What to Do When Physical Security and IT Meet

Oct. 5, 2005
Effective meetings between security and IT require breaking through the communications barrier

Many discussions and meetings between Security and IT personnel go awry because of a terminology problem that is peculiar to the realms of Physical Security and IT. Because IT includes security elements, the world of Physical Security shares many words with the IT world. The words are similar conceptually, but different in specific meaning.

Security personnel can think that IT's discussion about an Access Control List means a discussion about authorizations for the security cards used to access the building and parking lot. The IT term is a parallel concept, but actually refers to a list that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. Does a security breach inside the perimeter mean that someone forced a door open in the facility, or that a network breach originated on the inside of the firewalls that protect the network? Does traffic level mean the number of people that go through a security revolving door, or does it mean the number of packets being transmitted on a network?

Meeting Fog
It is very common for people to get hung up on a particular point due to this terminology issue. They thought they were tracking with the speaker and then they realize they are not. Not wanting to appear ignorant, or out of concern for being ridiculed, they sit there and try to look alert even though they are fighting a heavy mental fog. It can put people to sleep.

Managers and executives can have the worst time of it, because just as they think a new word or phrase means one thing, it seems to mean another.

IT personnel would be amazed at the number of people who don't know the meaning of the word bandwidth. People can get all kinds of strange ideas when they hear words that they don't understand or for which they have different definitions. Overhearing a sentence like, "Look at the screen, you can see there isn't enough bandwidth," can give someone the idea that the width of the visual image on the screen is what is meant by bandwidth. This has actually happened. And there are people who think that CCTV refers to some cable television station like MTV rather than the camera surveillance system--closed circuit TV.

Meeting Guidelines
Here are some guidelines that can be applied to all meetings, but which are especially important for meetings where both Physical Security and IT topics will be discussed:

- List the topics to be covered. At the start of the meeting, list the various knowledge domains that will be covered in the meeting. Ask for a show of hands if a domain is not a primary subject of expertise. If any hands go up, emphasize the importance of not going past any point that isn't completely understood. Explain that the success of the meeting and the follow-up actions is important enough to take the time to clear up any questions.

- Schedule attendance for mixed agenda meetings. Try scheduling the topics so that people won't be unnecessarily subjected to domain-specific discussions. Someone from accounting should not be expected to sit through a lengthy technical discussion. Skip the technical discussion and give a plain English summary, or schedule the technical discussions first with a limited group and bring others into the meeting at a later point.

- Specify who can answer questions. Sometimes people can think they understand something, only to find later that they don't. By the conclusion of any meeting, make sure you have identified who should be contacted about questions specific to each topic of discussion.

- Check for questions. At the conclusion of each topic, not just at the end of the meeting, check for questions. If being considerate of questions is something new in your organization or department, you may have to overcome the reluctance of some people to ask questions.

- Clearly define terms. Be sure to define each topic term clearly when you first use it, and make it obvious when you are switching topics. You should have definitions written out in advance that use plain language and avoid references to other words that would not be known to the meeting attendees.

- Be brave. Ask a question when you don't understand. Often others will have the same question. Lead by asking. Others will follow your example.

- Be considerate. Be patient in helping someone else understand what you are saying. It's your responsibility as the person speaking to make sure that you get your message across. This means you have to take the steps necessary to clearly explain what you are saying at the level of the listener. Remember what Einstein said: "If you can't explain it to a six year old, you don't understand it well enough yourself."

About the author: Ray Bernard, PSP, heads up Ray Bernard Consulting Services. RBCS is online at www.go-rbcs.com. He can be reached via email at [email protected] or via telephone at (949) 831-6788. This article originally appeared in Security Technology & Design magazine and has been the handout of choice at numerous security conference presentations. Ray Bernard will be addressing a similar topic in the webinar "Bits and Bytes for Security Types: What Every Security Director Needs to Know about IT."

(c) 2003 by Ray Bernard.