Whether or not you buy into the convergence buzz and the trends associated with it, physical and information security are melding. Convergence has evolved from a theory with a lot of marketing hype to a business and technology necessity in which both physical security and IT managers will play a critical role. All of today's compliance, governance and competitive challenges are forcing physical and information security to work together. When they do so effectively, they can be seen as business enablers and competitive differentiators supporting the organization's mission and goals. But what's it going to take to make it work?
The Trickle-Down Effect
Just like any business initiative, convergence requires business leaders to help create a new mindset. For security convergence to work, a new way of thinking about business risks has to trickle down from the top. This will require upper management to not only influence change but to facilitate it with proper guidance, budget and oversight. Business leaders must create a trusting environment between physical and information security (which is for the most part IT) that treats both as equally important.
The people I see taking the lead on this are neither physical security managers nor IT managers. Rather, I'm seeing CFOs, COOs, and even CEOs stepping up to the plate to make sure their organizations aren't exposed to unnecessary risks. I credit a large part of this executive awareness to all the federal and industry regulations that have been thrust upon us recently. Non-security executives understand enough about what's going on with technology and security to realize that it's a serious business issue that warrants both sides working closely together.
Gravitating Towards a Center
There's been a disconnect between physical and information security, but there's often also a lot of overlap and duplication of efforts between departments. I often see team members writing policies, developing security plans and implementing technologies all on their own, while their counterparts are doing the exact same tasks.
However, in performing security assessments for organizations both large and small, I'm now seeing a lot of positive changes with regards to user provisioning, incident response, and especially the integration of security technologies. Vendors are making both sides of the security coin more manageable in a centralized fashion. Sounds elementary, but it's exactly what convergence needs.
I'm also seeing the incorporation of both physical and information security systems within the scope of ongoing security assessments and formal audits that organizations are either outsourcing or performing internally. In fact, many people performing these assessments and audits are using standards such as ISO/IEC 17799:2005. ISO/IEC 17799 is an information security-centric standard, yet it includes a significant portion on physical controls. In fact, it has an entire section on physical security that includes 13 subsections.
Similarly, you can look at any of the big federal or industry security regulations, such as the HIPAA Security Rule, GLBA Safeguards Rule, and the PCI Data Security Standard, and see the trend of incorporating physical security with information security. Physical security is on the radar of most of those involved in information security. In fact, it's becoming a well-known principle that you can't have good information security without good physical security.
Information Security: An Invisible Problem
The problem is, there's still not enough interaction between the physical and IT teams to make risk management and “security” in general as effective as they could be. I'm still seeing quite a bit of finger pointing and “not my job” mindsets. Many people still don't see the value in information security. Management, by and large, has always bought into physical security. It's easy to understand why, given that the risks and business value are so clear.
Information security is different, though, and is thus being adopted and supported more slowly in practically every organization I've seen. It's easy to ignore problems we can't see and don't understand at the bit-level, but that doesn't mean information security problems don't exist. Between the well-publicized information breaches, the malware outbreaks, and the obvious concerns associated with mobile devices, management will begin to recognize that information security is a critical business issue as well.
What's Your Job?
The disconnect between physical and information security can also be attributed to a lack of understanding—on both sides—of what the other team does. The similarities between physical and information security are almost too obvious; people don't realize just how closely they operate. Both functions require the identification and classification of assets, assessment of risks, enforcement of policies and implementation of countermeasures, as well as incident response and business continuity. At the most basic level, they're literally identical, yet they often seem unrelated.
Know Your “Enemy”
Having been an IT guy my entire career, I know what it's like to be on this side of the fence. More important, I know how a lot of IT professionals work best and want to be treated. In a military context, if you know your “enemy” (that is, the IT team members) you can use this information to your advantage to learn how to deal with them more constructively to create a win-win for both teams. This will help you with short-term tactical issues such as system upgrades, as well as longer-term strategic issues such as security policy and plan development.
How Much Do They Know?
The first thing to know is that most IT team members, as much as they'd like for you to believe otherwise, don't know everything about information security. This is especially true in organizations where there's no dedicated information security team—that is, where IT does it all. In fact, the majority of IT professionals I know understand mostly the technical underpinnings of information security (firewalls, access controls, and so on) and not the operational and procedural functions that are more important. Of course, every situation is different, and some IT folks know a ton about information security, but if you at least keep this in the back of your mind, you'll be able to better relate to them. In fact, you could share your knowledge of risks and business processes so your teams can help balance each other out in many respects.
