Hand in Hand

Integrating information security and corporate security: Can it work?

The problem was that the system's Web-based management application was left configured with the default password. On top of that, the system was accessible to anyone within range of the radio signals emanating from the company's unsecured wireless network. Anyone with the right tools, know-how and a sprinkling of malicious intent could “own” the data center in less than 30 minutes. An attacker could turn off security cameras, grant physical access and cover his tracks by erasing any and all access logs. This is a classic situation in which it is almost guaranteed that no one would ever have known about the infraction: there was no real monitoring or management. So, here we have physical security and IT security sharing a system intended to minimize business risk which, in the end, was creating far greater problems than it was preventing — all because of a lack of communication, undefined responsibilities and little to no accountability.


What Not to Do

Whether you are an IT guru, work on the physical security side, or manage both, there are a few things to be cognizant of and avoid in order to enhance security across the enterprise:

1. Do not make one side or the other responsible for aspects of security outside of their core skill set. It is easy to simply assign duties based on what feels right or on what other organizations are doing; however, it pays to look deeper and take organizational style, individual experience and management styles into account when deciding who does what. A security committee can help make these types of decisions.

2. Do not assume that just because security policies, procedures and plans are in place for both sides of security, they are actually being adhered to and used as they should be. In fact, there is often overlap and even conflicting requirements between the two. Make sure everyone is on the same page to minimize effort and ensure consistency when it comes to security policy enforcement and incident response.

3. Never assume that one side or the other is purely an operational burden or “cost center” not adding unique value to the business. There will always be areas where security takes more than it gives, but in today's marketplace, security can almost always be tied back to contributing to the bottom line.

4. Never assume the lines of communication are always open and friendly between both sides. Certain technologies may give the illusion of integration and collaboration, but there is no replacing direct feedback from all security players. If you're responsible for managing both sides, simply ask each side what areas can be improved.

Keep in mind that individual contributions to business risk management can be valuable in and of themselves and do not necessarily require an integrated approach. “Organizations shouldn't feel rushed to integrate or centralize all physical and information security functions,” Jenkins says. “There is usually a lot more day-to-day headaches and administration that goes on with physical security than most people realize, such as people being locked out of their cars in the employee parking lot, all types of badge requests/maintenance and escorting of visitors/vendors into and through the facilities. Throwing that at the CISO is not only inefficient, but it can seriously detract from his or her focus on managing the information security program.”

The type of business and organizational culture will likely highlight the areas where collaboration is needed and where it is not. It is a give-and-take situation, and as long as everyone's on the same page with the same business goals — that's what really matters.

“Convergence of the two areas works very well by simply having the CISO govern physical security through policies/standards, physical security managers administer physical security on a daily basis, and both parties converse/collaborate as needed,” Jenkins says.


It's Up to You

Whether it's those who control access to the building or those who control access to the network, one thing's for sure — there is no single right answer. In the end, is it worth integrating the management of IT security with physical security? I think so – but only to the extent that it enables a working solution for the organization to minimize risks. That's something only the organization's culture, politics and ways of doing business can define.

At a minimum, collaboration between the two departments should still be on your radar — no matter which side of the fence you are on. That seems to be where the “herd” of most organizations is moving. Following the pack from a compliance and — for lack of a better term — best-practices standpoint is a good place to be. You will minimize costs by not going overboard while still maintaining a balance of people working towards minimizing business risk. After all, that's what this is all about.