A former vice president of security at a mid-size southwestern U.S. company vows to take a much harder look at his next employer's security culture after spending almost two years embattled with the IT manager over turf and his disregard for physical security matters.
In one case, the VP requested new security cameras after an incident with an intruder at the front desk that was difficult to investigate because the existing cameras were not working properly. Instead of fixing the cameras, the IT department, believing the cameras were their domain, set up a webcam at the front desk that the receptionist would have to activate and point toward the intruder in an emergency.
"The IT guys don't understand personal and physical security. If someone comes to the desk, in a high-stress encounter the receptionist won't be able to handle the intruder and manipulate the camera," the former VP says. "Security needs the IT pipes, but the physical and personal security domain is not his responsibility."
Meanwhile in Chicago, an IT executive attending the International Information Systems Security Certification Consortium, or (ISC)2 World Congress in September voiced concern over physical security leaders being more interested in "getting into the IT game," rather than working together with IT management.
"It's more like 'we're integrating our badge system to Active Directory, or moving it into the cloud.' Those things scare the hell out of me," he said. "Now the attack surface is going to be much bigger because they're not doing their due diligence" with the IT side.
Sound familiar? For many companies, bridging the security gap between information and physical protection remains elusive.
No doubt, all security professionals are on high alert with increases in data breaches, insider threats and concerns about advanced persistent threats, where adversaries use multiple attack vectors, including cyber, physical and deception. With these threats, gray areas of vulnerability are emerging where IT and physical security issues overlap, leaving both sides pointing fingers when security gaps are discovered.
This summer, the ASIS Foundation and the University of Phoenix convened a national roundtable to identify the top security risks the U.S. security industry will face in the next five years, as well as the necessary competencies that security professionals will need to succeed in the future threat environment. A key finding in their report, Enterprise Security Risks and Workforce Competencies, addressed skills gaps in the security industry, underscoring the need for security professionals to possess a strong business foundation in order to link security goals with overall corporate strategies and to position security as a facilitator across business functions. Among the recommendations were educational programs and a joint partnership with (ISC)2 to help blend physical and informational security into one comprehensive responsibility.