Undercover

Tales from the Front Lines of Convergence

Our CSO gives the straight story on what he's learned about bridging the gap between information security and physical security

By Anonymous

June 01, 2005, CSO — Just like sh*t on the bumper sticker, re-orgs happen, and security departments are no exception. Across the country, CEOs are taking one look at the org chart, seeing two separate groups with "security" in their titles and beginning to salivate with the anticipation of cost savings.

The good news is, the physical and information security groups have a lot to learn from one another. The bad news is, well, the two groups have a lot to learn from one another. I should know, having been in charge of a "converged" security department for years. As the trend really begins to take off, it seems like a good moment to share what I've learned.

First things first, though. I do think it makes sense for the two disciplines to work together whenever possible. Even though physical and information security are two separate disciplines, they have important areas where they overlap in providing overall security.

In March, for example, a thief stole a computer containing personal information about 100,000 alumni, students and applicants at the University of California, Berkeley. You can bet that the university is reviewing its physical security procedures for electronic devices.

I also experienced this overlap firsthand two years ago, when my company suffered an infection of the Slammer worm. The worm infected numerous internal servers, including those controlling access to our buildings. For almost an entire business day, the card readers for all our worldwide facilities were inoperable. Other than visually checking ID badges, we had no way of knowing whether the people entering our facilities were authorized.

It's simply not realistic for information security and physical security departments to continue to operate independently. But bringing them together raises its own challenges.

Information Security Is from Mars...

The first and most practical problem of managing a converged security department is that the two groups have different backgrounds. Security guards tend to come from the military or law enforcement. Physical security managers get college degrees in criminal justice and pursue certifications such as the Certified Protection Professional, or CPP. Most information security professionals, on the other hand, have backgrounds in technology. Their college degrees are in computer science and information management, and they go for certifications like the Certified Information Systems Security Professional, or CISSP.

The groups have marked philosophical differences as well. Information security groups, especially the "white-hat hacker" types, tend to be libertarians who break systems for the sheer intellectual pleasure. Generally speaking, they love glory, and whenever they discover a vulnerability, they want to gain the recognition of their peers. Most of them cut their teeth during the heady days of the commercialization of the Internet, so they tend to be entrepreneurial types. (Although I started my career in the military, I entered civilian life in this environment, and I usually sympathize more with the attitudes of this group.)
