News Archive

ASIS On Convergence

by msecadm4921

The convergence of traditional and logical security; by James Willison.

(As reported fully elsewhere on this site: the UK arm of the security body ASIS – Chapter 208 (United Kingdom) adds: James Willison has agreed to join the main UK Chapter 208 Committee as "convergence lead".)

Since 2004 many of those involved in the leadership of ASIS have sought to encourage and promote the movement we now know as the Alliance for Enterprise and Security Risk Management. Timothy Williams articulated the vision of those early beginnings when he said, "Convergence is more than just the latest buzzword for security professionals. It’s the direction in which security is moving—and moving quickly—with us or without us." In January 2006, Jeff Spivey stated, "Our collaboration with other associations examining convergence is a very valuable strategy to ASIS and the other Alliance members. More collaboration will strengthen each association as we all strive to meet our members’ needs." In 2007, in the UK, an open forum for all members of the Alliance is being planned to further this unity. It is worth our while to look closely at this important area and see how we can all help to increase the effectiveness of the security policies entrusted to us.

In many global companies physical security and information technology (IT) security are ensured by two separate sections. There are two heads of security who occasionally meet to discuss relevant concerns and then return to an ever increasing range of security matters and deal with them as effectively as they can. Of course thankfully there are many gifted security professionals protecting companies from attack and fighting crime but would this effort be strengthened by a more united front? Military history for example has shown that when several nations have attacked an empire building nation on various fronts it eventually collapses. But one nation cannot resist large scale military invasion without some level of support from another. Many 20th century wars would fit this idea and other empires, for example the Napoleonic, have eventually been defeated when attacked on two or more fronts.

Of course we are all too aware that internet security issues can severely disrupt a business and there are now many more vulnerabilities to safeguard against. But what is becoming increasingly apparent is the rising support amongst security professionals for the convergence of physical and IT security. This is in part due to the realisation that it is becoming more and more difficult to ensure information security without an intricate relationship with the physical infrastructure. It is often the case that the IT security team is part of the IT department and the physical security team is led by the facilities or health and safety section. The philosophy of management may well be rather different even if both are seeking to keep in harmony with company policy and vision. Company culture and aims are paramount but can the purpose of security in maintaining and protecting these always be achieved when the two teams are also accountable to two different masters?

Convergence is now becoming such a widely held view that the editor of CSO magazine recently remarked,

"Indeed, considering IT or any other kind of security in isolation from the rest is a serious misunderstanding of the larger purposes of security as a broad strategic activity. In our view, convergence can’t come soon enough."

(www.csoonline.com)

The issue of the convergence or integration of physical and IT security has actually been a possibility for over twenty years. For a few it occurred at the birth of computer security in the early 1980s but for most it seems that the two have been separate and part of two quite different sections. Usually the IT department developed the tools and strategies for the IT security team and only became involved with the physical security team when their support was needed during the investigation of a corporate crime. But the development of a more holistic approach to security management has led to the call for the two areas to converge and so detect crime more effectively. The concern now is for business security management. Authorised access to company information is of particular concern to both teams and their unity in achieving this is crucial.

In recent years there has been a proliferation of articles on the World Wide Web encouraging such unification. There certainly seem to be more in favour than against. This may be due to the concern that when the two areas work in isolation the risk that vulnerabilities will be missed increases. Therefore it would be better to communicate and integrate more rather than less.

In a perceptive treatment of the subject, ‘The Case For Holistic Security’, Caroline Ramsey Hamilton writes,

"There are several reasons for this convergence between information security and physical security. One of the primary reasons is because physical security elements have become increasingly computerized and networked."

(www.riskwatch.com)

In 2002 a survey of IT professionals attending the Microsoft Exchange Conference (MEC) indicated that 21pc were merging or planning to merge network and physical security. The pie chart below shows the results. According to Aladdin Knowledge Systems a further 20pc were unsure. This is clearly favourable since they could be persuaded that integration is the best strategy for the future. The research also stressed that 90pc of those who answered in the affirmative represented companies with more than 1000 employees.

In particular the subjects of identity management and access control have been of central importance to both teams. It is crucial for a company to have an effective policy on these matters particularly now that the Data Protection Act 1998 and the Sarbanes Oxley Act 2002 exert their influence on organizational behaviour. It would be fair to claim that companies which allow their staff and contractors to have several different logins and use various ID cards are more at risk from false logins than those who adopt a single login and use smart card technology to access both physical entrances and computer systems.

It is perhaps the area of identity management and the requirements for verifiable audit trails made by the various acts mentioned above which will actually bring IT and physical security into the same arena. The case for a smartcard solution to the problems raised by identity management is a very strong one. In the light of the continual growth of internet commerce and the interconnectivity of networks the need for an authentic and secure identity in global organizations is indisputable. It also prevents unauthorised remote access by staff who have either left the company or who have ‘borrowed’ passwords from their colleagues. If this is true then the two teams in any corporation which deal with access control and whose responsibility is focused on ensuring that a person has authorization both to enter the building and logon to the network should work together on this issue.

The evidence of my research reveals that many security leaders believe global organizations would benefit from the integration of their security teams under the leadership of a chief security officer. It is also a widely held view that he or she could quickly respond to any security issue in the confidence that they are fully supported by their staff. This single point of contact is of particular importance to the board of directors.

All in all, this is just a glimpse into the whole area of converged or holistic security. One which deserves the attention it is now receiving.

About James Willison

Since joining ASIS as an associate member in April 2003 James has worked closely with security people from the traditional and digital arena with a desire to enrich the process of convergence. In July 2005 he was awarded a Master’s degree by Loughborough University for his research on, "The case for the Integration of Corporate Physical and IT security."


© 2024 Professional Security Magazine. All rights reserved.