information security analyst at Cambridge, Mass.-based Genzyme Corp. She said the security guard may never learn to be an information security guru and vice versa, but they can learn to help each other. "One way to start breaking these perceptions is to put everyone in one room for lunch" and get everyone talking.

Dennis Treece, director of corporate security for the Massachusetts Port Authority (Massport), told the story of an ambitious IT security manager who works for his organization's CIO.

"I suggested his next career step could be in baggage control," Treece said. "But this young lad has absolutely no interest in physical security. His lack of career flexibility surprised me. We need to develop future security leaders by getting our young people to branch out and understand that security is security, whether it's in a parking lot or in a server."

While that may be no easy task, panelists agreed the convergence between IT and physical security is starting to happen. Since an enterprise security threat may no longer be limited to just one of those realms, corporations are being pushed toward finding synergy.

L.E. Mattice, VP and CSO at Boston Scientific Corp., said his organization's growing international clientele and the need to protect intellectual property have prompted it to bolster security, and convergence between the cyber and physical arenas has been key to those efforts. But it hasn't been easy.

"Convergence can work if it's done in a collaborative fashion," he said. "People can have a misconception that physical security is what someone does on the other side of the house. We look at all our business units and ask ourselves what we must do across the board to keep things moving at all levels."


Melissa Lolli, director of global information security at Boston-based Gillette Co., described efforts in her enterprise to get IT and physical security on the same page. The company set up a steering committee where people from different departments could focus on a single security approach for everyone. One lesson she has learned: Companies can put personnel from the cyber and physical groups together functionally on a chart, but people on both sides have to be willing to work together.

"It's all about coordination and checking egos at the door," she said. "It's not about who has the most power. We will not be successful without everyone."

That philosophy was put to the test when Gillette was acquired by consumer products giant Procter & Gamble Co. last year.

Lolli said the combined organization had two Web sites and two incident response policies, but worked together to develop one policy and one site so that customers and employees would see a unified security effort. She added that IT and physical departments have come together as well and are working off the same page. For example, she said, "Physical security knows when a laptop goes missing."

Glenn Hill, IT security manager for Northeastern University in Boston, said sharing resources with other departments has helped his campus bridge the gap between IT and physical security. In one example, the IT department helped campus police use computers for evidence gathering. They were able to track one suspected lawbreaker electronically and ultimately captured him.

"Threats have multiple faces," he said. "A law enforcement officer may be good at law enforcement but not computers. I can help him with that. Protection is protection, whether it's about how to move the [university] president to a safe space during a security incident or about how to protect IT assets."

In the end, he said, the key to bridging the cyber-physical divide is to "share, share, share."
