Gates, Geeks, and Guards (Security Convergence)
Introduction A comprehensive security strategy must encompass both logical and physical security. Call it convergence, consolidation, cooperation, or anything else for that matter, but the bottom line is that achieving a consistent view of enterprise security risk requires the integration of both logical and physical security. A simple example is account control; there is one and only one user for each account. If Roger is in the oﬃ ce, he shouldn’t be logging in on a remote access system and vice versa. No one can be in two places at the same time: Either Roger gave his credentials to someone else to use or the account has been compromised. Enforcing this level of account control is impossible without integrating facility access and computer access information. Security convergence has been a common topic of discussion in the physical and information security communities for the past several years, but the conversation is quickly moving into the executive suite where C series oﬃ cers looking for ways to reduce overhead costs ﬁ nd security convergence an attractive opportunity. And why not? Th e organizations have overlapping goals and common budget requirements, and they have been converging at the technology level for some time. Technology advancements on both sides of the fence have fostered dependences between the two functions. Th e introduction of physical devices such as smartcard identity badges and access tokens brought physical security into the information security realm, and the introduction of digital CCTV (Closed Circuit TV), PC network-based controllers, and other IP-based devices brought logical security into the physical security realm. For the IT security group, the primary driver was risk reduction: a way to overcome the inherent
weaknesses of passwords. For the corporate security group, the drivers were cost reduction and loss prevention; replacing expensive proprietary systems and outsourced monitoring with low-cost PC-based systems was a huge cost savings, especially on the maintenance side. For example, getting a high-capacity VCR repaired costs in the neighborhood of $2,000; replacing a disk on a DVR with 10 times the recording capacity costs only around $200. Improved capabilities and lower costs allowed the corporate security team to expand its loss prevention eﬀ orts with increased video surveillance. Networked technologies helped centralized monitoring to further reduce costs by eliminating the need for security oﬃ cers in branch oﬃ ces and other remote locations. Th e use of these technologies also required the involvement of IT. Devices needed to be attached to the IT network, software ran on business systems (PCs), and maintaining the system required an SQL DBA (whatever that is!). Technology skills are not the strength of corporate security and safety professionals. Conversely, identity vetting, access control, incident response, and investigations are not information security personnel’s strong suit. Both parties beneﬁ ted from the increased cooperation, but it wasn’t convergence; both groups continued to operate separately.