Who's the Boss?
Practically every organization I've seen handles the roles of CISO (or similar role such as IT Security Director) and CSO (or similar role such as Corporate Security Director) differently. In fact, the formal definitions of all these positions has blurred to the point where it seems everyone has a differing opinion about who is responsible for what.
Based on my experience working on the IT side, the IT folks tend to believe that they should ultimately head up all security matters for the organization. That may not be a bad thing. Those in IT security do seem to have the ear of other executives right now. Others are seeing the same thing. Says Jeff Jenkins, vice president of Information Security Governance and Compliance for First American Corp.: “Most CISOs I know — at least those that picked up on the emergence and importance of the topic of risk management — started talking risk management in the boardroom long ago and have easily established themselves as authorities in that realm much more so than physical security folks.”
On the other hand, I have spoken with many physical security professionals who believe that they should have final say-so on all things security-related. Retired FBI agent and former head of corporate security for Goldkist Inc., Jerry Becknell, concurs: “I believe that the CSO should be at the top of the security chain and to limit confusion, there should not be a CISO in the mix but rather an information security officer that reports to the CSO,” he says. “It does not matter if the CSO comes from the physical side or the IT side of the company, as long as he or she gives equal attention to both and understands the security mindset mentioned above.”
As long as the right person with the right mindset and buy-in across the organization is running security, it does not matter which side of the house has ultimate authority over security matters for the business.
Areas of Collaboration
There are two areas where the integration of IT and physical security seems to make the most sense: 1) responding to security incidents and 2) implementing and managing the necessary security technologies. The overlap in both areas is too important for a one-sided approach. “Collaboration comes in the form of incidents with the physical manager notifying and/or turning over control of events and investigations to IT security management — particularly instances such as device theft that can be directly linked to information security risk,” Jenkins says. “In addition to incidents, physical security managers also tend to get IT security management involved when decisions need to be made on physical security strategies and practices such as upgrading DVR equipment to retain CCTV recordings for a longer period of time, expanding use of badges/photo IDs, etc., due to information security policy requirements.”
With all the convergence that's taken place in the past few years, both sides of security have to work together to ensure the right technologies are selected and that overlap and duplication of efforts is minimized. This is especially true for system monitor and administrative functions such as user provisioning. But it pays to approach technology solutions with a critical eye. “The problem I have seen with IT professionals and security is that they tend to think the answer to security concerns rests solely with technical solutions and they fail to see the whole security picture,” Becknell says. “They do not have the mindset that I think every security professional should have. Crooks will always find a way. A more sophisticated lock just requires a more sophisticated crook.”
In my work performing security assessments, I recently came across a good example of what a gap between IT security and physical security can lead to. An organization had a network-based system that controlled all aspects of data center-related physical security. Everything from entry access and logging to temperature monitoring to fire suppression to CCTV was run by this one device on the local network — certainly a worthy technology to use in today's IP convergence. The system was implemented by the physical security side of the business and managed by the IT team.
The problem was that the system's Web-based management application was left configured with the default password. On top of that it, the system was accessible by anyone within range of the radio signals emanating from the company's unsecured wireless network. Anyone with the right tools, know-how, and a sprinkling of malicious intent could “own” the data center in less than 30 minutes. An attacker could turn off security cameras, grant physical access and cover his tracks by erasing any and all access logs. This is a classic situation where it is almost guaranteed that no one would have ever known about the infraction. There was no real monitoring or management. So, here we have physical security and IT security with a system intended to minimize business risk which, in the end, was creating much greater problems than it was preventing — all because of a lack of communication, undefined responsibilities and little to no accountability.
What Not to Do
Whether you are an IT guru, work on the physical security side, or manage both, there are a few things to be cognizant of and avoid in order to enhance security across the enterprise:
1. Do not make one side or the other responsible for aspects of security outside of their core skill-set. It is easy to simply assign duties based on what feels right or seems appropriate based on what other organizations are doing; however, it pays to look deeper and take organizational style and individual experience and management types into account when it comes to assigning who does what. A security committee could help make these types of decisions.
2. Do not assume that just because security policies, procedures and plans are in place for both sides of security, that they are actually being adhered to and used as they should. In fact, there is often overlap and even conflicting requirements between the two. Make sure everyone is on the same page to minimize effort and ensure consistency when it comes to security policy enforcement and incident response.
3. Never assume that one side or the other is purely an operational burden or “cost center” not adding unique value to the business. There will always be areas where security takes more than it gives, but in today's marketplace, security can almost always be tied back to contributing to the bottom line.
4. Never assume the lines of communication are always open and friendly between both sides. Certain technologies may give the illusion of integration and collaboration but there is no replacing direct feedback from all security players. If you're responsible for managing both sides, simply ask to see what areas can be improved.
Keep in mind that individual contributions to business risk management can be valuable in and of themselves and not necessarily require an integrated approach. “Organizations shouldn't feel rushed to integrate or centralize all physical and information security functions,” Jenkins says. “There is usually a lot more day-to-day headaches and administration that goes on with physical security than most people realize, such as people being locked out of their cars in the employee parking lot, all types of badge requests/maintenance and escorting of visitors/vendors into and through the facilities. Throwing that at the CISO is not only inefficient, but it can seriously detract from his or her focus on managing the information security program.
The type of business and organizational culture will likely highlight areas where collaboration is needed and where it is not. It is a give and take situation and as long as everyone's on the same page with the same business goals — that's what really matters.
"Convergence of the two areas works very well by simply having the CISO govern physical security through policies/standards, physical security managers administer physical security on a daily basis, and both parties converse/collaborate as needed,” Jenkins says.
It's Up to You
Whether it's those who control access to the building or those who control access to the network, one thing's for sure — there is no good answer. In the end, is it worth integrating the management of IT security with physical security? I think so – but only to the extent that it enables a working solution for the organization to minimize risks. That's something only that culture, politics and ways of doing business can define.
At a minimum, collaboration between the two departments should still be on your radar — no matter which side of the fence you are on. That seems to be where the “herd” of most organizations is moving. Following the pack from a compliance and — for lack of a better term — best-practices standpoint, is a good place to be. You will minimize costs by not going overboard while still maintaining a balance of people working towards minimizing business risk. After all, that's what this is all about.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments revolving around compliance and risk management. Mr. Beaver has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance ( Auerbach ). He's also the creator of the Security On Wheels information security audio books providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.