Converging physical and information security: a marriage between cats and dogs
It has been talked about for decades, but the question is whether it often happens successfully: converging physical and information security. Yes, there are systems, solutions, ideas, frameworks and suppliers, but in most organizations securing buildings and securing data happens in separate silos. Although security risk mitigation in enterprises may span both worlds, in operational reality information security and physical security are rarely aligned. Why is that? Both areas of expertise deal with business continuity. Both protect corporate assets. Both deal with threat assessment. Both monitor daily operations and watch for deviations. Both deal with incidents and alarms. Both deal with recovery after security incidents. So it makes all the sense in the world for physical security and cyber security to be subject to the same company policies, to be managed by the same executives and to be entangled technically and organizationally. But reality is stubborn. Let's look at a few reasons.
They stem from different worlds
The first reason is obvious: the two activities come from different worlds. Not too long ago in enterprise environments, and still today in smaller organizations, securing the building is considered a facility management task, while securing information is an obvious task for the IT manager. Facility managers and IT managers have different backgrounds and speak different languages. Getting them to coordinate can be a challenging task.
They have always protected their own infrastructure
IT managers feel responsible for the ICT infrastructure. They are held accountable for operational continuity by safeguarding the availability of that infrastructure. Physical security managers install access control systems, fire and intrusion detection systems and video surveillance systems that also need to be up and running to keep the physical operation going. IT managers were cautious about allowing alien systems onto the corporate IP network. Physical security managers trusted their dedicated (often CAN-based) networks, and even when the physical security world moved to IP networks, physical security managers often regarded IT managers as a potential source of delay in the roll-out of access control systems.
Neither supports core organizational processes
Despite their importance in safeguarding business continuity, and despite all kinds of efforts to add value to their systems and solutions, neither IT security nor building security is regarded as core business. Both security functions are subordinate to activities that are perceived as core business. Buildings and facilities need to support corporate staff in doing their jobs; IT infrastructures are expected to do the same. Dealing with continuity risks is usually not the most appealing topic in board rooms. And if the chief executives don't care about it that much, it is challenging for the departments involved to make convergence a reality.
Dealing with a technical reality
Combining physical and information security may be a logical and attractive concept, but the technical reality is often very different. Manufacturers often claim that their systems are open. But having multiple 'open systems' in your corporate realm does not mean that these systems, and the people who use and manage them, magically start working together.
In reality most systems have their own way of identifying and authorizing users. They have their own front-end and their own core engine. They use their own database and have their own setup and configuration options. Administration and operational management differ for almost every system. How do you break these technical security silos?
Convergence is an abstract and complicated concept
What does convergence mean? Where are the organizational, conceptual and technical intersections and meeting points of these two worlds?
At a basic level you would want the two functions to acknowledge each other's existence and be willing to communicate and collaborate where it makes sense. After all, physical security systems rely on the corporate ICT infrastructure, and a large chunk of the ICT infrastructure is housed in buildings and relies on physical security to manage access to it. In a perfect world, this basic communication would grow into structural collaboration, which could lead to more effective security risk prevention and mitigation, and potentially to some operational efficiency. Time and attendance systems built on access control are a common and logical example of an application that results from this collaboration. It even 'supports the business', making it a core function of the organization.
Managing identities and granting access to rooms, applications and information (IAM, Identity and Access Management) would be the logical next step in consolidating efforts, and could result in true SSO (Single Sign-On) implementations. That would be of great benefit in the successful onboarding and offboarding of staff: one identity record, one place to grant rights and one place to revoke them.
The technical openness of systems (where it exists) could enable smart applications in which systems exchange information. Why should I get access to a workstation when I am not in the room? If I am a roaming employee, are my IT access rights and configuration (for printing, for example) changed on the fly when I enter the building in another country?
Would it not make sense to look at the back-end of both functions as well? Can we still afford to look at security incidents in isolation? Should Security Information and Event Management (SIEM) not cross the border between physical and IT security, instead of looking only at the ICT infrastructure? A badge swipe and a workstation logon are two observations of the same person; seen together they can confirm each other or contradict each other, and a contradiction is exactly the kind of deviation both functions exist to catch.
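A concrete form of the cross-border correlation described above is to check every workstation logon against the badge data: is the user actually inside the building the workstation sits in? The following is an added example and not code from the original article or from any product; the log formats, site codes, user names, the 12-hour maximum age of a badge-in, and the sample log lines are all constructed assumptions for illustration.

```python
"""Correlate physical badge events with workstation logons.

Added example, not part of the original article. Log formats, site codes,
user names and the rule thresholds are assumptions; the sample log lines
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed access-control log: one "in"/"out" swipe per line.
BADGE_LOG = """\
2024-05-03T07:50:02 badge user=carol site=AMS action=in
2024-05-03T08:02:11 badge user=alice site=AMS action=in
2024-05-03T08:30:45 badge user=dave site=AMS action=in
2024-05-03T12:10:09 badge user=carol site=AMS action=out
"""

# Constructed workstation logon log: each host is tagged with the site it sits in.
LOGON_LOG = """\
2024-05-03T08:15:30 logon user=alice host=ams-ws-17 site=AMS
2024-05-03T08:45:12 logon user=dave host=nyc-ws-01 site=NYC
2024-05-03T09:00:00 logon user=bob host=lon-ws-04 site=LON
2024-05-03T12:30:41 logon user=carol host=ams-ws-22 site=AMS
"""


@dataclass
class Event:
    ts: datetime
    kind: str               # "badge" or "logon"
    fields: Dict[str, str]  # key=value pairs parsed from the line


def parse_line(line: str) -> Event:
    """Parse '<iso timestamp> <kind> k=v k=v ...' into an Event."""
    ts_text, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), kind, fields)


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def site_of_user(badges: List[Event], user: str, at: datetime,
                 max_age: timedelta) -> str:
    """Return the site the user is physically in at time `at`, or "" if none.

    The most recent swipe before `at` decides: an "in" swipe no older than
    max_age places the user at that site; an "out" swipe, a stale "in" swipe
    or no swipe at all means the user is not in any building we know about.
    """
    latest = None
    for ev in badges:
        if ev.fields["user"] == user and ev.ts <= at:
            if latest is None or ev.ts > latest.ts:
                latest = ev
    if latest is None or latest.fields["action"] != "in":
        return ""
    if at - latest.ts > max_age:
        return ""
    return latest.fields["site"]


def find_anomalies(badge_text: str, logon_text: str,
                   max_age: timedelta = timedelta(hours=12)
                   ) -> List[Tuple[str, str, str]]:
    """Flag workstation logons that the badge data cannot explain.

    Returns (user, host, reason) in logon order for each logon at a site where
    the user has not badged in, has already badged out, or is badged in at a
    different site. Logons that match a valid badge-in are silent.
    """
    badges = parse_log(badge_text)
    anomalies: List[Tuple[str, str, str]] = []
    for ev in sorted(parse_log(logon_text), key=lambda e: e.ts):
        user, host, site = ev.fields["user"], ev.fields["host"], ev.fields["site"]
        where = site_of_user(badges, user, ev.ts, max_age)
        if where == site:
            continue  # badge data places the user in the same building as the host
        if where == "":
            reason = f"logon at {site} with no valid badge-in"
        else:
            reason = f"logon at {site} while badged in at {where}"
        anomalies.append((user, host, reason))
    return anomalies


if __name__ == "__main__":
    for user, host, reason in find_anomalies(BADGE_LOG, LOGON_LOG):
        print(f"{user:6} {host:10} {reason}")
```

Run against the constructed logs, the rule is silent for alice (badged into AMS, logged on in AMS) and flags the other three: dave is badged into AMS but logs on to a New York host, bob logs on in London without any swipe, and carol logs on in AMS after badging out. Two caveats a practitioner will hit immediately: many buildings have no exit readers, so "out" events may simply never exist and the max-age window becomes the only thing that expires a presence, and tailgating means a missing badge-in is a signal, not proof. The rule is therefore best treated as an enrichment that raises the priority of an alert rather than as a blocking control.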
Ultimately, security risk management at corporate level (ERM, Enterprise Risk Management) is a strategic topic that belongs in the board room. Corporate policies and measures should apply to all security functions, not to one silo at a time.
Convergence is an absolute necessity
Many of the examples given here are already happening in many organizations, so convergence of the two security functions is certainly not a lost cause. And we can't allow it to be, because the nature of international security threats is changing. The boundaries between our physical and virtual worlds are shifting. Physical infrastructures rely on ICT infrastructures; ICT infrastructures are housed in, and protected by, physical infrastructures. Private and public organizations alike can no longer afford to rely only on the good intentions and initiatives of the professionals in each security silo. Our world is changing. Globalization has intensified commercial competition in key industries. International political and commercial rivalry has hardened. Digitization has changed the rules of the security game.
Security convergence is not a buzz word. It is a necessity. Do you agree?