In Depth

Combining IT and Physical Security: Taming the Two-Headed Beast

The worlds of IT and physical security are colliding. Find out what to do about it.

By Simone Kaplan

CSOs don't have to be experts in every aspect of security; they simply need to be good managers, says Kroll's Maurer. As long as they have direct reports with expertise in physical and IT security, he says, they can rely on their own good judgment and business sense.

An added challenge to security consolidation is potential turf wars. When staff members who are entrenched in their own world are forced to work closely with an unknown discipline, things can get tense, Telders says. "When departments are separated, too often you have people whose jobs are very similar: to protect the company. They'll compete for the same resources, such as staff and equipment and budget, and it's very disorganized," he says. But when Telders was hired in 1991, he restructured Pemco's security so that IT and physical security reported to him. During the process, territorial tendencies emerged, primarily in the IT staff, Telders recalls.

"There were questions in the IT department about who was in charge of security," he says. "They didn't understand why non-IT people were involved in security, which they saw as their domain. They weren't trying to stake a claim, but they had a mind-set that got in the way." However, once they understood that the new system was a partnership that would benefit them and the company, it was no longer an issue, Telders says. Training employees in both specialties is essential to making a merged organization work, he says. "You can do the work more efficiently, with one set of people trained in all areas so they can step into any role when needed."

Culture Counts

There are those who think putting everything together under one roof is unnecessary, even inappropriate. Physical and IT security organizations definitely need to communicate and cooperate, but merging the two isn't the answer, says Roberta Witty, a research director in security and privacy with Gartner. "The skill sets involved are so different. A person trained in physical security doesn't think the same way that an IT person trained in infosec does, and vice versa. They don't know how to think along those lines. It's a cultural difference."

Witty's argument is shared by some practitioners in the field. Pulling security personnel from multiple departments is counterproductive, says Mary Ann Davidson, CSO of server platform technology at Oracle. "If you rip people out of their native departments, you take them away from what they do best. It's very ineffective." "Besides, unless everyone in your organization understands their responsibilities for protecting the company, whether it's updating virus definitions or preventing strangers from coming into the building, it doesn't matter what kind of unified security force you put together. It won't work."
