A former vice president of security at a mid-size southwestern U.S. company vows to take a much harder look at his next employer's security culture after spending almost two years embattled with the IT manager over turf and the manager's disregard for physical security matters.
In one case, the VP requested new security cameras after an incident with an intruder at the front desk that was difficult to investigate because the existing cameras were not working properly. Instead of fixing the cameras, the IT department, believing the cameras were its domain, set up a webcam at the front desk that the receptionist would have to activate and point toward the intruder in an emergency.
"The IT guys don't understand personal and physical security. If someone comes to the desk, in a high-stress encounter the receptionist won't be able to handle the intruder and manipulate the camera," the former VP says. "Security needs the IT pipes, but the physical and personal security domain is not his responsibility."
Meanwhile in Chicago, an IT executive attending the International Information Systems Security Certification Consortium, or (ISC)2 World Congress in September voiced concern over physical security leaders being more interested in "getting into the IT game," rather than working together with IT management.
"It's more like 'we're integrating our badge system to Active Directory, or moving it into the cloud.' Those things scare the hell out of me," he said. "Now the attack surface is going to be much bigger because they're not doing their due diligence" with the IT side.
Sound familiar? For many companies, bridging the security gap between information and physical protection remains elusive.
No doubt, all security professionals are on high alert with increases in data breaches, insider threats and concerns about advanced persistent threats, where adversaries use multiple attack vectors, including cyber, physical and deception. With these threats, gray areas of vulnerability are emerging where IT and physical security issues overlap, leaving both sides pointing fingers when security gaps are discovered.
This summer, the ASIS Foundation and the University of Phoenix convened a national roundtable to identify the top security risks the U.S. security industry will face in the next five years, as well as the necessary competencies that security professionals will need to succeed in the future threat environment. A key finding in their report, Enterprise Security Risks and Workforce Competencies, addressed skills gaps in the security industry, underscoring the need for security professionals to possess a strong business foundation in order to link security goals with overall corporate strategies and to position security as a facilitator across business functions. Among the recommendations were educational programs and a joint partnership with (ISC)2 to help blend physical and informational security into one comprehensive responsibility.
Convergence "is quite capable of being done," says Joe McDonald, an ASIS board member. "Some people want it, but that doesn't mean their organization does." Most executives find convergence unrealistic because very few security professionals have sufficient skills in both realms, according to the report.
Security headhunters are already seeing a sharp increase in requests for security executives with a broad range of skills, especially in the last three years. "Quite frequently hiring managers are saying 'We want somebody who can work collaboratively, who has a certain baseline of knowledge [about physical and IT security] and the ability to understand and advance both programs,'" says Kathy Lavinder, executive director and founder of SI Placement in Bethesda, Md. "But a lot of organizations haven't gotten to that point and are still struggling with it. It's very much a work in progress."
Today the relationship between information and physical security is often described as adversarial by industry executives, with one team feeling threatened that the other side is taking over its responsibilities.
Experts agree that the problem will likely play itself out in the next decade or two as tech-savvy college grads reach the executive levels of security, but today's threats require companies to break down silos and make security more seamless right now. What's more, changes must be implemented from the top down.
Industry leaders on both sides of the security spectrum offer best practices for uniting information and physical security teams toward a shared goal.
One easy starting point that is often overlooked is basic communication. "Both sides must communicate what their tasks are and why they are important," says McDonald, who is also CSO at data center company Switch in Las Vegas. In his position, McDonald oversees both physical and IT security, with VPs specializing in each discipline handling daily operations.
"There are more similarities than there are divergences between the two roles. They just have different tool boxes," he says. Instead of walking a site, information security staff is looking at data logs for anomalous data packet loads. "That's no different from physical security staff looking at an access control system" to see why somebody tried to use the same reader four times at an entrance door they shouldn't be using, he explains.
Once the overlapping tasks have been identified, "it takes a lot of good policies and procedures to bring people, technology and processes together to make it work," he adds.
Many of the rivalries and misunderstandings come down to how the industry defines security, says Tim Williams, CSO and director of information risk & enterprise security at Caterpillar Inc.
"In any company you have a multitude of definitions of security" for people with security in their titles. "If we could change our titles to 'risk' and say we're both trying to mitigate security risks in the corporation, it's a much better platform for discussion because it can be translated into concepts that both sides can understand."
Williams calls his strategy an "all-hazard approach" to security risk, "but you have to be careful not to converge too much," he adds. "Rather than just pushing the departments together, I'm being very careful to engage the two groups with each other only where it makes sense. We're still learning that new art."
Similarly, (ISC)2 member Chris Nickerson suggests the groups should be united under the umbrella of "asset protection."
"In very highly secure companies, those teams are under asset protection in general -- whether physical, audit or IT," explains Nickerson, founder of Lares Consulting, which helps companies identify those gray areas where physical and IT security intersect. Together they're involved in every asset protection decision in the enterprise, he adds. And while some duties may require only one area of security expertise, they are all involved in new projects up front, identifying the processes and whether their expertise might be able to help, he says.
Find a Common Adversary
Nothing unites a group of people like a common enemy. To get the ball rolling, many companies hire a consulting firm to model an adversary to attack, compromise or manipulate the environment.
"What universally works is straight-up putting them through a war," says Nickerson, whose "Red Team" regularly infiltrates companies at their request and exploits gaps where information and physical security intersect. For instance, at one company, what started as an employee password accidentally exposed on his LinkedIn page turned into infiltration of the company's VPN and badge system and culminated in Nickerson illegally entering the facility with a stolen key code.
"That really gives them some religion," Nickerson says. "The biggest thing that grows out of this isn't the fixes, it's those teams working together and having a common goal: stopping me."
It's not just a game. Nickerson models the type of attacks the company is most likely to face in real life based on its possible adversaries and their capabilities. "It's fighting the most logical fight."
Arm Yourself with Knowledge
When Lavinder speaks to security groups about the future employment landscape, her advice is always the same -- keep acquiring new skills that give you a broader spectrum of security knowledge.
"I don't think you have to go back and get a graduate degree. You can do a certificate program or a certification through a qualified organization such as (ISC)2 or CISSP," she says.
Beyond courses, security professionals must engage in personally driven learning, she adds. "Go out and educate yourself about these issues. Join groups, listen to presentations and Webinars, read trade publications -- just be engaged in the dialog -- you have to be proactive. The smart people are already trying to fill in that gap in their resumes."
Professionals who are already employed and looking to bridge the security gap inside their own company are advised to know the business. "Use risk and risk mitigation as your common platform for discussion, and understand your management team and what they're asking for," Williams says. "Better yet, write a strategy together on how you're going to mitigate those risks. If you learn to carry out each other's agenda, not only does that show commonality, it also shows collaboration."
If convergence is inevitable, Williams says, "the person who will take over will be the one who can articulate the risks to senior management in a way that they can clearly see the business imperative."