Cisco's Rick Geiger on Converging Physical and IT Security

How security professionals can work together to broaden their impact

The convergence of logical and physical security is a topic that for many years has resembled Mark Twain's commentary on the weather: "Everybody talks about it, but nobody does anything about it."

Today that situation is changing rapidly as companies bring converged technology platforms to market that enable businesses to achieve greater security and lower costs.

For some, convergence has been narrowly defined as assigning each employee a single credential for building access and computer login. Why not go beyond that one-dimensional view and consider an enterprise system, one that expands the promise of convergence as a business security driver? After all, consider the problems we're trying to solve. Consider the business value we're trying to deliver.

The starting point for both physical and logical security should be a threat assessment. Threats vary widely by industry and by company - a casino faces the credible threat of players attempting to defraud its business by cheating, while retail outlets worry about inventory shrinkage, point-of-sale fraud, and shoplifting - but every business must ask itself a series of questions: What are the credible threats? How can they be averted? What level of protection is needed, and at what cost? Is protection the primary goal, or is the primary goal identification and remediation? And what regulatory requirements must be considered?

IT and physical security teams are used to complete control: control of their strategy and control of their budget. And they possess vast experience in their own arenas. Imagine the power of combining the two and leveraging the strengths of both.

Fostering convergence throughout a business - becoming multidimensional with video surveillance, access control, IP networking, application security, and more - creates an interesting opportunity. By formulating an enterprise convergence plan and executing it with trust and teamwork, where each group acts as a resource for the other, security professionals can broaden their impact on a business' operational efficiency. Doing that increases their visibility, elevating them from a back-office tactical function to a strategic asset that proactively defends the bottom line and the integrity of a company's operations.

With all the attention that's been paid to the gulf dividing physical and IT security teams, it's time to rethink the opportunity in front of them. The two groups really aren't that different, especially considering the problems they face. While IT managers are familiar with denial-of-service attacks, physical security managers contend with malicious false alarms that reduce a physical security system's effectiveness. Like IP networks, physical security systems must be designed with multiple layers of protection, and they must have the intelligence and flexibility to isolate sensors that are overwhelmed by alarms and to prevent the system from being compromised.

Recognition of these similarities and their solutions plays a big part in realizing the value of convergence. It is what will bring the promise of a broader, more integrated security infrastructure to life. And while the physical and IT security teams are on the front lines, it's the overall business that will benefit from better results at less cost.

The fruits of this teamwork can manifest themselves in numerous ways. Consider the following examples:

- Unified threat assessment - Credible threats are identified collaboratively, ensuring end-to-end awareness across the security team. The team can make educated decisions that weigh the cost of mitigation against the risk. It can determine whether prevention or notification is more cost-effective. The appropriate personnel respond. Credible, cost-effective response occurs while adhering to regulatory requirements and supporting business needs.
