Information security is different, though, and is thus being adopted and supported more slowly in practically every organization I've seen. It's easy to ignore problems we can't see and don't understand at the bit-level, but that doesn't mean information security problems don't exist. Between the well-publicized information breaches, the malware outbreaks, and the obvious concerns associated with mobile devices, management will begin to recognize that information security is a critical business issue as well.
What's Your Job?
The disconnect between physical and information security can also be attributed to a lack of understanding, on both sides, of what the other team does. The similarities between the two are so obvious that they get overlooked; people don't realize how closely the two functions parallel each other. Both require the identification and classification of assets, assessment of risks, enforcement of policies and implementation of countermeasures, as well as incident response and business continuity. At the most basic level the two jobs are the same, yet they're often treated as unrelated.
Know Your “Enemy”
Having been an IT guy my entire career, I know what it's like to be on this side of the fence. More important, I know how a lot of IT professionals work best and want to be treated. To borrow a military idea, if you know your "enemy" (that is, the IT team members), you can use that knowledge to deal with them more constructively and create a win for both teams. This will help you with short-term tactical issues such as system upgrades, as well as longer-term strategic issues such as security policy and plan development.
How Much Do They Know?
The first thing to know is that most IT team members, as much as they'd like you to believe otherwise, don't know everything about information security. This is especially true in organizations where there's no dedicated information security team, that is, where IT does it all. In fact, the majority of IT professionals I know understand mostly the technical underpinnings of information security (firewalls, access controls, and so on) and not the operational and procedural functions that matter more. Of course, every situation is different, and some IT folks know a ton about information security, but if you keep this in the back of your mind you'll be able to relate to them better. You can also share your own knowledge of risk and business process so that the two teams complement each other.
A Different Mindset
One difference between physical and information security is that physical security is primarily about preventing attacks, whereas IT professionals are often so caught up in day-to-day operations that information security becomes reactive. IT's perspective on incident response is therefore often very different from physical security's. There is frequently no formal procedure or protocol; for IT, incident response can be a fly-by-the-seat-of-the-pants operation of unplugging network cables, rebooting systems, and so on.
A strong converged environment should rely heavily on well-documented plans and procedures. You can work with IT on risk and process and let them drive when it comes to what to do and what not to do with the technical systems.
Protect Converged Technologies
The technology and information security components of the newer Web-based access control systems have added a new set of requirements for the physical security side of the organization, especially with regard to dealing with the IT team. When it comes to convergence and placing your sensitive physical security control systems on the IP network, there are several things that are often overlooked.
First, there's a trend I'm seeing whereby physical security management expects and assumes that the IT team has completely secured the network infrastructure. This is rarely the case. Unless the IT team has complete control of their environment (which is very unlikely), your physical security systems are going to be integrated into an otherwise insecure network. Integrated physical security control systems run an operating system and sit on the network just like any other computer, so they carry the same kinds of vulnerabilities and can be attacked the same way. The difference is what a successful attack yields: a compromised door controller or badge server affects doors and people, not just data, so the entire organization, not just its digital assets, is at risk. Work with IT to ensure that network-based systems and other physical security controls are locked down and protected from attack to the greatest extent possible.
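One concrete way to turn "locked down to the greatest extent possible" into something physical security and IT can check together is a baseline audit of each IP-connected controller: which services it exposes, which networks can reach it, and whether factory credentials are still in place. The script below is an added example, not from this book or any particular vendor; the inventory, host names, VLAN ranges and the forbidden-service baseline are constructed assumptions for illustration, and a real audit would populate them from a network scan and the firewall configuration.

```python
"""Hardening-baseline check for IP-connected physical security controllers.

Added example (not from the book). The inventory, network ranges and
baseline below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Services a converged physical-security device should never expose.
# Assumed baseline: cleartext or community-string-authenticated protocols.
FORBIDDEN_SERVICES = {
    "telnet/23": "cleartext management; require SSH",
    "ftp/21": "cleartext file transfer",
    "http/80": "cleartext web console; require HTTPS",
    "snmp-v2c/161": "community-string authentication only; require SNMPv3",
}

# Only the (assumed) security-management VLAN may reach the controllers.
ALLOWED_SOURCES = {"10.50.0.0/24"}


@dataclass
class Controller:
    name: str
    address: str
    os: str
    services: list          # listening services, as "proto/port"
    reachable_from: set     # networks whose hosts can reach this device
    default_creds: bool     # factory credentials still accepted?


def check_controller(ctl: Controller) -> list:
    """Return a list of human-readable findings for one controller."""
    findings = []
    for svc in ctl.services:
        if svc in FORBIDDEN_SERVICES:
            findings.append(f"{ctl.name} ({ctl.address}): exposes {svc}: "
                            f"{FORBIDDEN_SERVICES[svc]}")
    # Any network beyond the management VLAN that can reach the device is
    # exactly the "otherwise insecure network" the text warns about.
    extra = ctl.reachable_from - ALLOWED_SOURCES
    if extra:
        findings.append(f"{ctl.name} ({ctl.address}): reachable from "
                        f"non-management networks {sorted(extra)}")
    if ctl.default_creds:
        findings.append(f"{ctl.name} ({ctl.address}): factory default "
                        "credentials still accepted")
    return findings


def audit(inventory: list) -> dict:
    """Map each controller name to its findings (empty list = passes)."""
    return {ctl.name: check_controller(ctl) for ctl in inventory}


# Constructed inventory: three typical converged devices.
INVENTORY = [
    Controller("door-controller-lobby", "10.50.0.21", "embedded Linux",
               ["telnet/23", "https/443"],
               {"10.50.0.0/24", "10.10.0.0/16"},   # also on the user LAN
               default_creds=True),
    Controller("camera-nvr-1", "10.50.0.30", "Windows Server",
               ["https/443", "rtsp/554"],
               {"10.50.0.0/24"},
               default_creds=False),
    Controller("badge-server", "10.50.0.40", "Windows Server",
               ["http/80", "https/443", "snmp-v2c/161"],
               {"10.50.0.0/24"},
               default_creds=False),
]


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print("  -", f)
```

Run as-is it reports the lobby door controller (cleartext management, reachable from the user LAN, default credentials) and the badge server (cleartext web console, SNMPv2c) while the NVR passes. The useful part is not the script but the agreement behind it: physical security owns the list of devices and what each one is for, IT owns the baseline and the network reachability data, and the two review the output together.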