Who's the Boss?
Practically every organization I've seen handles the roles of CISO (or a similar role such as IT Security Director) and CSO (or a similar role such as Corporate Security Director) differently. In fact, the formal definitions of all these positions have blurred to the point where it seems everyone has a differing opinion about who is responsible for what.
Based on my experience working on the IT side, the IT folks tend to believe that they should ultimately head up all security matters for the organization. That may not be a bad thing. Those in IT security do seem to have the ear of other executives right now. Others are seeing the same thing. Says Jeff Jenkins, vice president of Information Security Governance and Compliance for First American Corp.: “Most CISOs I know — at least those that picked up on the emergence and importance of the topic of risk management — started talking risk management in the boardroom long ago and have easily established themselves as authorities in that realm much more so than physical security folks.”
On the other hand, I have spoken with many physical security professionals who believe that they should have final say-so on all things security-related. Retired FBI agent and former head of corporate security for Goldkist Inc., Jerry Becknell, concurs: “I believe that the CSO should be at the top of the security chain and to limit confusion, there should not be a CISO in the mix but rather an information security officer that reports to the CSO,” he says. “It does not matter if the CSO comes from the physical side or the IT side of the company, as long as he or she gives equal attention to both and understands the security mindset mentioned above.”
As long as the right person with the right mindset and buy-in across the organization is running security, it does not matter which side of the house has ultimate authority over security matters for the business.
Areas of Collaboration
There are two areas where the integration of IT and physical security seems to make the most sense: 1) responding to security incidents and 2) implementing and managing the necessary security technologies. The overlap in both areas is too important for a one-sided approach. “Collaboration comes in the form of incidents with the physical manager notifying and/or turning over control of events and investigations to IT security management — particularly instances such as device theft that can be directly linked to information security risk,” Jenkins says. “In addition to incidents, physical security managers also tend to get IT security management involved when decisions need to be made on physical security strategies and practices such as upgrading DVR equipment to retain CCTV recordings for a longer period of time, expanding use of badges/photo IDs, etc., due to information security policy requirements.”
With all the convergence that's taken place in the past few years, both sides of security have to work together to ensure the right technologies are selected and that overlap and duplication of effort are minimized. This is especially true for system monitoring and administrative functions such as user provisioning. But it pays to approach technology solutions with a critical eye. “The problem I have seen with IT professionals and security is that they tend to think the answer to security concerns rests solely with technical solutions and they fail to see the whole security picture,” Becknell says. “They do not have the mindset that I think every security professional should have. Crooks will always find a way. A more sophisticated lock just requires a more sophisticated crook.”
In my work performing security assessments, I recently came across a good example of what a gap between IT security and physical security can lead to. An organization had a network-based system that controlled all aspects of data center-related physical security. Everything from entry access and logging to temperature monitoring to fire suppression to CCTV was run by this one device on the local network — certainly a worthy technology to use in today's IP convergence. The system was implemented by the physical security side of the business and managed by the IT team.