Part 1: As IT And Security Converge, Physical And Information Security Challenges Increase
By Casey Laughman, Managing Editor, August 2013 - Security
There's an ongoing trend toward convergence between IT and security. As this trend continues, the challenges of physical and information security continue to grow.
Stop and think for a minute about how many potential points of entry there are into your building for uninvited visitors.
There are the doors, of course, as well as areas such as loading docks or delivery entrances. Ground-floor windows need to be secured as well.
Now, did you remember to count the network connections the outdoor security cameras are plugged into? Or the laptops the sales department has that have Virtual Private Network (VPN) access?
As buildings and their systems become more plugged in, they become a more accessible target. And as systems such as building automation and security move to network-based operation, they can be compromised remotely to allow access to a supposedly secure building and, sometimes more importantly, to the data stored on a network inside it.
"It's not just somebody rolling up at a building and coming in and gaining access" anymore, says Geoff Craighead, vice president, Universal Protection Services, and current president, ASIS. "It's all these other things now that come into play."
To combat this, IT and security departments are moving toward convergence in several areas, such as access control and surveillance. But convergence creates its own set of challenges. First, there's no such thing as a universal definition of convergence; each organization or even each location will have a different meaning based on what its security and IT needs are and how the departments work together. There's also the issue that security isn't just making sure the doors are locked and the servers protected by a firewall, says BICSI president Jerry Bowman.
"True security management is more holistic than simply information security and physical security," Bowman says. "Risk management disciplines, loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, insurance, and others are all part of the bigger picture that benefits from a collaborative approach to protection of enterprise assets."
Converging To A Point
Accounting for all of these factors and combining operations means that IT and security each need enough knowledge of the other's domain to work together. As an example, defining who is responsible for the servers that run the access control system helps ensure that they are not only secured, but also kept up to date on routine maintenance and non-critical software updates.
One challenge for defining responsibilities is figuring out whether there's a difference between information security, physical security, and just plain security. If someone walks out of the building with a laptop, is that an information security breakdown or a physical security breakdown? Does it really make a difference when the CEO is asking why a bunch of laptops are disappearing?
The good news is that the challenges of convergence are not insurmountable. The solutions come down to basic communication and cooperation between departments. So if you're involved in a convergence effort or considering one, keep in mind that the first step is a willingness to find common ground, says Sean Ahrens, global practice leader, security design and consulting, Aon Global Risk Consulting.
"The more you push back on the process, the more detrimental it's going to be for you in the long run," Ahrens says. "Trying to close off your network or trying to get your own stand-alone network, or all these other different components, really is counterproductive."
But, says Bill Sako, senior vice president, Rolf Jensen & Associates, while there may be a call for departmental cooperation, and even for a specific person who can work with IT on managing security devices and networks, that does not mean simply handing everything over to IT and expecting them to know what to do with it.
"The worst thing you can do is build a network, take all the security systems like the IP cameras, the intrusion detection devices, the card readers, etc., and say that IT's now responsible for those," Sako says. "They're not and they shouldn't be. That's not in their realm."