Whether or not you buy into the convergence buzz and the trends associated with it, physical and information security are melding. Convergence has evolved from a theory with a lot of marketing hype to a business and technology necessity in which both physical security and IT managers will play a critical role. All of today's compliance, governance and competitive challenges are forcing physical and information security to work together. When they do so effectively, they can be seen as business enablers and competitive differentiators supporting the organization's mission and goals. But what's it going to take to make it work?
The Trickle-Down Effect
Just like any business initiative, convergence requires business leaders to help create a new mindset. For security convergence to work, a new way of thinking about business risks has to trickle down from the top. This will require upper management not only to influence change but to facilitate it with proper guidance, budget and oversight. Business leaders must create a trusting environment between physical and information security (which is for the most part IT) that treats both as equally important.
The people I see taking the lead on this are neither physical security managers nor IT managers. Rather, I'm seeing CFOs, COOs, and even CEOs stepping up to the plate to make sure their organizations aren't exposed to unnecessary risks. I credit a large part of this executive awareness to all the federal and industry regulations that have been thrust upon us recently. Non-security executives understand enough about what's going on with technology and security to realize that it's a serious business issue that warrants both sides working closely together.
Gravitating Towards a Center
There's been a disconnect between physical and information security, but there's often also a lot of overlap and duplication of efforts between departments. I often see team members writing policies, developing security plans and implementing technologies all on their own, while their counterparts are doing the exact same tasks.
However, in performing security assessments for organizations both large and small, I'm now seeing a lot of positive changes with regard to user provisioning, incident response, and especially the integration of security technologies. Vendors are making both sides of the security coin more manageable in a centralized fashion. Sounds elementary, but it's exactly what convergence needs.
I'm also seeing the incorporation of both physical and information security systems within the scope of ongoing security assessments and formal audits that organizations are either outsourcing or performing internally. In fact, many people performing these assessments and audits are using standards such as ISO/IEC 17799:2005. ISO/IEC 17799 is an information security-centric standard, yet it includes a significant portion on physical controls: an entire section on physical security comprising 13 subsections.
Similarly, you can look at any of the big federal or industry security regulations, such as the HIPAA Security Rule, GLBA Safeguards Rule, and the PCI Data Security Standard, and see the trend of incorporating physical security with information security. Physical security is on the radar of most of those involved in information security. In fact, it's becoming a well-known principle that you can't have good information security without good physical security.
Information Security: An Invisible Problem
The problem is, there's still not enough interaction between the physical and IT teams to make risk management and “security” in general as effective as they could be. I'm still seeing quite a bit of finger pointing and “not my job” mindsets. Many people still don't see the value in information security. Management, by and large, has always bought into physical security. It's easy to understand why, given that the risks and business value are so clear.