Hey, here’s a good idea: let’s have the part of facilities management that deals with the physical security of the office park, the factory, and the government facility work with the folks that handle IT Security. Let’s put those folks together in a room, see where there’s overlap, eliminate duplication of effort and maybe even save money by flattening the overall “security” management system. It’s all “Security.” Yeah, that should work. Bring them together.
Oh boy.
Let’s take the way-back machine for some literary perspective. In 1959, novelist and scientist CP Snow delivered his The Two Cultures lecture. Its central thesis was the breakdown of communication between the sciences and the humanities. Snow said this was a major hindrance to solving the world’s problems. He likened it to a rift, a lack of understanding, maybe tinged with hostility, between scientists and literary intellectuals.
Okay, it’s not an exact comparison. Putting that aside, we hear a recurring opinion that the physical and cyber security communities need to come together, to communicate better, and to leverage what one discipline knows to the other. The problem is that the message usually comes from vendors pushing a “converged” solution.
Let’s face it. The former military or law enforcement types, representing those who patrol the parameter, guard the parking lot gates and supervise visitor check-in don’t have much in common with the geeks from the IT department and vice versa. The facilities management people handle fencing, building access, foot patrols, keys and locks. The IT security people run firewalls, intrusion protection systems, the Identity and Access Management systems and all the rest of that “stuff.”
They come from two different cultures, but they have a similar mindset and mission, filtered through risk analysis.
Despite the differences and faulty management thinking that “security is security,” organizations are putting together aspects of physical and IT security. Good things can come from it, IF expectations are reasonable. The title Chief Security Officer (CSO) implies managing ALL security and some companies and agencies have recruited or promoted folks to CSO. The job can be a career stepping stone for someone with the confidence and background to handle it, but it’s a risky step for someone making a power play or for an empire builder.
Unless you’re in a large organization which can support a qualified CSO reporting to a Chief Risk Officer or equivalent, a better alternative is to look for projects which bridge the cultural gap to improve physical plant protection, protect IT resources, protect intellectual property and consolidate compliance and regulatory reporting — while saving money.
Physical and IT security projects usually converge first on access control, be it gated doors or enterprise IT systems. For example someone who hasn’t officially entered the building shouldn’t be able to log on to sensitive applications or enter sensitive locations such as the data center. That seems logical. But there are challenges. The directories don’t necessarily synch up with one another, and don’t necessarily identify entitlements, responsibilities and restrictions across domains, requiring directory strategies as well as connectors to consolidated management consoles and reporting systems.
But overcoming such challenges is possible, and the benefits can be significant. An Identity and Access Management (IAM) system has more value when it can be leveraged, not only through a Physical Access Control System (PAC), but also in other protective projects such as data loss prevention, security incident response and business continuity planning.
To be sure, some organizations need correlation between physical and information technology security more than others. For example, pharmaceutical researchers need to prevent cross-contamination between human and animal research. Food processing and other manufacturing plants also need tight application and physical access policies due to regulations or separation of duty concerns.
A number of IT security vendors sell PACs themselves or work with partners to bridge the physical and IT access divide through policy-based management and shared directories. We’ve also seen vendor mergers in access control One company sold electronic locks and bought another bringing identity management solutions to the party.
A number of niche vendors have appeared over the last few years bringing industry sector-specific knowledge of required regulations and reporting mandates along with consolidated management consoles. Examples include Alert Enterprise (Fremont, CA) and Quantum Secure (San Jose, CA).
But the fundamental problem facing organizations remains bridging the two cultures and getting everyone to get along for the betterment of the company.
Rather than force-fit a CSO on top of the physical and IT parts of security, a federated approach is a better strategy to encourage collaboration to leverage the skills, knowledge and disciplines of both sides of the house for mutual benefit. Collaboration benefits include improved overall security through better communications and cross-training among those responsible, streamlined processes, and better information sharing.
Cost savings are possible by leveraging common infrastructure, policies and staff. Considering both physical and IT security requirements as appropriate can lower procurement costs. For example, IP-connected surveillance cameras can carry images on the existing corporate network rather than deploy separate cabling or wireless links.
There are challenges based on corporate tendencies to decentralize functions, diluting the potential value of joint projects. Vendor selection may be problematic because the market has limited vision in this context. There are issues in checks and balances: if a theft occurs, will an IT security department “perp” be able to cover up digital forensic tracks?
But the biggest challenges are inertia and overcoming the cultural differences on a personal level. Distrust, fears of being devalued under another department, and other concerns may prevent meaningful discussions and project movement in the first place.
Yet building stronger relationships through joint security projects can bring beneficial results, and the conversation should take place. We should all be able to get along when it comes to securing the workplace.
CP Snow reconsidered the two cultures problem a few years later after his original 1959 lecture. Contemporaries introduced the idea of the Third Culture, essentially a coming together to reconcile or mediate differences. The idea of two cultures in security can lead to unnecessary fence building and turf protection.
But just as scientists and literary intellectuals still have differences, today physical security and cyber security remain two cultures – two cultures that can learn from one another if those differences can be appreciated and the commonality be co-joined to create a third culture which has scope and vision to make good things happen in the realm of converged security.