I recently uncovered a situation in which a company's network-based data center control system (i.e. access, fire, temperature, video monitoring) was vulnerable to attack through an unsecured wireless network. A malicious individual on the street or in the parking lot or nearby buildings could connect and take complete control of the data center. A situation like this can easily compromise the entire building or campus in larger organizations.
Finally, I've noticed that many IT folks would rather converse via e-mail than get on the phone and talk or have in-person meetings. Trying to meet halfway by communicating via e-mail whenever it's reasonable is yet another way to better relate and win them over in day-to-day tasks when working on convergence issues.
Making It Stick
There's a belief that once security policies and procedures are standardized, developed and implemented, everyone can work together in harmony to keep the organization's bytes and buildings locked down. It's not that simple.
As you've likely already realized, convergence will add many conveniences and help establish a better grip on risk management. However, it will also introduce complexities and challenges you've never thought of before and aren't necessarily prepared to take on.
Making convergence work long-term is all about managing change—change in your own career and skill set as well as change taking place on the network and within the physical controls environment.
If physical security is your primary focus, it would behoove you to learn more about information security concepts. I'm not talking about risk basics—they're the same whether you're talking about physical or information security. What I'm referring to are the technical vulnerabilities found in computer systems at the network protocol, operating system, and application levels. A good way to approach your learning is from the bad guy's point of view. This is known as ethical hacking, and it can bring some real-world perspective on just how tightly integrated your physical systems are with the IP network and what can be done to exploit them.
Don't assume that convergence is a technical issue alone. Sure, there are underlying technology concerns that involve IT, but convergence is, by and large, a business issue that requires working out the kinks in your people and processes.
Everyone involved in security has to consider and deal with both physical and information security issues at the same time to manage business risks. This also includes your employees—those everyday end users. They must be made aware of physical and information threats and weaknesses so they can help protect against them; they are the first line of defense, after all. The way to do this is to get the word out and keep it in the front of their minds month after month and year after year.
If you have a network that's tightly locked down but your buildings are wide open, or if you have impenetrable facilities whose controls run over a vulnerable network, you do not have a secure business. It's critical to find a balance between physical and information security, and that's only going to work with better communications and interaction between the departments and with your employees and other users. It's also going to require the right people on both sides who have the authority to make changes. You can't force two departments to play well together, but if the business reasons are outlined and incentives are there to help make things happen, you'll begin to see positive changes.
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Mr. Beaver is creator of the Security On Wheels audiobook series and has authored/co-authored six information security-related books including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.