Williams calls his strategy an "all-hazard approach" to security risk, "but you have to be careful not to converge too much," he adds. "Rather than just pushing the departments together, I'm being very careful to engage the two groups with each other only where it makes sense. We're still learning that new art."
Similarly, (ISC)2 member Chris Nickerson suggests the groups should be united under the umbrella of "asset protection."
"In very highly secure companies, those teams are under asset protection in general — whether physical, audit or IT," explains Nickerson, founder of Lares Consulting, which helps companies identify those gray areas where physical and IT security intersect. Together they're involved in every asset protection decision in the enterprise, he adds. And while some duties may require only one area of security expertise, they are all involved in new projects up front, identifying the processes and whether their expertise might be able to help, he says.
Find a Common Adversary
Nothing unites a group of people like a common enemy. To get the ball rolling, many companies hire a consulting firm to model an adversary to attack, compromise or manipulate the environment.
"What universally works is straight-up putting them through a war," says Nickerson, whose "Red Team" regularly infiltrates companies at their request and exploits gaps where information and physical security intersect. For instance, at one company, what started as an employee password accidentally exposed on his LinkedIn page turned into infiltration of the company's VPN and badge system and culminated in Nickerson illegally entering the facility with a stolen key code.
"That really gives them some religion," Nickerson says. "The biggest thing that grows out of this isn't the fixes, it's those teams working together and having a common goal: stopping me."
It's not just a game. Nickerson models the type of attacks the company is most likely to face in real life based on its possible adversaries and their capabilities. "It's fighting the most logical fight."
Arm Yourself with Knowledge
When Lavinder speaks to security groups about the future employment landscape, her advice is always the same — keep acquiring new skills that give you a broader spectrum of security knowledge.
"I don't think you have to go back and get a graduate degree. You can do a certificate program or a certification through a qualified organization such as (ISC)2 or CISSP," she says.
Beyond courses, security professionals must engage in personally driven learning, she adds. "Go out and educate yourself about these issues. Join groups, listen to presentations and Webinars, read trade publications — just be engaged in the dialog — you have to be proactive. The smart people are already trying to fill in that gap in their resumes."