Signs of Common Sense
Three random indicators that information security might finally be getting physical
By Sarah D. Scalet
October 14, 2004 — CSO — Journalists like to joke that three examples make a trend. The first example is a fluke, the second a coincidence, and the third, a sure harbinger of Things To Come. (Four, of course, is overkill.) While I certainly don't want to declare any such portents this month in Alarmed, three random signs I encountered in the past week seem to point in a heartening direction.
First, I happened to talk to the CSO of a Fortune 500 energy company on the day before he was taking over the reins of information security from the CIO. Then, I came across a press release announcing that ASIS and (ISC)2, groups that issue certifications for physical security and for information security management, respectively, have signed a memorandum of understanding. Finally, I stumbled upon a survey, done outside the security industry, that seemed to take for granted that non-security executives look at security in a holistic way.
Something about these three seemingly unrelated incidents clicked. Maybe
It might have been the nonchalance of the energy industry CSO, who was hardly queuing up the brass band over the transfer of powers. "It's not such a big change," he said, explaining that he and the CIO already had done a good job with segregation of duties. S.O.D., he told me (spelling it out rather than pronouncing it like the carpets of grass), is the latest buzzword in security departments of regulated companies. The key is making sure that whoever is controlling the IT systems is separate from whoever is reporting on the vulnerabilities of those systems. It may seem an obvious point, but it's been a long time coming.
Maybe it was the matter-of-factness of the press release from (ISC)2, which is known for conferring the moniker CISSP, or certified information systems security professional. (ISC)2 and ASIS International, which grants the CPP certification to certified protection professionals, have signed a memorandum of understanding that they will recognize each other's certifications. They're not sure what this entails, exactly, but they're off to a hopeful start. "They are the leader in traditional security certification, and we're the leader in information security certification, and there's convergence there," James Duffy, president and CEO of (ISC)2, told one of my colleagues. "This is the first step. We're going to form committees to see what other types of benefits we can provide to each other's membership. Who knows where it could go?"