In Depth
Combining IT and Physical Security: Taming the Two-Headed Beast
The worlds of IT and physical security are colliding. Find out what to do about it.
By Simone Kaplan
"When we do a security assessment, we start with the physical and go through all elements into the technical security," he says. "Both sides are learning more about each other, and I have employees who have asked to be moved into different parts of the security organization so that they can improve their technical or traditional skills."
Developing dexterity in both the physical and IT arenas is increasingly important as traditional physical security practices become more reliant on digital tools. Name tags and guest books have been replaced by smart cards that allow cardholders access to buildings and computer networks.
Business and security leaders now see that networks can be successfully secured, but if someone can physically get into the building and do something as simple as pull out a power cord, networks and businesses will remain vulnerable. Reliance on IT security alone is no longer sufficient for protecting networks, says Richard Maurer, senior director for the physical security group at Kroll, a security and protection services company in New York City, and member of the physical security council of ASIS International (formerly known as the American Society for Industrial Security). Strengthening physical security is vital to securing a company's assets.
Maurer tells the story of visiting a dotcom to do a security assessment. The company's owners bragged endlessly about how secure their network and phone room was, but they'd never looked beyond the confines of their office. "We said, 'Follow us,' went down the elevator to the ground floor, poked around a bit and found an unlocked door that led to a room containing every phone line in the building," he says. "Anyone with a pair of nail clippers could have taken their network out."
Blending Budgets
Merging the tools of the trade has made responsibility and oversight more complicated as security and IT leaders are forced to ask who's in charge of what. But budgeting for consolidated security operations can actually make your relationship with the CEO and CFO stronger while keeping more money in your department's pockets. "The selling point for creating a single security office is the cost savings," says Eduard Telders, security manager at Pemco Financial Services, a Seattle-based group of independently owned insurance companies. Security is a cost center, and the value of preventing a possible attack is difficult to quantify in terms of revenue. Consequently, the security budget is an easy target when budgets are tight. "You save by creating a single department out of multiple departments, which eats up much less money," Telders says. "Having a single security budget helps protect you from cost-cutting measures."
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
