In Depth

Combining IT and Physical Security: Taming the Two-Headed Beast

The worlds of IT and physical security are colliding. Find out what to do about it.

By Simone Kaplan

In fact, some see merging the two as a natural evolution of business practices. "We went from writing with pencil and paper to using a typewriter to the computer," points out Marty Lindner, team leader of incident handling at CERT Coordination Center. "Saying the physical [security] and IT are merging is like saying the typewriter and cyberworlds are merging. It's not an earthshaking change in security policy. It's a natural evolution toward learning how to use computers in areas where they were never used before, like tracking who's coming in and out of a building."

The move to combine the physical and information sides of security can be chalked up to three primary factors. First, technology began encroaching on what had traditionally been the territory of physical security. Second, bad economic conditions forced companies to scrutinize and improve their business processes. And third, security threats evolved from random instances to well-planned incursions on network and building security. Companies have become more computer- and Internet-dependent, and thieves and hackers have become more cunning. During the past five years, intellectual property theft, identity theft and credit card theft have stopped corporations and government agencies in their tracks. And internally, disgruntled employees have thrown computer networks for a loop.

"Security is security, whether it's in the physical or IT realm," says Bob Fox, vice president and CSO of Sprint corporate security. When Fox became CSO six years ago, Sprint's internal audit group members were fed up with the lack of attention that their security audits garnered from the senior executives, so they hired a major consulting firm to evaluate the company's information security. Their gambit worked. The consultant's report revealed exactly what the internal auditors had noted for years: Sprint's seven independent security organizations had developed disparate procedures and policies, were buying redundant, noncompatible equipment, and were spending large amounts of money on functions that could easily be consolidated. The report also uncovered holes in Sprint's security coverage. Essentially, the seven security groups didn't collaborate, and as a result, there were tasks that no one did because each group assumed another had them covered.

"The executive management team decided to consolidate all security into one organization with one leader who could look out for the entire corporation," Fox says. Managing the merge was one of the first things Fox did as CSO. The executive management's mandate created a strong team bond and cleared up all possible turf issues, Fox says. Merging departments also simplified the budget process at Sprint. Fox oversees a single corporate security budget, which is doled out by group to each of his internal security departments.
