In Depth

Combining IT and Physical Security: Taming the Two-Headed Beast

The worlds of IT and physical security are colliding. Find out what to do about it.

By Simone Kaplan

Some CSOs are responding to the challenge by getting certified in whichever specialty they know least. Telders started out modeling computer systems, became a CISSP (certification for the information systems security professional) and, in order to get a better grasp on the physical security side of his job, got a certified protection professional, or CPP, certification from ASIS International. Baklarz also came up through the IT ranks, became a CISSP and is in the process of getting a CPP. "That way I'll have a better appreciation of what the physical side entails," he says. Although he doesn't see many of his peers getting certified in physical protection, Baklarz thinks doing so will make executives more marketable. "It's also a good idea for physical security experts to get certified in infosec," he says, "but the learning curve is sharper and the process will take longer."

To be a CISSP, you have to work in the infosec field for a minimum of three years. There's no such requirement to get a CPP certification. "I would never line up my knowledge of physical security against experts in the field - it's more difficult to learn than a lot of people think - but picking up the IT end is more technically complex and it takes a few years to get up to speed," says Baklarz. He points out that Howard Schmidt, vice chair of President Bush's Critical Infrastructure Protection Board under Chairman Richard Clarke (see linked interview), started his career in law enforcement and successfully migrated to information security.

Fox has put in time on both sides of the track and oversees Sprint's entire security operation. He earned a bachelor's and master's from Michigan State in criminal justice with a concentration in security administration and spent several years as a police detective in Michigan. He doesn't have a CISSP, but he has 40 technical employees who do.

The disparity among skill sets also creates a conundrum when it comes to reporting relationships. There seem to be as many variations on the reporting structure as there are hackers in high school. Fox reports directly to Sprint's executive vice president and general counsel, and he has six technical directors who report to him and are responsible for physical security, network security services, network security engineering, data security operations, investigations and IS security.

"If you have seven security people reporting to seven different parts of the company, there are too many weak links. It opens up the organization to attack," Fox says. "If something happens, people in the company won't know who to call and so they don't call anyone."
