by Simone Kaplan

Combining IT and Physical Security: Taming the Two-Headed Beast

Sep 04, 2002 | 16 mins
Data and Information Security | IT Leadership | Physical Security

Two years ago, if you were the head of security for an organization, it meant one of two things. Either you were trying to prevent people with guns from walking through the front door, or you were watching your computer networks like a hawk, maintaining firewalls and patching software to ward off hackers. If you were in charge of the physical side, you were barely aware of the network security side. Let’s face it, security guards weren’t trained to install antivirus software, and the IS guys didn’t know much more about controlling building access.

Well, the wall that separates physical and information security is crumbling fast. At corporations and government agencies nationwide, security leaders are abandoning the fragmented, compartmentalized approach of the past and creating a unified, coordinated program of protecting buildings, people and networks. Executive-level security positions are popping up with increasing frequency as oversight of both IT and physical security is merging into one discipline. And for good reason: Many companies can improve the efficiency and effectiveness of their security strategy by combining the two sides. They can also save money by eliminating redundancy in resources and budget requirements. There’s no need to spend thousands of dollars to set up a smart card building access system if your IT group already has the wiring and bandwidth in place for another project.

But security involves much more than just guarded gates and encrypted networks. Privacy, risk management, financial and health-care issues, policy creation and enforcement, and investigations all fall under the rubric of security. Bringing those issues under one roof requires strategic planning, communication and good management skills. That means making sense of responsibilities, says Chris Christiansen, an analyst with IDC (a sister company to CSO’s publisher).

“The people who own the gates, guns and guards are often totally independent of the IT people,” Christiansen says. “But you have to know who was in the building, where they went, and what parts of the IT system they might have accessed. You need some reconciliation between the two for both to be stronger.”

Creating a consolidated approach means policies, procedures and implementation are consistent. So today’s CSO needs to find ways to integrate law enforcement and network protection, e-mail and electric fences. For some companies, appointing a CSO to oversee the merging of physical and IT security is a first step toward creating a safer environment.

The Inside Scoop

Putting a company’s entire range of security operations under one roof is a trend that’s gaining momentum in both the private and public sectors, but it’s not by any means a new phenomenon. Like all things security, the trend toward merging the worlds of physical and IT security is getting lots of attention since Sept. 11--the call for unified oversight is currently the preoccupation in Washington, on the heels of reports that the FBI and CIA dropped the ball in coordinating investigative efforts--but some have been doing it, or at least thought about doing it, years before security became the nation’s number-one priority.

In fact, some see merging the two as a natural evolution of business practices. “We went from writing with pencil and paper to using a typewriter to the computer,” points out Marty Lindner, team leader of incident handling at CERT Coordination Center. “Saying the physical [security] and IT are merging is like saying the typewriter and cyberworlds are merging. It’s not an earthshaking change in security policy. It’s a natural evolution toward learning how to use computers in areas where they were never used before, like tracking who’s coming in and out of a building.”

The move to combine the physical and information sides of security can be chalked up to three primary factors. First, technology began encroaching on what had traditionally been the territory of physical security. Second, bad economic conditions forced companies to scrutinize and improve their business processes. And third, security threats evolved from random instances to well-planned incursions on network and building security. Companies have become more computer- and Internet-dependent, and thieves and hackers have become more cunning. During the past five years, intellectual property and identity and credit card theft have stopped corporations and government agencies in their tracks. And internally, disgruntled employees have thrown computer networks for a loop.

“Security is security, whether it’s in the physical or IT realm,” says Bob Fox, vice president and CSO of Sprint corporate security. When Fox became CSO six years ago, Sprint’s internal audit group members were fed up with the lack of attention that their security audits garnered from the senior executives, so they hired a major consulting firm to evaluate the company’s information security. Their gambit worked. The consultant’s report revealed exactly what the internal auditors had noted for years: Sprint’s seven independent security organizations had developed disparate procedures and policies, were buying redundant, noncompatible equipment, and were spending large amounts of money on functions that could easily be consolidated. The report also uncovered holes in Sprint’s security coverage. Essentially, the seven security groups didn’t collaborate, and as a result, there were tasks that no one did because they assumed another group had it covered.

“The executive management team decided to consolidate all security into one organization with one leader who could look out for the entire corporation,” Fox says. Managing the merge was one of the first things Fox did as CSO. The executive management’s mandate created a strong team bond and cleared up all possible turf issues, Fox says. Merging departments also simplified the budget process at Sprint. Fox oversees a single corporate security budget, which is doled out by group to each of his internal security departments.

“When we do a security assessment, we start with the physical and go through all elements into the technical security,” he says. “Both sides are learning more about each other, and I have employees who have asked to be moved into different parts of the security organization so that they can improve their technical or traditional skills.”

Developing dexterity in both the physical and IT arenas is increasingly important as traditional physical security practices become more reliant on digital tools. Name tags and guest books have been replaced by smart cards that allow cardholders access to buildings and computer networks.

Business and security leaders now see that networks can be successfully secured, but if someone can physically get into the building and do something as simple as pull out a power cord, networks and businesses will remain vulnerable. Reliance on IT security alone is no longer sufficient for protecting networks, says Richard Maurer, senior director for the physical security group at Kroll, a security and protection services company in New York City, and member of the physical security council of ASIS International (formerly known as the American Society for Industrial Security). Strengthening physical security is vital to securing a company’s assets.

Maurer tells the story of visiting a dotcom to do a security assessment. The company’s owners bragged endlessly about how secure their network and phone room was, but they’d never looked beyond the confines of their office. “We said, ‘Follow us,’ went down the elevator to the ground floor, poked around a bit and found an unlocked door that led to a room containing every phone line in the building,” he says. “Anyone with a pair of nail clippers could have taken their network out.”

Blending Budgets

Merging the tools of the trade has made responsibility and oversight more complicated as security and IT leaders are forced to ask who’s in charge of what. But budgeting for consolidated security operations can actually make your relationship with the CEO and CFO stronger while keeping more money in your department’s pockets. “The selling point for creating a single security office is the cost savings,” says Eduard Telders, security manager at Pemco Financial Services, a Seattle-based group of independently owned insurance companies. Security is a cost center, and the value of preventing a possible attack is difficult to quantify in terms of revenue. Consequently, the security budget is an easy target when budgets are tight. “You save by creating a single department out of multiple departments, which eats up much less money,” Telders says. “Having a single security budget helps protect you from cost-cutting measures.”

While doing security assessments for Kroll, Maurer consulted with several Fortune 100 companies that were about to purchase new fiber cable and data storage for IP-based surveillance cameras. Maurer recommended asking their IT departments if they had extra cable on hand and available space on their network. They did, and that coordination alone saved the companies tens of thousands of dollars.

“The two groups simply have to talk to each other,” he says. “That’s where having a manager who oversees them both is beneficial.”

A consolidated security force also enables the CSO to create a unified approach to threats via coordinated plans and processes. Consider terminations, for example. If an employee quits or is fired, does your company have a coordinated process in place to block his electronic access to the building and shut off his e-mail (a.k.a. a deprovisioning process)?
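The two process gaps the article names, reconciling who was in the building against what they touched on the network (Christiansen's point above) and confirming that a departed employee's badge and accounts were actually cut off (the deprovisioning question just raised), can be checked with one reconciliation over the badge-reader feed and the authentication log. The script below is an added example written for this page, not code from the article or from any company it mentions; the HR roster, badge events and login events are constructed sample data, and the field names and the "internal"/"remote" origin tag are assumptions about what the feeds would carry.

```python
"""Reconcile badge-reader records with IT login records.

Added example (not from the article). All three feeds below are constructed
sample data; a real deployment would pull them from the HR system, the access
control system and the authentication logs. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    ts: datetime
    door: str
    action: str      # "in" or "out"


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    system: str
    origin: str      # "internal" (office LAN) or "remote" (VPN / dial-in)


Event = Union[BadgeEvent, LoginEvent]
Finding = Tuple[str, datetime, str]   # (user, when, why)

# Constructed HR roster: user -> termination date, or None if still employed.
ROSTER: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2002, 9, 1),          # terminated Sept. 1
    "carol": None,
}

# Constructed badge-reader feed.
BADGE_LOG: List[BadgeEvent] = [
    BadgeEvent("alice", datetime(2002, 9, 4, 8, 55), "HQ-lobby", "in"),
    BadgeEvent("bob", datetime(2002, 9, 3, 18, 20), "HQ-loading-dock", "in"),
    BadgeEvent("alice", datetime(2002, 9, 4, 17, 40), "HQ-lobby", "out"),
]

# Constructed authentication feed.
LOGIN_LOG: List[LoginEvent] = [
    LoginEvent("alice", datetime(2002, 9, 4, 9, 10), "erp", "internal"),
    LoginEvent("bob", datetime(2002, 9, 3, 19, 0), "rd-fileshare", "remote"),
    LoginEvent("carol", datetime(2002, 9, 4, 10, 5), "erp", "internal"),
    LoginEvent("mallory", datetime(2002, 9, 4, 11, 30), "erp", "remote"),
]


def deprovisioning_gaps(roster, badge_log, login_log) -> List[Finding]:
    """Flag badge or login activity by an identity HR says is gone, or that
    HR has never heard of. Activity on the termination day itself is tolerated
    (returning equipment, exit interview); anything later is a gap."""
    gaps: List[Finding] = []
    events: List[Event] = sorted(badge_log + login_log, key=lambda e: e.ts)
    for ev in events:
        kind = "badge" if isinstance(ev, BadgeEvent) else "login"
        if ev.user not in roster:
            gaps.append((ev.user, ev.ts, f"{kind} by identity not on HR roster"))
            continue
        term = roster[ev.user]
        if term is not None and ev.ts.date() > term:
            gaps.append((ev.user, ev.ts, f"{kind} access after termination on {term}"))
    return gaps


def presence_mismatches(badge_log, login_log) -> List[Finding]:
    """Flag logins from the office network by a user with no badge-in at any
    door earlier that day: either someone got past the readers without
    badging, or the credential is being used by somebody other than its owner."""
    mismatches: List[Finding] = []
    for lg in login_log:
        if lg.origin != "internal":
            continue
        badged_in = any(
            b.user == lg.user and b.action == "in"
            and b.ts.date() == lg.ts.date() and b.ts <= lg.ts
            for b in badge_log
        )
        if not badged_in:
            mismatches.append((lg.user, lg.ts, f"internal login to {lg.system} with no badge-in"))
    return mismatches


def report(roster=ROSTER, badge_log=BADGE_LOG, login_log=LOGIN_LOG) -> List[Finding]:
    """All findings from both checks, oldest first."""
    findings = deprovisioning_gaps(roster, badge_log, login_log) + presence_mismatches(badge_log, login_log)
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for user, ts, why in report():
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<8} {why}")
```

On the constructed data the report lists bob's badge-in and file-share login two days after his termination (the deprovisioning gap), carol's office-network login with no badge record for that day, and a login by an identity HR does not know at all. Each finding is something only one of the two security groups would have seen on its own; the point of the merged view is that the comparison becomes somebody's job.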

“If I wanted to steal something like the designs for a new product, I could try to hack into the back-office research,” says Steve Hunt, a research analyst with Giga Information Group. “Or I could call someone in R&D and use social engineering to see if they’ll give them to me. I could even walk through the front door and impersonate a contractor or an employee to gain access to the information,” he adds. “These days, the threats are intertwined. The physical and IT [security] guys have to be operating on a coordinated response plan where everyone is on the same page.”

Geeks and Cops

Despite the weight of opinion in favor of merging the two disciplines, getting people from both sides of the track to work together is, of course, no easy task. Finding and training qualified personnel, establishing new reporting structures and overcoming turf wars among traditionally independent departments are just a few of the challenges of bringing disparate security organizations together.

Foremost is the issue of experience. Security personnel tend to come up through the ranks in very different ways. On the physical side, many are former cops, FBI agents or Secret Service agents. Most IT security staff have come up the IT ladder. The two disciplines require vastly different skill sets--your average IT executive probably doesn’t know how to take down someone waving a gun, and not many ex-cops can configure a firewall. “Combining these skills is optimal for a CSO but is very rare,” says Hunt.

CSOs with a background in one specialty and not the other will gravitate to where their strength lies and solve problems using what they know, which is not necessarily the best approach in every situation. That is one of the drawbacks to merging physical and IT security. In other words, “if they know how to use a sledgehammer, then every [problem] is fixed with a sledgehammer,” says Ron Baklarz, CISO of the American Red Cross in Arlington, Va.

Some CSOs are responding to the challenge by getting certified in whichever specialty they know least. Telders started out modeling computer systems, became a CISSP (Certified Information Systems Security Professional) and, in order to get a better grasp on the physical security side of his job, got a certified protection professional, or CPP, certification from ASIS International. Baklarz also came up through the IT ranks, became a CISSP and is in the process of getting a CPP. “That way I’ll have a better appreciation of what the physical side entails,” he says. Although he doesn’t see many of his peers getting certified in physical protection, Baklarz thinks doing so will make executives more marketable. “It’s also a good idea for physical security experts to get certified in infosec,” he says, “but the learning curve is sharper and the process will take longer.”

To be a CISSP, you have to work in the infosec field for a minimum of three years. There’s no such requirement to get a CPP certification. “I would never line up my knowledge of physical security against experts in the field (it’s more difficult to learn than a lot of people think), but picking up the IT end is more technically complex and it takes a few years to get up to speed,” says Baklarz. He points out that Howard Schmidt, vice chair of President Bush’s Critical Infrastructure Protection Board under Chairman Richard Clarke (see linked interview), started his career in law enforcement and successfully migrated to information security.

Fox has put in time on both sides of the track and oversees Sprint’s entire security operation. He earned a bachelor’s and master’s from Michigan State in criminal justice with a concentration in security administration and spent several years as a police detective in Michigan. He doesn’t have a CISSP, but he has 40 technical employees who do.

The disparity among skill sets also creates a conundrum when it comes to reporting relationships. There seem to be as many variations on the reporting structure as there are hackers in high school. Fox reports directly to Sprint’s executive vice president and general counsel, and he has six technical directors who report to him and are responsible for physical security, network security services, network security engineering, data security operations, investigations and IS security.

“If you have seven security people reporting to seven different parts of the company, there are too many weak links. It opens up the organization to attack,” Fox says. “If something happens, people in the company won’t know who to call and so they don’t call anyone.”

CSOs don’t have to be experts in every aspect of security; they simply need to be good managers, says Kroll’s Maurer. As long as they have direct reports with expertise in physical and IT security, he says, they can rely on their own good judgment and business sense.

Potential turf wars are an added challenge to security consolidation. When staff members who are entrenched in their own world are forced to work closely with an unknown discipline, things can get tense, Telders says. “When departments are separated, too often you have people whose jobs are very similar: to protect the company. They’ll compete for the same resources, such as staff and equipment and budget, and it’s very disorganized,” he says. But when Telders was hired in 1991, he restructured Pemco’s security so that IT and physical security reported to him. During the process, territorial tendencies emerged, primarily in the IT staff, Telders recalls.

“There were questions in the IT department about who was in charge of security,” he says. “They didn’t understand why non-IT people were involved in security, which they saw as their domain. They weren’t trying to stake a claim, but they had a mind-set that got in the way.” However, once they understood that the new system was a partnership that would benefit them and the company, it was no longer an issue, Telders says. Training employees in both specialties is essential to making a merged organization work, he says. “You can do the work more efficiently, with one set of people trained in all areas so they can step into any role when needed.”

Culture Counts

There are those who think putting everything together under one roof is unnecessary, even inappropriate. Physical and IT security organizations definitely need to communicate and cooperate, but merging the two isn’t the answer, says Roberta Witty, a research director in security and privacy with Gartner. “The skill sets involved are so different. A person trained in physical security doesn’t think the same way that an IT person trained in infosec does, and vice versa. They don’t know how to think along those lines. It’s a cultural difference.”

Witty’s argument is shared by some practitioners in the field. Pulling security personnel from multiple departments is counterproductive, says Mary Ann Davidson, CSO of server platform technology at Oracle. “If you rip people out of their native departments, you take them away from what they do best. It’s very ineffective. Besides, unless everyone in your organization understands their responsibilities for protecting the company--whether it’s updating virus definitions or preventing strangers from coming into the building--it doesn’t matter what kind of unified security force you put together. It won’t work.”

Davidson sits on Oracle’s product and corporate security steering committees with representatives from other departments. She has lunch every six weeks with the head of facilities, who handles physical security, but otherwise she sees no need for further integration. The corporate security committee provides a forum for all departments to contribute to policy creation, she says, and that collaboration covers all the bases.

The benefits of bringing physical and IT security under one umbrella are industry-specific, Witty says. It makes more sense for companies in industries with a strong health and safety focus, such as manufacturing or chemical production, she says. It also works better for companies whose physical delivery system for products could be easily disrupted, such as oil distribution. The physical and IT security leaders should communicate regularly, she says, but unless there’s a real need, they don’t necessarily need to be merged into one department or report to the same person.

But to Fox, security consolidation has made his life and the lives of Sprint’s senior executives a lot easier by consolidating functions and allowing them to get a clear picture of the company’s security status and its vulnerability levels. It also helps them do better business, he says. “Companies want to work with us more because they know we protect people and information in the most thorough manner,” Fox says. “That’s a very important thing to anyone who does business these days.”