
Blog Author

David Lacey


The Jericho Forum
Honorary Fellow

David Lacey's blog 05-08-2009 15:09

The convergence of information and physical security

In my last blog posting I mentioned the growing trend to join up information and physical security. A few people have asked me to expand on this topic. Why is it happening? Where is it happening? And is it a good thing? The short answer is that it’s an inevitable trend that will impact all organisations, with both good and bad consequences.

Personally, I’ve never been a big fan of joining up these functions. I don’t see much synergy between a technician who configures firewalls and an investigator who kicks down doors. I’ve seen such mergers tried, and I’ve seen them fail. The main problem is the combined problem space, which is far too big. Each subject area already exhibits a richness and complexity that is at the limits of practical professional development. We don’t have enough professionals today who can comfortably span the combined security spectrum. Tomorrow it will be more difficult, given the growth and the pace of change in both subjects.

But information and physical security are increasingly converging, not only in large organisations with big centralised functions, such as high street banks, but also in small enterprises with part-time focal points. The primary drivers are political ones, such as the reduction of senior management headcount and the simplification of reporting lines. It’s not about synergy of activities. Restructuring is a top-down, political process, not a bottom-up, logical exercise.

Growth in the significance of the human factor in information security breaches is also a consideration. Data breaches scare executive boards. Information security demands a high-profile education programme to help reduce losses of laptops and USB sticks. The most pressing physical security issues are now associated with the control of information and technology, rather than the guarding of buildings.

When you drill down into the subject matter, the vast majority of information security and physical security activities are quite separate, requiring different skills and experience. Many projects require both sets of skills, but that doesn't mean that they have to be joined up. Identity management programmes, for example, are by their nature multi-disciplinary, involving a range of stakeholders from legal to HR professionals. They don’t need to report into a single management point, though they would clearly benefit from unified direction.

In my view you can't put a 50% expert in charge. Executive boards expect security directors to be equally comfortable fielding questions about international terrorism and finding simple solutions for board members to access their email securely from hostile locations. You can’t get off the hook by saying “that’s for the IT department” or “I’ll need to consult one of my staff”. It simply won’t wear.

Non-technical activities such as policy, audits, education and investigation are the areas that are most likely to benefit from being joined up. Architecture, network security and vulnerability management are far too specialist for physical security to make a substantial contribution. And major investigations and prosecutions cannot be left in the hands of armchair enthusiasts. But somehow we have to bring it all together.

In practice, information security has always been a component of physical security, and vice versa. Whichever side dominates at any one time is more a matter of politics, fashion and personality. Attempts to bring information security under physical security following 9/11 were not successful. But information security has now overtaken physical security in both visibility and importance, so it’s likely that IT professionals will increasingly take the leading role.

The combination of physical and information security provides new opportunities for converged projects, such as identity management. But they will be the prize rather than the driver of the merger. A converged security function will have greater political leverage and incident data to support new initiatives such as identity management, security monitoring and security education. These goals might not be the catalyst for the change, but they will be the serendipitous consequence.



Permalink:
http://www.infosecurityadviser.com/view_message?id=135

© 2008 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs