While many enterprises have physical security programs in place, they are often in an organizational silo separate from information security. Sometimes the function is under operations, other times facilities. No matter where it is, though, communication can easily break down, or even be nonexistent, between the two groups. And, the fact is, when communication is inadequate, putting proper controls in place becomes impossible.
For this reason, a growing number of businesses are looking to strategically merge the oversight of physical and IT security access within their organizations.
"There's an overlap on logical access and physical access," says Randy Barr, chief security officer of the web conferencing firm WebEx. "It's one thing being able to protect our environment from people connecting to areas they should not, but how do we protect against people walking in."
A longtime veteran in information technology and IT security, Barr helped transition WebEx to a converged security model in 2004. After overseeing the IT security side, he took the mantle of CSO and assumed responsibility of physical security. Many security experts believe that this business shift is part of a trend toward convergence that is gaining traction with enterprises, large and small.
The push for more chief information security officers to become full-fledged CSOs is a relatively new trend, says Steve Hunt. As founder and president of the analyst firm 4A International, Hunt focuses on physical and logical security convergence. He says that prior to this decade, the CSO was a rare breed, mostly a novelty position that a select few organizations chose to install.
"After 9/11 the concept of the CSO really got some legs, because often the CEO — hearing about terror attacks and cyberterrorism — called in the head of IT security and the head of physical security and said, ‘So, are we prepared?' And the two had never met each other!"
In addition to eye-opening meetings such as these, some organizations have had their security gaps illuminated through the process of attaining certifications — such as WebTrust and International Standards Organization (ISO) 17799 — which often cover physical security controls.
For example, to improve customer and partner trust, WebEx undertook the certification process for both WebTrust accreditation and the American Institute of Certified Public Accountants Statement on Auditing Standards (SAS) No. 70. The results of the process are what prompted Barr to petition for control over physical security in the first place.
"When we started pursuing certifications and trying to identify controls, that's when we started implementing the physical security along with logical security. We've used controls for both, not only in our SAS 70 report and our ISO, but also in our change control process," he says. "It improved our security program as a whole."
Hardware is improving
Many security executives think that stringent certification by third parties helps organizations create a framework that accounts for all parts of security.
"It is really your checklist and the model onto which you build your framework," says Greg Hughes, CSO of Corillian Corporation, a provider of online banking, payment and security solutions to the financial services industry that was acquired by CheckFree Corp. in February.
One other impetus to merging IT security and physical security has been the improvement of physical security technology hardware and applications.
"The technology has been improving over the years," Barr says. "For example, badge access and cameras used to be two separate systems. But since the improvement of applications, you can receive alerts on people who attempt to access an area they shouldn't. With technology today you can click on the alert, and with that alert the camera that is facing that area pops up. It allows you to get information a lot faster than having to work with a different department to ask for it."
Most people in Barr's position don't expect the technology to solve strategic problems around merging physical and logical security within an organization. But it can often be the means to enable changes in processes that make the business more secure and more efficient.
"The point is, the way we have been doing security so far has been pretty stupid, narrow-minded and nearsighted," Hunt says. "For example, let's take the very popular concept of identity management. It includes the technology and processes to manage people and their privileges to corporate assets — in this case, logical assets. Well, the physical security department also has technology and processes for managing people and their privileges. It is called access control. So if they're both managing people and their privileges to corporate assets, and it's the same people, and it's the same company's assets, why aren't we using one system?"
In Barr's case, he didn't even have to make a significant additional investment to do this. "It was more of a case of improving technology we already had," he says. "We came to realize that some of the technology already in place could work together. In the case of the cameras and the badge access reader, we found out we could use what we had already and work with the vendor to incorporate the camera into the system."
Even vendors pitching products agree that this approach may be the best way to ease into a convergence situation.
"Most of these projects don't get off the ground when they involve huge capital outlays to change what you already do," says Omar Hussain, president and CEO of Imprivata, an enterprise single sign-on appliance company. "You can't have a physical system and the network guy come in and say, ‘Well, if we had a different system we could really do X,Y,Z.' It is kind of unreasonable to say you are going to rip out all of the existing door readers or badge readers."
Corillian's Hughes agrees, because he believes the most impact comes from changes to the processes and the people behind them.
