In Depth

Combining IT and Physical Security: Taming the Two-Headed Beast

The worlds of IT and physical security are colliding. Find out what to do about it.

By Simone Kaplan


While doing security assessments for Kroll, Maurer consulted with several Fortune 100 companies that were about to purchase new fiber cable and data storage for IP-based surveillance cameras. Maurer recommended asking their IT departments if they had extra cable on hand and available space on their network. They did, and that coordination alone saved the companies tens of thousands of dollars.

"The two groups simply have to talk to each other," he says. "That's where having a manager who oversees them both is beneficial."

A consolidated security force also enables the CSO to create a unified approach to threats via coordinated plans and processes. Consider terminations, for example. If an employee quits or is fired, does your company have a coordinated process in place to block his electronic access to the building and shut off his e-mail (also known as a deprovisioning process)?

"If I wanted to steal something like the designs for a new product, I could try to hack into the back-office research," says Steve Hunt, a research analyst with Giga Information Group. "Or I could call someone in R&D and use social engineering to see if they'll give them to me. I could even walk through the front door and impersonate a contractor or an employee to gain access to the information," he adds. "These days, the threats are intertwined. The physical and IT [security] guys have to be operating on a coordinated response plan where everyone is on the same page."

Geeks and Cops

Despite the weight of opinion in favor of merging the two disciplines, getting people from both sides of the track to work together is, of course, no easy task. Finding and training qualified personnel, establishing new reporting structures and overcoming turf wars among traditionally independent departments are just a few of the challenges of bringing disparate security organizations together.

Foremost is the issue of experience. Security personnel tend to come up through the ranks in very different ways. On the physical side, many are former cops, FBI agents or Secret Service agents. Most IT security staff have come up the IT ladder. The two disciplines require vastly different skill sets.

CSOs with a background in one specialty and not the other will gravitate to where their strength lies and solve problems using what they know, not necessarily the best approach in every situation. That is one of the drawbacks to merging physical and IT security. In other words, "if they know how to use a sledgehammer, then every [problem] is fixed with a sledgehammer," says Ron Baklarz, CISO of the American Red Cross in Arlington, Va.
