May/June 2005 issue
Red tape binds virtual, physical security

Cath Everett
As organisations choke on compliance red tape, a more holistic
approach to security is emerging: integrated threat management.
The events of 9/11, Enron and Slammer, and the legislation that
followed them have concentrated directors’ minds as seldom
before. Increasingly boards are starting to view IT and physical
security as interlinked parts of the same continuum. The new watchword
has become risk management.
Tom Cavanagh, a senior research associate at the Conference Board,
a market analyst firm, explains. “Risk management is emerging
as a conceptual framework to pull the two areas together. There
is some level of convergence going on as physical security increasingly
relies on IT as part of its function.”
He cites the example of firms that increasingly use IP-based cameras
or webcams to protect the perimeter of buildings. This means that
physical security managers have to become more conversant with technology
in a way that was not needed before. In some cases, still rare,
this has resulted in the creation of a chief security officer (CSO)
role and/or risk management team.
Head hunt
Neil Hare-Brown, senior security advisor at security incident response
company QCC Information Security, suggests that between 10 and 15
percent of large organisations have appointed a CSO, and their number
has been growing by five to 10 percent a year for the last few years.
“The increasing amount of regulation requires organisations
to take a more holistic view of security. Because senior management
often can’t get a handle on it, they appoint a CSO to explain
it to them, and this starts them thinking about security in a more
holistic way,” he says.
Steve Hunt, managing director of security consultancy 4A International,
points out it is still pretty rare for organisations to manage the
two functions under one umbrella. Even where a CSO is in place, fewer
than one in five have formal responsibility for both IT and physical
functions, with most focusing on the former.
These views were confirmed by a survey by the Conference Board a
couple of years ago. This showed that about two-thirds of IT security
managers report to either the CIO or other IT function, while physical
security is “all over the place”. About 20 percent of
those questioned reported into human resources (HR), 20 percent
to facilities management (FM) and the rest to a range of operational
directors.
“There was no common pattern, but very few (people responsible
for physical security) reported into IT. They’re generally
two different silos and aren’t well co-ordinated in most companies,”
Cavanagh says.
He believes this is the result of their very different cultures
and histories. Traditionally IT security was about protecting information
and data, and physical security was concerned with safeguarding
people and goods.
Moreover, he says, “Physical security is often handled at
the business unit and facilities level. When operations are so decentralised,
it’s very difficult to co-ordinate things across different
functions.”
Culture clash
According to Hunt, another key issue is politics. In his view, it
is very unlikely that IT and physical security departments will
merge, not least because of the much higher salaries on the IT side.
“The salaries are different, the levels of formal academic
training are different and their respective comfort levels with
new technology means that the two worlds will remain separate. In
most organisations, it would be difficult if not impossible to merge
them because of these cultural issues,” he says.
But adopting a more harmonised approach does make sense because
most security incidents tend to have both an IT and physical element
to them.
Datamonitor research director Ian Williams explains: “From
a very practical point of view, if someone steals your laptop, they
also have access to your data. In terms of downtime, it doesn’t
matter whether your servers are stolen or hacked because the end
result is the same. This means that it’s important to take
an holistic view when providing security for both your facilities
and information assets and not to look on them as completely separate
entities.”
In his opinion, the creation of the role of CSO, which has increased
dramatically since 9/11 in heavily regulated sectors, such as financial
services and government, is a good starting point. It indicates
that organisations are beginning to think more strategically about
security.
Joining up
The aim, Williams says, is not only to understand better the nature
of risk, but also to be able to demonstrate to auditors that all
necessary steps have been taken to safeguard corporate information.
Even if the size of the change management project needed to consolidate
IT and physical security rules it out, some level of co-ordination
between the two should be considered. Harmonisation at the very
least makes it easier for organisations to put common policies and
processes in place to respond to incidents more effectively.
Without such harmonisation “IT security departments find
that they can only progress incident responses to a certain point
before they have to involve physical security or HR. Communication
often breaks down here due to a lack of disciplined processes and
understanding of each other’s issues, and this leads to failure,”
Hare-Brown says.
As a result, some organisations have set up security co-ordinating
committees with eight to 10 representatives from IT, security, legal,
HR, FM, supply chain management and operations.
“They’re the people that need to be on top of all
of the security dimensions of the company. They’d certainly
meet in a crisis situation, but increasingly they’re also
meeting on a monthly and quarterly basis to review procedures and
discuss new issues. Energy, chemical and financial services organisations
tend to be particularly advanced here,” says Cavanagh.
Low-hanging fruit
But there are also applications within the organisation where a
converged approach to IT and physical security is easier to introduce.
An obvious one is to use multi-function smart cards to access computers,
buildings and rooms. This has been particularly popular with organisations
such as universities.
Williams reasons “If you’ve got to issue two cards,
there’s a management cost plus a capital cost, but if you
converge the two formats into one form factor, you get physical
and IT access on a single card that performs two different functions.
You might save up to half the capital cost as well as reduce the
management cost.”
He adds this approach also reduces risk because if the user takes
the card out of their computer, it automatically logs them off.
“You don’t have to worry about them forgetting to do
so when they go for a coffee”.
In addition, the information collected can be used in forensics
work if and when there is a security incident.
Simon Perry, vice president of security strategy at Computer Associates
(CA), says, “In seven out of ten cases of computer crime,
physical access is also involved. But in the past, it took three
to four months to do an investigation because there was completely
different infrastructure for physical and IT access.”
Such investigations now take only an hour when using systems that
conform to the Physbits standard, he says. The Open Security Exchange,
of which CA was a founding member, and which is now run by the IEEE,
developed the standard.
A second possible field for convergence is the deployment of IP-based
cameras. In the past, surveillance cameras required a piece of copper
going from the camera to the monitoring station where someone watched
the picture, often in real time. This was very expensive and not
very practical as people lose attention and fall asleep, Hunt says.
Candid camera
Digitising the signal means that computers can analyse data and
respond when they detect anomalies. “They use very simple
software that is much more accurate and reliable than an expensive
guard station, so it’s an opportunity for organisations to
save money and improve the effectiveness of their security controls
at the same time,” Hunt says.
A third possible area of convergence is event management.
Although this requires some internal development work, Hunt advocates
integrating the applications that manage the alarm systems used
to secure physical infrastructure such as doors with those providing
alerts from IT infrastructure such as firewalls and servers.
“The trouble is that management software is currently different.
It’s not as high quality in the physical security world as
it is in the IT one, but you could bring some of the operations
together under one umbrella. It would take a couple of development
weeks, but would allow you to define, correlate, research and prioritise
events to improve event management across the organisation,”
says Hunt.
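The kind of correlation Hunt describes, and the cross-referencing of physical and IT access that Perry says speeds up an investigation, can be sketched in a few lines. The example below is added here and is not code from the article or from any of the vendors it mentions; the two feeds are constructed sample data, and the field names, site names and 12-hour grace period are assumptions.

```python
# Added example (not from the article): merge a door-controller feed with a
# server login feed and prioritise logons that lack a matching badge-in.
# Both feeds below are constructed sample data, not real logs.
from datetime import datetime, timedelta

BADGE_LOG = """\
2005-05-02T08:01:10 badge user=alice site=HQ door=lobby action=entry
2005-05-02T08:05:42 badge user=bob site=HQ door=lobby action=entry
2005-05-02T12:30:05 badge user=alice site=HQ door=lobby action=exit
"""
IT_LOG = """\
2005-05-02T08:03:00 login user=alice site=HQ host=ws-12
2005-05-02T09:15:00 login user=carol site=HQ host=ws-40
2005-05-02T13:10:00 login user=alice site=HQ host=ws-12
"""

def parse(log):
    """Turn 'timestamp kind k=v ...' lines into (datetime, kind, dict) tuples."""
    out = []
    for line in log.splitlines():
        ts, kind, *pairs = line.split()
        out.append((datetime.fromisoformat(ts), kind,
                    dict(p.split("=", 1) for p in pairs)))
    return out

def correlate(badge_log, it_log, grace=timedelta(hours=12)):
    """Replay both feeds in time order and rate every login as
    (priority, reason, login_fields): 'high' if the user has not badged
    into that site (or has badged out), 'medium' if the badge-in is
    older than `grace`, 'low' when physical presence matches."""
    present = {}   # (user, site) -> time of the most recent badge-in
    findings = []
    for ts, kind, f in sorted(parse(badge_log) + parse(it_log),
                              key=lambda e: e[0]):
        key = (f["user"], f["site"])
        if kind == "badge":
            if f["action"] == "entry":
                present[key] = ts
            else:                       # an exit clears physical presence
                present.pop(key, None)
        elif kind == "login":
            entered = present.get(key)
            if entered is None:
                findings.append(("high", "login with no badge-in at site", f))
            elif ts - entered > grace:
                findings.append(("medium", "badge-in older than grace period", f))
            else:
                findings.append(("low", "login matches physical presence", f))
    return findings
```

On the sample feeds, Alice's morning logon is rated low, Carol's logon with no badge record is high, and Alice's afternoon logon after she badged out is also high, which is the case an investigator would look at first.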
Hare-Brown says a growing number of consultancies is gearing up
to help organisations tackle some of these convergence issues; mergers
between service providers appear likely as they bid to cash in on
rising interest levels.
“Members of the Guild of Security Professionals, which comprises
about 70 percent physical security specialists and the rest IT,
are starting to look at acquisitions. It’s kinetic in both
physical and IT security at the moment so it seems likely that we’ll
see systems integrators merging from both areas to cater to demand,”
he concludes.
Cath Everett is an IT and business journalist who writes for
titles that include: Computing, Computer Weekly, MIS, Financial
Director, Red Herring, and IT Consultant.