Physical security and IT: blending the two remains a bit like trying to mix oil and water. The two liquids will co-exist in the same bottle, but stubbornly resist any kind of merging at the molecular level.
Traditional physical security designs and technology have, until recently, traveled parallel paths with traditional logical and information security designs and policies. Rarely did the two meet; security management administered the physical security sphere of operations, and the IT department administered cyber-space and information security operations. But that divide narrowed over the past decade as security became increasingly dependent on network-based solutions.
While the convergence of IT and physical security seems to be something that both sides would actively seek, the reality is more complicated. There are technological, policy and procedural obstacles to merging the two cultures. At the 30,000-foot level, corporate management may embrace the concept of convergence; it makes a nice sound-bite at conferences, after all. But it is a different story at the operational level. Resistance to change stubbornly remains, and nothing less than proactive engagement by executive management will ensure that convergence happens. That resistance takes the form of differing views on everything from the terminology and procedures of the physical security discipline to competing budget priorities for the protection of systems. We see this divergence within companies and organizations every day.
Cultural Issues
Frankly speaking, the code used to meld IT with physical security systems communicates far better than the people who write it, or the operators sitting at the machines. An important issue when considering logical and physical security convergence is the culture of the operators and managers who are increasingly, and reluctantly, required to integrate operations, policies and procedures across organizations. In other words, to play nice together. Physical security staff generally come from law enforcement or other security-related fields and are accustomed to owning and operating closed systems and networks. Logical/IT security managers, typically with business or technical backgrounds, are likewise wary about moving physical security systems such as video surveillance streams or building access controls onto the corporate network. They don’t like the idea of mingling security data with business data, and prefer that it be isolated from the rest of the network for proprietary reasons. Despite the differences, both groups need each other – much of good information security policy and procedure lies within physical security, and as physical security technology becomes more sophisticated, the traditional physical security practitioner will rely on the skills of the IT specialist. A recent Pike Research report on smart grid security identified the need for better collaboration between physical and IT security professionals. The report noted that while “on some occasions such professionals collaborate well together, more commonly they do not understand each other.” This is an understatement.
While the two groups differ culturally, owing to differences in expertise as well as in reporting structures and responsibilities within the enterprise, functionally they have a lot in common. If information is a critical asset of the enterprise, physical security is an extension of good information security policy to protect that asset. Likewise, the integrity of the physical access control system for employees is only strengthened by secure identity and authentication management processes in the IT environment. One is the logical extension of the other.
Generational Issues
The average age of a physical security professional is 50+, while the average for the IT industry is 32 or younger. This age gap creates significant differences in experience and understanding. The typical IT professional was born into the Millennial Generation and is a “digital native”: someone with an intuitive understanding of the role of computers and a comfort with technology that those born in the generation prior may not share. These “digital natives” learned to do things using computers and technology from the start; they did not have to relearn anything. Those born before the 1980s are what are called “digital immigrants.” They may be tech-savvy, but they are still more reliant on, and more comfortable with, traditional forms of interaction and ways of conducting business. This can create tension when the two groups collide in an arena that is necessarily digital, but overlays the traditional security measures of gates, guards, guns and procedures.
Shrinking Budgets: Need to Reduce Cost, Increase Efficiency
Combining physical and logical security departments may not be easy, but it is generally considered a cost-saving for the enterprise. A centralized, IP-based security management system combining CCTV, access control, alarm monitoring and other physical security measures can reduce the need for on-site guards, generally the most expensive element of a security program, and provide a significant return on investment.
Integrating physical and IT security department budgets has also proven to deliver substantial efficiency, particularly when a single provisioning system is used to deploy or upgrade access control badging together with identity management and access levels, so that consistent corporate security policies are enforced across both.
Additional cost-savings and efficiency may come from:
- The creation of one system for managing all physical and logical security, including a streamlined workflow for creating, deleting, and modifying user identities.
- A unified network policy for both local network and remote access that leverages location and status information from physical access systems, allowing broader policy enforcement.
- Improved user access and a reduction of privacy concerns.
- A practical and affordable second authentication factor.
- Increased ROI and a stronger return on security investment.
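The first two items above, a single identity workflow and a network policy that draws on badge state, can be illustrated with a small policy check. This is an added example, not code from the article or from any named product: the badge events, the door-state format and the disabled-identity set are all constructed and hypothetical, and the decisions (ALLOW, DENY, REVIEW) are placeholders for whatever the real policy engine would enforce.

```python
from datetime import datetime

# Constructed sample badge events (hypothetical format): (user, ISO time, door action).
BADGE_EVENTS = [
    ("alice", "2024-03-04T08:02:00", "IN"),
    ("bob",   "2024-03-04T08:15:00", "IN"),
    ("bob",   "2024-03-04T12:30:00", "OUT"),
    ("carol", "2024-03-04T09:00:00", "IN"),
]

# Identities that the (hypothetical) joint identity workflow has disabled.
# One deprovisioning action revokes both badge and network access.
DISABLED_IDENTITIES = {"carol"}


def building_state(events, user, at):
    """Return 'IN', 'OUT' or 'UNKNOWN' for `user` at ISO time `at`, from badge events."""
    cutoff = datetime.fromisoformat(at)
    state = "UNKNOWN"
    # Replay the user's events in time order; the last one before `cutoff` wins.
    for who, ts, action in sorted(events, key=lambda e: e[1]):
        if who == user and datetime.fromisoformat(ts) <= cutoff:
            state = action
    return state


def evaluate(user, channel, at, events=BADGE_EVENTS, disabled=DISABLED_IDENTITIES):
    """Decide ALLOW / DENY / REVIEW for a network logon using physical access state."""
    if user in disabled:
        return "DENY"                     # disabled in the unified identity system
    state = building_state(events, user, at)
    if channel == "LAN":
        # An on-site logon with no badge-in on record is worth a second look.
        return "ALLOW" if state == "IN" else "REVIEW"
    if channel == "VPN":
        # A remote logon while the badge system says the user is inside is contradictory.
        return "REVIEW" if state == "IN" else "ALLOW"
    return "DENY"                         # unknown access channel


if __name__ == "__main__":
    for req in [("alice", "LAN"), ("alice", "VPN"), ("bob", "VPN"), ("carol", "LAN")]:
        print(req, evaluate(*req, "2024-03-04T13:00:00"))
```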
Despite the challenges of developing a truly converged security design for the enterprise, a balanced blend of the logical and physical security worlds is – for the 21st Century – the ideal. It is also inevitable. Today’s synergies between select physical and logical security technologies will soon be the expected standard for security programs. Converged security solutions are more holistic. They answer not the narrow question “is asset X secure?”, but the wider one: “is asset X secure against whom, from what, in what environment, at what cost?” In short, converged technology solutions are a far better match for risk-based security programs and will offer an organization the best balance of security and cost.