Combining IT and Physical Security: Taming the Two-Headed Beast

The worlds of IT and physical security are colliding. Find out what to do about it.


The disparity among skill sets also creates a conundrum when it comes to reporting relationships. There seem to be as many variations on the reporting structure as there are hackers in high school. Fox reports directly to Sprint's executive vice president and general counsel, and he has six technical directors who report to him and are responsible for physical security, network security services, network security engineering, data security operations, investigations and IS security.

"If you have seven security people reporting to seven different parts of the company, there are too many weak links. It opens up the organization to attack," Fox says. "If something happens, people in the company won't know who to call and so they don't call anyone."

CSOs don't have to be experts in every aspect of security; they simply need to be good managers, says Kroll's Maurer. As long as they have direct reports with expertise in physical and IT security, he says, they can rely on their own good judgment and business sense.

An added challenge to security consolidation is the potential for turf wars. When staff members who are entrenched in their own world are forced to work closely with an unknown discipline, things can get tense, Telders says. "When departments are separated, too often you have people whose jobs are very similar: to protect the company. They'll compete for the same resources, such as staff and equipment and budget, and it's very disorganized," he says. But when Telders was hired in 1991, he restructured Pemco's security so that IT and physical security reported to him. During the process, territorial tendencies emerged, primarily in the IT staff, Telders recalls.

"There were questions in the IT department about who was in charge of security," he says. "They didn't understand why non-IT people were involved in security, which they saw as their domain. They weren't trying to stake a claim, but they had a mind-set that got in the way." However, once they understood that the new system was a partnership that would benefit them and the company, it was no longer an issue, Telders says. Training employees in both specialties is essential to making a merged organization work, he says. "You can do the work more efficiently, with one set of people trained in all areas so they can step into any role when needed."

Culture Counts

There are those who think putting everything together under one roof is unnecessary, even inappropriate. Physical and IT security organizations definitely need to communicate and cooperate, but merging the two isn't the answer, says Roberta Witty, a research director in security and privacy with Gartner. "The skill sets involved are so different. A person trained in physical security doesn't think the same way that an IT person trained in infosec does, and vice versa. They don't know how to think along those lines. It's a cultural difference."

Witty's argument is shared by some practitioners in the field. Pulling security personnel from multiple departments is counterproductive, says Mary Ann Davidson, CSO of server platform technology at Oracle. "If you rip people out of their native departments, you take them away from what they do best. It's very ineffective. Besides, unless everyone in your organization understands their responsibilities for protecting the company, whether it's updating virus definitions or preventing strangers from coming into the building, it doesn't matter what kind of unified security force you put together. It won't work."

Davidson sits on Oracle's product and corporate security steering committees with representatives from other departments. She has lunch every six weeks with the head of facilities, who handles physical security, but otherwise she sees no need for further integration. The corporate security committee provides a forum for all departments to contribute to policy creation, she says, and that collaboration covers all the bases.

The benefits of bringing physical and IT security under one umbrella are industry-specific, Witty says. It makes more sense for companies in industries with a strong health and safety focus, such as manufacturing or chemical production, she says. It also works better for companies whose physical delivery system for products could be easily disrupted, such as oil distribution. The physical and IT security leaders should communicate regularly, she says, but unless there's a real need, they don't necessarily need to be merged into one department or report to the same person.

But to Fox, security consolidation has made his life and the lives of Sprint's senior executives a lot easier: it gives them a clear picture of the company's security status and its vulnerability levels. It also helps them do better business, he says. "Companies want to work with us more because they know we protect people and information in the most thorough manner," Fox says. "That's a very important thing to anyone who does business these days."

Copyright © 2002 IDG Communications, Inc.