A Different Mindset
One difference between physical and information security is that physical security is more about preventing attacks, whereas IT professionals are often so caught up in day-to-day operations that information security is more reactive. It's therefore important to know that IT's perspective on incident response is often very different from physical security's. There's often a lack of formal procedures and protocols. For IT, incident response is sometimes a fly-by-the-seat-of-the-pants operation: unplugging network cables, rebooting systems, and so on.
A strong converged environment should rely heavily on well-documented plans and procedures. You can work with IT on risk and process and let them drive when it comes to what to do and what not to do with the technical systems.
Protect Converged Technologies
The technology and information security components of the newer Web-based access control systems have added a new set of requirements for the physical security side of the organization, especially with regard to dealing with the IT team. When it comes to convergence and placing your sensitive physical security control systems on the IP network, there are several things that are often overlooked.
First, there's a trend I'm seeing whereby physical security management expects and assumes that the IT team has completely secured the network infrastructure. This is rarely the case. Unless the IT team has complete control of their environment (which is very unlikely), your physical security-related systems are going to be integrated into an otherwise insecure network. Integrated physical security control systems have operating systems and network cards just like any other computer on the network and can therefore be exploited. In this situation, the entire organization, not just the digital assets, is at risk. Work with IT to ensure network-based systems and other physical security controls are locked down and protected from attack to the greatest extent possible.
I recently uncovered a situation in which a company's network-based data center control system (i.e. access, fire, temperature, video monitoring) was vulnerable to attack through an unsecured wireless network. A malicious individual on the street or in the parking lot or nearby buildings could connect and take complete control of the data center. A situation like this can easily compromise the entire building or campus in larger organizations.
Finally, I've noticed that many IT folks would rather converse via e-mail than get on the phone and talk or have in-person meetings. Trying to meet halfway by communicating via e-mail whenever it's reasonable is yet another way to better relate and win them over in day-to-day tasks when working on convergence issues.
Making It Stick
There's a belief that once security policies and procedures are standardized, developed and implemented, everyone can work together in harmony to keep the organization's bytes and buildings locked down. It's not that simple.
As you've likely already realized, convergence will add many conveniences and help establish a better grip on risk management. However, it will also introduce complexities and challenges you've never thought of before and aren't necessarily prepared to take on.
Making convergence work long-term is all about managing change—change in your own career and skill set as well as change taking place on the network and within the physical controls environment.
If physical security is your primary focus, it would behoove you to learn more about information security concepts. I'm not talking about risk basics—they're the same whether you're talking about physical or information security. What I'm referring to is technical vulnerabilities found in computer systems at the network protocol, operating system, and application levels. A good way to approach your learning is from the bad guy's point of view. This is known as ethical hacking, and it can bring some real-world perspective of just how tightly integrated your physical systems are with the IP network and what can be done to exploit them.
Don't assume that convergence is a technical issue alone. Sure, there are underlying technology concerns that involve IT, but convergence is, by and large, a business issue that requires working out the kinks in your people and processes.
Everyone involved in security has to consider and deal with both physical and information security issues at the same time to manage business risks. This also includes your employees—those everyday end users. They must be made aware of physical and information threats and weaknesses so they can help protect against them; they are the first line of defense, after all. The way to do this is to get the word out and keep it in the front of their minds month after month and year after year.
If you have a network that's tightly locked down but your buildings are wide open, or if you have impenetrable facilities whose controls run over a vulnerable network, you do not have a secure business. It's critical to find a balance between physical and information security, and that's only going to work with better communications and interaction between the departments and with your employees and other users. It's also going to require the right people on both sides that have the authority to make changes. You can't force two departments to play well together, but if the business reasons are outlined and incentives are there to help make things happen, you'll begin to see positive changes.
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Mr. Beaver is creator of the Security On Wheels audiobook series and has authored/co-authored six information security-related books including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at [email protected].
Kevin Beaver
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Principle Logic, LLC. With over 21 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored eight books on information security including “Hacking For Dummies.” In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Contact him at www.principlelogic.com and follow him on Twitter at @kevinbeaver.