Two years ago, if you were the head of security for an organization, it meant one of two things. Either you were trying to prevent people with guns from walking through the front door, or you were watching your computer networks like a hawk, maintaining firewalls and patching software to ward off hackers. If you were in charge of the physical side, you were barely aware of the network security side. Let's face it, security guards weren't trained to install antivirus software, and the IS guys didn't know much more about controlling building access.
Well, the wall that separates physical and information security is crumbling fast. At corporations and government agencies nationwide, security leaders are abandoning the fragmented, compartmentalized approach of the past and creating a unified, coordinated program of protecting buildings, people and networks. Executive-level security positions are popping up with increasing frequency as oversight of both IT and physical security is merging into one discipline. And for good reason: Many companies can improve the efficiency and effectiveness of their security strategy by combining the two sides. They can also save money by eliminating redundancy in resources and budget requirements. There's no need to spend thousands of dollars to set up a smart card building access system if your IT group already has the wiring and bandwidth in place for another project.
But security involves much more than just guarded gates and encrypted networks. Privacy, risk management, financial and health-care issues, policy creation and enforcement, and investigations all fall under the rubric of security. Bringing those issues under one roof requires strategic planning, communication and good management skills. That means making sense of responsibilities, says Chris Christiansen, an analyst with IDC (a sister company to CSO's publisher).
"The people who own the gates, guns and guards are often totally independent of the IT people," Christiansen says. "But you have to know who was in the building, where they went, and what parts of the IT system they might have accessed. You need some reconciliation between the two for both to be stronger."
Creating a consolidated approach means policies, procedures and implementation are consistent. So today's CSO needs to find ways to integrate law enforcement and network protection, e-mail and electric fences. For some companies, appointing a CSO to oversee the merging of physical and IT security is a first step toward creating a safer environment.
The Inside Scoop
Putting a company's entire range of security operations under one roof is a trend that's gaining momentum in both the private and public sectors, but it's not by any means a new phenomenon. Like all things security, the trend toward merging the worlds of physical and IT security is getting lots of attention since Sept. 11—the call for unified oversight is currently the preoccupation in Washington, on the heels of reports that the FBI and CIA dropped the ball in coordinating investigative efforts—but some have been doing it, or at least thought about doing it, years before security became the nation's number-one priority.
In fact, some see merging the two as a natural evolution of business practices. "We went from writing with pencil and paper to using a typewriter to the computer," points out Marty Lindner, team leader of incident handling at CERT Coordination Center. "Saying the physical [security] and IT are merging is like saying the typewriter and cyberworlds are merging. It's not an earthshaking change in security policy. It's a natural evolution toward learning how to use computers in areas where they were never used before, like tracking who's coming in and out of a building."
The move to combine the physical and information sides of security can be chalked up to three primary factors. First, technology began encroaching on what had traditionally been the territory of physical security. Second, bad economic conditions forced companies to scrutinize and improve their business processes. And third, security threats evolved from random instances to well-planned incursions on network and building security. Companies have become more computer- and Internet-dependent, and thieves and hackers have become more cunning. During the past five years, theft of intellectual property, identities and credit card numbers has stopped corporations and government agencies in their tracks. And internally, disgruntled employees have thrown computer networks for a loop.
"Security is security, whether it's in the physical or IT realm," says Bob Fox, vice president and CSO of Sprint corporate security. When Fox became CSO six years ago, Sprint's internal audit group members were fed up with the lack of attention that their security audits garnered from the senior executives, so they hired a major consulting firm to evaluate the company's information security. Their gambit worked. The consultant's report revealed exactly what the internal auditors had noted for years: Sprint's seven independent security organizations had developed disparate procedures and policies, were buying redundant, incompatible equipment, and were spending large amounts of money on functions that could easily be consolidated. The report also uncovered holes in Sprint's security coverage. Essentially, the seven security groups didn't collaborate, and as a result, there were tasks that no one did because each group assumed another had it covered.
"The executive management team decided to consolidate all security into one organization with one leader who could look out for the entire corporation," Fox says. Managing the merge was one of the first things Fox did as CSO. The executive management's mandate created a strong team bond and cleared up all possible turf issues, Fox says. Merging departments also simplified the budget process at Sprint. Fox oversees a single corporate security budget, which is doled out by group to each of his internal security departments.
"When we do a security assessment, we start with the physical and go through all elements into the technical security," he says. "Both sides are learning more about each other, and I have employees who have asked to be moved into different parts of the security organization so that they can improve their technical or traditional skills."
Developing dexterity in both the physical and IT arenas is increasingly important as traditional physical security practices become more reliant on digital tools. Name tags and guest books have been replaced by smart cards that allow cardholders access to buildings and computer networks.
Business and security leaders now see that networks can be successfully secured, but if someone can physically get into the building and do something as simple as pull out a power cord, networks and businesses will remain vulnerable. Reliance on IT security alone is no longer sufficient for protecting networks, says Richard Maurer, senior director for the physical security group at Kroll, a security and protection services company in New York City, and member of the physical security council of ASIS International (formerly known as the American Society for Industrial Security). Strengthening physical security is vital to securing a company's assets.
Maurer tells the story of visiting a dotcom to do a security assessment. The company's owners bragged endlessly about how secure their network and phone room was, but they'd never looked beyond the confines of their office. "We said, 'Follow us,' went down the elevator to the ground floor, poked around a bit and found an unlocked door that led to a room containing every phone line in the building," he says. "Anyone with a pair of nail clippers could have taken their network out."
Merging the tools of the trade has made responsibility and oversight more complicated as security and IT leaders are forced to ask who's in charge of what. But budgeting for consolidated security operations can actually make your relationship with the CEO and CFO stronger while keeping more money in your department's pockets. "The selling point for creating a single security office is the cost savings," says Eduard Telders, security manager at Pemco Financial Services, a Seattle-based group of independently owned insurance companies. Security is a cost center, and the value of preventing a possible attack is difficult to quantify in terms of revenue. Consequently, the security budget is an easy target when budgets are tight. "You save by creating a single department out of multiple departments, which eats up much less money," Telders says. "Having a single security budget helps protect you from cost-cutting measures."
While doing security assessments for Kroll, Maurer consulted with several Fortune 100 companies that were about to purchase new fiber cable and data storage for IP-based surveillance cameras. Maurer recommended asking their IT departments if they had extra cable on hand and available space on their network. They did, and that coordination alone saved the companies tens of thousands of dollars.
"The two groups simply have to talk to each other," he says. "That's where having a manager who oversees them both is beneficial."
A consolidated security force also enables the CSO to create a unified approach to threats via coordinated plans and processes. Consider terminations, for example. If an employee quits or is fired, does your company have a coordinated process in place to block his electronic access to the building and shut off his e-mail (in other words, a deprovisioning process)?
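The reconciliation Christiansen describes (knowing who was in the building and what systems they touched) and the coordinated deprovisioning process raised above come down to the same thing: comparing what the badge system says with what the directory says. The script below is an added example written for this article, not a tool from any of the organizations quoted; the user names, door names, hosts and dates are constructed sample data. It runs three checks a CSO who owns both sides could ask for: separated employees with any access path still open, badge or login activity by a separated employee after their last day, and on-site logins on a day with no badge entry for that person.

```python
"""Reconcile badge-system state and events with directory/login state and events.

Constructed sample data throughout; no real people, systems or dates.
"""
from dataclasses import dataclass
from datetime import datetime, date


@dataclass(frozen=True)
class AccessState:
    """What the badge system and the directory report for one person."""
    user: str
    badge_active: bool
    account_enabled: bool
    mailbox_enabled: bool


# HR's list of separations: user -> last day of employment (constructed).
TERMINATIONS = {
    "jdoe": date(2002, 6, 3),
    "asmith": date(2002, 6, 10),
    "bwong": date(2002, 7, 1),  # future separation; nothing to check yet
}

# Snapshot of both systems at the time of the reconciliation run (constructed).
ACCESS_STATES = {
    "jdoe":   AccessState("jdoe",   badge_active=False, account_enabled=False, mailbox_enabled=True),
    "asmith": AccessState("asmith", badge_active=True,  account_enabled=False, mailbox_enabled=False),
    "bwong":  AccessState("bwong",  badge_active=True,  account_enabled=True,  mailbox_enabled=True),
    "clee":   AccessState("clee",   badge_active=True,  account_enabled=True,  mailbox_enabled=True),
}

# Badge reader events: (timestamp, user, door, result) (constructed).
BADGE_EVENTS = [
    (datetime(2002, 6, 12, 8, 2),  "clee",   "lobby-north", "GRANTED"),
    (datetime(2002, 6, 12, 8, 40), "asmith", "lobby-south", "GRANTED"),  # badge still live after separation
    (datetime(2002, 6, 12, 9, 15), "jdoe",   "lobby-north", "DENIED"),
]

# Directory/VPN login events: (timestamp, user, host, location) (constructed).
LOGIN_EVENTS = [
    (datetime(2002, 6, 12, 8, 10), "clee",   "ws-1042", "onsite"),
    (datetime(2002, 6, 12, 9, 30), "mpatel", "ws-0311", "onsite"),  # on-site login, no badge entry that day
    (datetime(2002, 6, 12, 21, 5), "clee",   "vpn-gw",  "remote"),
]


def deprovisioning_gaps(terminations, states, as_of):
    """For every separation on or before as_of, list the access paths still open."""
    gaps = {}
    for user, last_day in terminations.items():
        if last_day > as_of:
            continue
        state = states.get(user)
        if state is None:
            gaps[user] = ["unknown to both systems"]
            continue
        still_open = [name for name, flag in (("badge", state.badge_active),
                                              ("account", state.account_enabled),
                                              ("mailbox", state.mailbox_enabled)) if flag]
        if still_open:
            gaps[user] = still_open
    return gaps


def activity_after_termination(terminations, badge_events, login_events):
    """Badge swipes (granted or denied) and logins by a separated user after their last day."""
    findings = []
    for ts, user, door, result in badge_events:
        last_day = terminations.get(user)
        if last_day and ts.date() > last_day:
            findings.append((ts, user, f"badge {result} at {door}"))
    for ts, user, host, location in login_events:
        last_day = terminations.get(user)
        if last_day and ts.date() > last_day:
            findings.append((ts, user, f"login to {host} ({location})"))
    return sorted(findings)


def onsite_logins_without_badge(badge_events, login_events):
    """On-site logins on a calendar day with no granted badge entry for that user."""
    badged_in = {(ts.date(), user) for ts, user, _door, result in badge_events if result == "GRANTED"}
    return [(ts, user, host) for ts, user, host, location in login_events
            if location == "onsite" and (ts.date(), user) not in badged_in]


if __name__ == "__main__":
    as_of = date(2002, 6, 12)
    for user, paths in deprovisioning_gaps(TERMINATIONS, ACCESS_STATES, as_of).items():
        print(f"DEPROVISIONING GAP {user}: still open -> {', '.join(paths)}")
    for ts, user, what in activity_after_termination(TERMINATIONS, BADGE_EVENTS, LOGIN_EVENTS):
        print(f"POST-SEPARATION ACTIVITY {ts:%Y-%m-%d %H:%M} {user}: {what}")
    for ts, user, host in onsite_logins_without_badge(BADGE_EVENTS, LOGIN_EVENTS):
        print(f"NO BADGE ENTRY {ts:%Y-%m-%d %H:%M} {user}: logged in on-site at {host}")
```

The first check is the one a consolidated department can run and a split one usually cannot: with the sample data it shows that jdoe's mailbox was never shut off and asmith's badge was never pulled, each side having assumed the other was done. The second check catches the live badge actually being used, and the third flags a workstation login with no matching entry record, which is a question for the analyst rather than an alarm (a held door or a tailgated entry is the usual benign answer), but one that only gets asked when both logs land in the same place.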
"If I wanted to steal something like the designs for a new product, I could try to hack into the back-office research," says Steve Hunt, a research analyst with Giga Information Group. "Or I could call someone in R&D and use social engineering to see if they'll give them to me. I could even walk through the front door and impersonate a contractor or an employee to gain access to the information," he adds. "These days, the threats are intertwined. The physical and IT [security] guys have to be operating on a coordinated response plan where everyone is on the same page."
Geeks and Cops
Despite the weight of opinion in favor of merging the two disciplines, getting people from both sides of the track to work together is, of course, no easy task. Finding and training qualified personnel, establishing new reporting structures and overcoming turf wars among traditionally independent departments are just a few of the challenges of bringing disparate security organizations together.
Foremost is the issue of experience. Security personnel tend to come up through the ranks in very different ways. On the physical side, many are former cops, FBI agents or Secret Service agents. Most IT security staff have come up the IT ladder. The two disciplines require vastly different skill sets—your average IT executive probably doesn't know how to take down someone waving a gun, and not many ex-cops can configure a firewall. "Combining these skills is optimal for a CSO but is very rare," says Hunt.
CSOs with a background in one specialty and not the other will gravitate to where their strength lies and solve problems using what they know.
Some CSOs are responding to the challenge by getting certified in whichever specialty they know least. Telders started out modeling computer systems, became a CISSP (Certified Information Systems Security Professional) and, in order to get a better grasp on the physical security side of his job, earned the Certified Protection Professional, or CPP, certification from ASIS International. Baklarz also came up through the IT ranks, became a CISSP and is in the process of getting a CPP. "That way I'll have a better appreciation of what the physical side entails," he says. Although he doesn't see many of his peers getting certified in physical protection, Baklarz thinks doing so will make executives more marketable. "It's also a good idea for physical security experts to get certified in infosec," he says, "but the learning curve is steeper and the process will take longer."
To be a CISSP, you have to work in the infosec field for a minimum of three years. There's no such requirement to get a CPP certification. "I would never line up my knowledge of physical security against experts in the field
Fox has put in time on both sides of the track and oversees Sprint's entire security operation. He earned a bachelor's and master's from Michigan State in criminal justice with a concentration in security administration and spent several years as a police detective in Michigan. He doesn't have a CISSP, but he has 40 technical employees who do.