"Bridging the gap between physical and logical security is not an easy thing," he says. "It is not something you can solve with technology. We look at it as a triad. It is people, process and technology. And the people and process part of physical security — especially for bridging the gap over to logical — is critical."
How to make it happen
Though there are many security professionals out there who understand the need for an integrated security framework, some often can't get over the hump of internal politics and culture clashes to make it happen.
As the former CISO of PepsiCo, and an active member of the team that helped move PepsiCo into an integrated security framework, Bryan Palma knows the challenges firsthand. While there certainly are successes occurring, he says that on the whole, the industry is not doing a good enough job converging physical and logical security responsibilities.
"Part of the reason that security has failed to get a spot at the big table has been because it has failed to unite within its own ranks," says Palma, who now runs the consulting firm Ponic, which helps senior executives design, build and improve information risk functions. "There's physical and a logical. The two evolved in parallel."
According to Palma, the lack of integration stems from the inherent cultural differences between each side of the house. Hunt would agree. He explains that the physical security and the IT security teams often don't understand from where the other group is coming.
Because of this, Palma and Hunt believe that for a convergence to take place, the finesse of a delicate diplomat who is able to let each side do what they are good at while maintaining oversight of the big picture is required.
"If new CSOs want to be effective, they will build bridges and find those skills and abilities that are highlighted in each group and use those," Hunt says. "The most successful CSOs will be the one who can manage task groups."
Hughes agrees. "I'm responsible for everything that has the word security attached to it," Hughes says. "Physical, logical, personnel. But that doesn't mean I manage it all individually myself. It really does take a true team effort to manage a complete security framework."
Hunt believes that rather than just trying to merge groups together, a leader looking to bring converged oversight under one person should start by building connections within the organization. To do this, he advises forming some kind of risk management or security council. From there, the shift can often be formalized based on the group's successes. This is what Barr did, and it seemed to be just the type of consensus building needed to petition for a formal merge.
"In my case, I decided to work with our senior staff and created a security council where all escalations related to security were brought to this group's attention," Barr says. "The council is made up of officers of the company — CIO, VP of operations, general counsel, CSO, VP of product — and this is where I review our existing security posture and provide recommendations. As I continued to develop our security program and establish strong relationships with each of the departments, I was able to share the overlap of physical security into my existing role. I was also able to show that the security program will benefit if we converged the two together."
HOW TO PLAY
Pedigree of a CSO
One of the key questions posed by an organization that is contemplating the convergence of physical and logical security is: "Who should oversee the newly converged operations?" According to Steve Hunt, founder and president of the analyst firm 4A International, the IT security pedigree often makes for the best background for a prospective CSO.
"I think an IT person makes the best CSO," says Hunt. "They are more familiar with using technology to improve process efficiency, and it is easier for an IT person to learn the basics of physical security than it is for a physical security person to become versed in IT."
On top of this, he believes that IT security managers have what he calls better "C-level suite creds" than many physical security managers.
"The IT person generally has more credibility, is a little more visible and appreciated among the white collar C-level managers," Hunt says. "They're a little more plugged into the needs of the business regarding compliance to regulation and total enterprise risk management."
Nevertheless, these considerations shouldn't allow an IT security manager moving into the role to let a big ego get in the way.
"It just makes sense that an IT person is a better coordinator. But the stupidest CSO will be the one who thinks they are actually running physical security," Hunt says.
It is especially important to work with physical security in initially pitching convergence to higher ups. Trying for a coup, Hunt says, is a definite no-no.
"If you're truly a skilled diplomat, you'll walk in there with the physical security person standing next to you," he says. "That'll prove your diplomatic skills. If you are trying to cut the physical security guy out, then you're an idiot and deserve to fail."
— Ericka Chickowski
PHYSICAL AND LOGICAL
Things not to do
Don't try to take over physical security without consensus from that side of the house or some sort of existing security task force, says Steve Hunt of 4A International.
Don't pin organizational changes on a very expensive technology project, says Omar Hussain of Imprivata.
And most importantly, don't embark on a convergence without support from the most influential executives, says Bryan Palma of Ponic: "I think it really has to be prescripted from the top."
— Ericka Chickowski