In Depth

Combining IT and Physical Security: Taming the Two-Headed Beast

The worlds of IT and physical security are colliding. Find out what to do about it.

By Simone Kaplan

September 04, 2002 — CSO — Two years ago, if you were the head of security for an organization, it meant one of two things. Either you were trying to prevent people with guns from walking through the front door, or you were watching your computer networks like a hawk, maintaining firewalls and patching software to ward off hackers. If you were in charge of the physical side, you were barely aware of the network security side. Let's face it, security guards weren't trained to install antivirus software, and the IS guys didn't know much more about controlling building access.

Well, the wall that separates physical and information security is crumbling fast. At corporations and government agencies nationwide, security leaders are abandoning the fragmented, compartmentalized approach of the past and creating a unified, coordinated program of protecting buildings, people and networks. Executive-level security positions are popping up with increasing frequency as oversight of both IT and physical security is merging into one discipline. And for good reason: Many companies can improve the efficiency and effectiveness of their security strategy by combining the two sides. They can also save money by eliminating redundancy in resources and budget requirements. There's no need to spend thousands of dollars to set up a smart card building access system if your IT group already has the wiring and bandwidth in place for another project.

But security involves much more than just guarded gates and encrypted networks. Privacy, risk management, financial and health-care issues, policy creation and enforcement, and investigations all fall under the rubric of security. Bringing those issues under one roof requires strategic planning, communication and good management skills. That means making sense of responsibilities, says Chris Christiansen, an analyst with IDC (a sister company to CSO's publisher).

"The people who own the gates, guns and guards are often totally independent of the IT people," Christiansen says. "But you have to know who was in the building, where they went, and what parts of the IT system they might have accessed. You need some reconciliation between the two for both to be stronger."

Creating a consolidated approach means policies, procedures and implementation are consistent. So today's CSO needs to find ways to integrate law enforcement and network protection, e-mail and electric fences. For some companies, appointing a CSO to oversee the merging of physical and IT security is a first step toward creating a safer environment.

The Inside Scoop

Putting a company's entire range of security operations under one roof is a trend that's gaining momentum in both the private and public sectors, but it's not by any means a new phenomenon. Like all things security, the trend toward merging the worlds of physical and IT security is getting lots of attention since Sept. 11