While at the SecureWorld Expo in Seattle, we met and conversed with a broad variety of security end users, from those who fit the traditional mould to those who are coming over from the IT side. Offered the chance to be anonymous and talk with each other about their concerns and about what works and what doesn't, these folks got candid. The following are some of their most noteworthy comments, presented without the company-specific details that would break their confidentiality.
Their concerns, while representing only a snapshot of the industry, do seem to touch upon common issues and challenges that we're all working through. From CISOs to CSOs to system designers to regional security directors, we heard from them all. See if you can find some shared concerns in their comments below:
On enterprise access control:
"We have card reader access being managed across the enterprise, and it's not taking into account the needs of individual facilities."
On cultural issues:
"We're getting pushed for security. We've had a lot of cultural issues. Being a small company, people just come and go. But then you have something go missing, and the mindset is to initially think it's just the janitorial staff, but then you start to see 'systems' type stuff start to disappear and you have to really start to analyze security."
On card access convergence:
"The big push in the company is to merge logical and physical security cards. It started in 2001 and it took them a while to get software set up for smart card acceptance. At this computer company, user acceptance is a challenge. Everyone here knows computers, so it's hard to develop universal policies and tell someone how to manage their desktop. What starts to pop up are little gangs of people who say, 'This is how we're going to do it - our way.' Fortunately the company has started to put some teeth to its policy; they can finally start enforcing it."
On compliance issues:
"For us, compliance is what's driving IT and physical security collaboration."
On denial of service attacks:
"When you start to think of joint incidents that affect security and IT, we think of denial of service issues and you get your VoIP communications shut down and that's how your guards communicate - they often pick up the phones. You also have to consider what happens if one fiber-targeting-backhoe digs up your main fiber optic line."
On selling security to the C-level:
"I don't think ROI is what sells security. I think there has to be a total value chain. When you're talking to the CEOs and to company administrators, you can't talk in either term, security or IT. You have to talk business."
On the sales force's smoke and mirrors:
"The bull factor from the integrator is getting worse and worse. We're seeing lots of smoke and mirrors."
On losing the connection with your integrator:
"We had a hard time finding a competent integrator. Maintaining a good relationship is hard, because the person we worked with for a long time left and they didn't have anyone else in the area who knew what we needed. When working with integrators, turnover is tough."
On cracking the CEO's password:
"Explaining what best practices are sometimes means a direct security showing. We'll bring together senior managers and have them create a password and then we'll start a ripper program and it will crack their password in a few minutes. We hope our CEO is smarter than my teenager when it comes to security, but I'm not sure."
[Editor's note: The convergence seminars were presented by SIW sister publication Security Technology & Design and are sponsored by HID, Bosch and IPIX. Learn more about SecureWorld Expo online at www.secureworldexpo.com.]