Cisco's Rick Geiger on Converging Physical and IT Security

Sept. 18, 2006
How security professionals can work together to broaden their impact

The convergence of logical and physical security is a topic that for many years has resembled Mark Twain's commentary on the weather: "Everybody talks about it, but nobody does anything about it."

Today that situation is changing rapidly as companies bring converged technology platforms to market that enable businesses to achieve greater security and lower costs.

For some, convergence has been narrowly defined as assigning each employee a single credential for building access and computer login. Why not go beyond that one-dimensional view and consider an enterprise system, one that expands the promise of convergence as a business security driver? After all, consider the problems we're trying to solve. Consider the business value we're trying to deliver.

The starting point for both physical and logical security should be a threat assessment. Threats vary widely by industry and by company - a casino faces the credible threat of players attempting to defraud its business by cheating, while retail outlets worry about inventory shrinkage, point-of-sale fraud, and shoplifting - but every business must ask itself a series of questions: What are the credible threats? How can they be averted? What level of protection is needed, and at what cost? Is protection the primary goal, or is the primary goal identification and remediation? And what regulatory requirements must be considered?

IT and physical security teams are used to complete control, control of their strategy and control of their budget. And they possess vast experience in their own arenas. Imagine the power of combining the two and leveraging the strengths of both.

Fostering convergence throughout a business - becoming multidimensional with video surveillance, access control, IP networking, application security, and more - creates an interesting opportunity. By formulating an enterprise convergence plan and executing it with trust and teamwork, where each group acts as a resource for the other, security professionals can broaden their impact on a business' operational efficiency. Doing that increases their visibility, elevating them from a back-office tactical function to a strategic asset that proactively defends the bottom line and the integrity of a company's operations.

With all the attention that's been paid to the gulf dividing physical and IT security teams, it's time to rethink the opportunity in front of them. The two groups really aren't that different, especially considering the problems they face. While IT managers are familiar with denial-of-service attacks, physical security managers contend with malicious false alarms that reduce a physical security system's effectiveness. Like IP networks, physical security systems must be designed with multiple layers of protection, and they must have the intelligence and flexibility to isolate sensors that are overwhelmed by alarms and to prevent the system from being compromised.

Recognition of these similarities and their solutions plays a big part in realizing the value of convergence. It is what will bring the promise of a broader, more integrated security infrastructure to life. And while the physical and IT security teams are on the front lines, it's the overall business that will benefit from better results at less cost.

The fruits of this teamwork can manifest themselves in numerous ways. Consider the following examples:

- Unified threat assessment - Credible threats are identified collaboratively, ensuring end-to-end awareness across the security team. The team can make educated decisions that weigh the cost of mitigation against the risk. It can determine whether prevention or notification is more cost-effective. The appropriate personnel respond. Credible, cost-effective response occurs while adhering to regulatory requirements and supporting business needs.

- Integration with IT systems - The job responsibility and location of each employee should correspond to a role. The role should determine most of the appropriate permissions for network and application access, building access, and access to high-security locations. Without integration, privileges and permissions are often assigned individually and tracked manually, creating a considerable administrative burden. When an employee's responsibilities change or employment is terminated, the human resources system can automatically trigger a change in the employee's privileges and permissions. The result is enhanced control with more consistent business policy enforcement.

- Event correlation and investigation - An incident occurs. Data is available immediately. Surveillance video is used efficiently. Access control entry and exit transactions are identified. IT transactions from point-of-sale or other application systems are identified as well. Records are retrieved for persons of interest. Confidential data is protected until regulatory and legal requirements are met, and it is made available at a forensic quality suitable for legal submission. The result is a faster response to, and resolution of, events, with enhanced productivity, all of which lowers the cost of security while reducing the financial and operational disruption to the business.

- Business continuity and emergency preparedness - Plans are created for recovery from fires, hurricanes, tornados, earthquakes, and other disasters. Collaboration is required to ensure that IT and physical security issues are an integral part of the plans. Code requirements dictate emergency exit requirements for fires or other emergencies. In the event of an attack, is the facility locked down? What implication does a lockdown have for the corporate network? What access, both physical and network, is provided to first responders? Do the disaster recovery backup facilities provide both IT and physical security capabilities? Greater collaboration ensures greater efficiency and organization.

The convergence of a business' security systems is not one-dimensional. It's more than just using an access control credential for computer login. It is an opportunity. An opportunity to be ambitious and to evolve business security in a collaborative, multilayered fashion that incorporates access control, video surveillance, IP networking, and more into one powerful security infrastructure. Convergence is an opportunity for applying IT technology and processes to physical security, and applying physical security planning, analysis, and event response to IT. It creates an opportunity to use the strengths of two teams to forge one coordinated unit that protects all areas of a business.

But most of all, convergence is an opportunity for physical security and IT to work together for the betterment of both departments, and, in turn, for the betterment of the businesses they are enlisted to protect.

About the author: Rick Geiger is the director of engineering for Cisco Systems’ CSIBU. Prior to joining Cisco, Rick was the vice president of engineering for GE Security, and before GE was the vice president of engineering with Interlogix. He was also CTO of Itron, responsible for developing wide-area wireless networks for utility telemetry and SCADA systems, and is a senior member of IEEE.