Tales from the Front Lines of Convergence

Jun 01, 2005 (9 min read)
Data and Information Security | IT Leadership | Physical Security

Just like sh*t on the bumper sticker, re-orgs happen, and security departments are no exception. Across the country, CEOs are taking one look at the org chart, seeing two separate groups with “security” in their titles and beginning to salivate with the anticipation of cost savings.

The good news is, the physical and information security groups have a lot to learn from one another. The bad news is, well, the two groups have a lot to learn from one another. I should know, having been in charge of a “converged” security department for years. As the trend really begins to take off, it seems like a good moment to share what I’ve learned.

First things first, though. I do think it makes sense for the two disciplines to work together whenever possible. Even though physical and information security are two separate disciplines, they have important areas where they overlap in providing overall security.

In March, for example, a thief stole a computer containing personal information about 100,000 alumni, students and applicants at the University of California, Berkeley. You can bet that the university is reviewing its physical security procedures for electronic devices.

I also experienced this overlap firsthand two years ago, when my company suffered an infection of the Slammer worm. The worm infected numerous internal servers, including those controlling access to our buildings. For almost an entire business day, the card readers for all our worldwide facilities were inoperable. Other than visually checking ID badges, we had no way of knowing whether the people entering our facilities were authorized.

It’s simply not realistic for information security and physical security departments to continue to operate independently. But bringing them together raises its own challenges.

Information Security Is from Mars…

The first and most practical problem of managing a converged security department is that the two groups have different backgrounds. Security guards tend to come from the military or law enforcement. Physical security managers get college degrees in criminal justice and pursue certifications such as the Certified Protection Professional, or CPP. Most information security professionals, on the other hand, have backgrounds in technology. Their college degrees are in computer science and information management, and they go for certifications like the Certified Information Systems Security Professional, or CISSP.

The groups have marked philosophical differences as well. Information security groups, especially the “white-hat hacker” types, tend to be libertarians who break systems for the sheer intellectual pleasure. Generally speaking, they love glory, and whenever they discover a vulnerability, they want to gain the recognition of their peers. Most of them cut their teeth during the heady days of the commercialization of the Internet, so they tend to be entrepreneurial types. (Although I started my career in the military, I entered civilian life in this environment, and I usually sympathize more with the attitudes of this group.)

On the other side of the fence, physical security groups tend to emphasize control. Guards, for instance, look for ways to limit access and monitor suspicious activity. Their mantra almost seems to be: That which is not specifically allowed is prohibited. If they discover a vulnerability, they quietly repair it without letting the public know that it ever existed in the first place. They really don’t like unannounced exercises designed to test the physical security of a system because lives could be inadvertently endangered.

With these disparities in mind, I offer up four suggestions.

1) Get everyone talking.

I found that the best way to start overcoming this gulf in culture is quite simple: Have the managers and employees of the groups begin meeting regularly together, especially in after-hours events at a local watering hole.

There is one caveat to this advice. If your company employs contractors to perform physical security, then you may have policies in place that prevent contractor guards from fraternizing with company employees. The intent of such policies is to prevent guards from “looking the other way” should they see their company employee friend doing something that is unauthorized. So check the rules. If you find yourself in this situation, I still encourage interaction between the groups, but you’ll have to confine it to professional business and training events, and not socializing.

Either way, once the two groups begin talking with each other, they’ll find out how much they have in common. Not only that, it piques employees’ interest in cross-training. Merging the organizations actually leads to improvements in morale and training among the employees in both groups. In time, the guards may even begin to enjoy the cat-and-mouse chase of a good war game because it helps break the monotony of their job.

2) Bring in the best of both worlds.

The groups really do have much in common, and much to learn from one another. Because information security is a younger profession, it has borrowed heavily from long-established physical security principles such as concentric security circles, partitioning, defense-in-depth and forensics.

Likewise, practitioners of physical security have much to learn from information security. Physical security systems are becoming much more technologically advanced, and as a result, physical security professionals must become technologically savvy to defend against potential technological attacks.

Use this to your advantage. Almost 10 years ago, I was given my first CISO position with a bank. I drew on my experience from the military to develop “blue teams” and “red teams” to square off against each other in war games. The red team evolved into a full-time attack and penetration team whose job it was to constantly be seeking ways to compromise the security of the bank. The blue team was formally tasked with the day-to-day operational aspects of protecting the bank’s computing systems with access control, firewall maintenance, malware scanning and intrusion detection. The healthy competition between the two teams helped ensure that we had no compromises of our sensitive systems.

Likewise, I once worked as the head of information security for a high-profile government agency. I made sure that the guards knew how to spot technology attacks such as wardrivers in the parking lot trying to access the wireless network, other people potentially tapping into network cables running under the street, and the possible dangers of parked vehicles using high-energy radio frequency weapons near data centers. The guards thought it was cool, James Bond-type of stuff that they were defending against.

3) Expect the majority of your time and money to be spent on the physical security side.

I know this might sound like sacrilege to some of my information security colleagues who view the data of the organization to be their paramount concern. However, much of a security manager’s time is spent reacting to the concerns of senior management and employees. Because physical security is much more visible and terrorist incidents have heightened employees’ security awareness, expect most of the complaints, concerns and suggestions for improvement to come from the physical security side of the house.

This disparity in the amount of time spent on physical security vis-à-vis information security grows larger as a company increases in size and in the number of offices it has, especially in international locations. Thus, a security manager faced with these time demands will need to force himself to make time to address the less visible, but nonetheless very important, infosecurity concerns.

4) Find effective ways to report progress of both aspects of security.

In general, the best way I’ve found to present to the company’s board of directors every quarter is by using metric “scorecards.” The challenge comes in offering both physical and information security metrics in a manner that catches the board members’ attention and conveys the organization’s state of security. I always find the metrics of the physical security side much easier to develop. Petty theft incidents, reports of intruders, the number of cameras installed and the number of guards on duty are all easily quantifiable.

Developing metrics for information security is much more difficult. Traditional metrics in information security take in lots of data, such as the number of viruses the antivirus software intercepted or the number of scans at the firewall. I don’t find these traditional types of metrics very useful because they don’t convey a sense of how much risk the organization faces. Instead, I always try to link my metrics to compliance with an industry standard such as ISO 17799. I gather report cards from the different business units to chart their levels of compliance. With this approach, I can demonstrate security implementation on a more granular level across business functions and give a better picture for the level of risk mitigation for the company.

Whatever kind of information you use, though, presentation is to briefings what location is to real estate. Presentation, presentation, presentation. Make your briefing quick, snappy and straight to the point. I always find that it helps to have eye-catching, multicolored graphics such as pie charts, bar graphs and compliance scorecards. Hey, I admit it’s a bit smarmy, but if it helps to gain the attention and support of the senior managers, then it’s worth it. Not only that, but face it, deep down, you like them too.

CISOs have long lamented the fact that they are often stuck reporting to the CIO instead of the CEO. Physical security groups are often trapped reporting to the head of human resources or facilities. Merged together, the combined security group can make the case that its level of importance warrants its reporting directly to the CEO. With that level of access, the CSO should be able to gain senior management’s support for key initiatives. Sure, merging the two disciplines is a huge challenge, but given the resulting improvements in overall corporate security, it’s worth it.