Basics

Physical and IT Security Convergence: The Basics

Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.

Page 5

Given that most security personnel are from one background but not the other, how is such a person going to have the credibility and expertise to manage both functions?

First, CSOs leading formally converged programs stress that the leader doesn't have to be an expert in every sub-field of security. That's what you hire smart infosec and physical security specialists for.

Second, a small but growing number of academic programs (at Northeastern and Carnegie Mellon, for example) are available to help round out your background. John Petruzzi, an ex-Marine now leading security at Constellation Energy, took SANS Institute classes to get up to speed on information security. It can be done.

Third, other companies get around this by not putting a single individual in charge. Having all security functions report equally into a Chief Risk Officer or a department of risk mitigation is one possible solution. The aim is to achieve cooperation without making one group feel that they've been put under the thumb of another. (See next question.)

If we don't choose to combine operational groups, can we still get some of the benefits?

Steve Hunt, the former Forrester Research analyst (and CPP) who founded consultancy 4A International, believes convergence is better handled on a project-by-project basis. "You might have two employees, both with the company for 10 years, and [the infosecurity person] gets paid twice as much as the [corporate security person]. That makes for a natural cultural segmentation in the department," says Hunt. "My argument is, let's keep talking about converging the departments, but what's the hurry? The business doesn't care who people report to as long as value is delivered."

We've seen more and more convergence articles and presentations in the media and at trade shows. Why all the buzz at this point in time?

Here are five current trends knocking down the walls between traditional security stovepipes.

1. Technology convergence. Corporate security services—video surveillance, access control, fraud detection and access control, for example—are increasingly database-driven and network-delivered. In other words, IT is ever more tightly woven together with physical security.

2. Vendor convergence. Not so long ago, infosec vendors protected networks, and physical security vendors protected bricks and mortar, and the two never met. Now a growing roster of security companies operate in both spaces, as well as in other risk-related areas. Brink's, the armored car company, offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is mixing with smart-card vendors like HID in the Open Security Exchange consortium, developing a network-and-building-access standard called PhysBits. Kroll, historically a physical security services provider, owns digital forensics unit Ontrack Data Recovery.

Bill Hancock, CSO and vice president of global security solutions at Savvis, points out that this is a rudimentary form of convergence. Nevertheless, Hancock expects vendors to continue to merge and meld these distinct product lines into more tightly integrated offerings. And aside from these well-known companies with roots in one discipline or the other, a growing fleet of smaller vendors now present all kinds of interesting examples of cross-functional services. Green-Tech Assets is an interesting illustration, offering a computer-disposal service that blends physical, digital, legal and insurance safeguards against potential liabilities created by inadvertently dumping hard drives and other technology assets containing sensitive financial or customer records.

3. Community convergence. Security is an association-driven world, and for years the associations gave little acknowledgement of each other's existence. That changed in a big way in 2004 and 2005, notably with a statement of solidarity from CISSP promulgator (ISC)2 (in the infosec corner), CPP certifier ASIS International (from the corporate security side) and IS audit association ISACA. Observers such as Williams (who is active in ASIS) anticipate ever more concrete cooperation between these communities over the near term.

4. Threat convergence. Hancock, among other experts, has been sounding the klaxons about the idea of blended threats (combined physical and logical attacks) for some years. The most likely scenario is a physical attack (such as 9/11) with its effect multiplied by concurrent digital denial-of-service attacks aimed at telecommunications or other infrastructure. This scenario becomes more likely as digital controls become more and more prevalent for physical systems. Hancock tells of a company that extolled its foresight in implementing a door-lock system at headquarters requiring verification of digital certificates to allow employees to enter. Hired as a consultant, Hancock used his laptop to launch a "mini-DDoS" attack against the server that handled the verification. Throughout the building, the door locks stopped working.

5. Educational convergence. This trend is just picking up steam, but universities such as Carnegie Mellon and Northeastern have launched programs aimed at equipping students with a portfolio of knowledge and skills in both corporate and information security.

I've also seen some companies who've tried a single security department and then moved away from it.

There will be ebbs and flows, but according to the State of the CSO survey conducted every spring, the overall trend toward consolidated departments, specifically, has been upward for at least the last three years.

This primer was compiled from articles published in CSO magazine. Contributing writers include Scott Berinato, Kathleen Carr, Todd Datz, Simone Kaplan, and Sarah Scalet. Send feedback to CSO Editor Derek Slater at dslater@cxo.com.