Now that electronic security systems are IT systems and require computer and network security, it is important to have a grasp of the concepts involved and the roles that the various security devices play. Some security practitioners hold the idea that as long as the security systems are on an independent network (i.e. not connected to the corporate network), concerns about computer and network security do not apply.
Such thinking misses a key point of the situation: today’s networked security systems are vulnerable in ways that previous technologies were not. Those vulnerabilities do not go away simply by installing the security systems as a standalone network. That eliminates some of the threats (such as Internet-based hackers) but it does not fix the vulnerabilities of the systems. The distinction between a threat and a vulnerability is one with which we as security professionals have long been familiar.
Just as closing down a business as a means of eliminating all threats and vulnerabilities is a wrong-headed security strategy, closing off security networks from the communications lifeline of the business (its networks) is similarly incorrect thinking from a security perspective. The aspects of networked security systems that make them vulnerable (such as common network communications protocols) are also the aspects that make them more affordable and enable a more widespread deployment of security technology than would otherwise be possible. They allow us to significantly extend security to protect business assets and operations, at the same time making security operations easier. Those are very desirable benefits.
For us as security professionals, the risk-benefit tradeoff is central to our thinking. Our job is to help the business affordably reduce certain operational risks while still keeping the desired business benefits. We simply need to apply some of our traditional security thinking to our deployment of security technology. What do we tell our organizations and our management about security? We correctly assert that a better understanding of the risk picture will enable better security-related business decisions. It is time that we started taking our own advice.
When it comes to deploying physical security systems, we security practitioners have been like the proverbial plumber who has a leaky faucet at home. We have security gaps in our own security systems! Surely we should take a little time to fix them, right?
The problem is, unlike the plumber’s situation, the technology of our security systems is now foreign to us. We cannot wrap our wits around the issues because when we start looking at the computer and network aspects of our systems, we are bombarded by technological complexities and strange terminology. Additionally, from our own personal perspective as computer users, there are frustrations with using the technologies that have already put us at a distance. (Where did that darn e-mail go? I know that file is here somewhere. Wait a minute, I have to reboot…)
Industry guru Steve Hunt is fond of highlighting one of our basic complaints as security practitioners: that management wrongly considers security as “an annoying layer of cost and inconvenience.” We are frustrated if management will not make any effort to understand and think about the basics of security. But now the shoe is on the other foot, as we have been ignoring computer and network security for our systems and refusing to address their vulnerabilities for almost a decade.
We correctly assert that management needs to pay attention to security because ultimately, management is responsible for the welfare of the business. In the same vein, we ourselves need to pay attention to computer and network security because ultimately, we are responsible for the welfare and sound operation of our systems. Our security operations depend on them. There is also another consideration, which is the career benefit (our value to our organization) of having a basic understanding of IT security.