Traditional Physical Security and the Convergence with Digital
It wasn’t that long ago that information security protected networks, and physical security protected people, bricks and mortar. The convergence of the two, once a projected trend, is now an inevitability: a natural by-product of a rapidly evolving environment in which the functions of protecting people, process and technology have become both more complex and more interconnected.
The concept of ‘security’ has expanded well beyond its traditional remit, and its definition has broadened to include physical security, information security, risk management, compliance and privacy protection, disaster recovery and business continuity.
Further driving the convergence of logical and traditional physical security is the convergence of threats themselves: the potential for a cyber-based physical attack, or a blended one in which the effect of a physical attack is multiplied by concurrent digital attacks.
This multiplicity and interdependence of potential threat has necessitated synergy across management structures and solutions, so that previously disjointed security functions can act in concerted and results-oriented cooperation.
As physical and logical security systems had, until recently, little in common, integrating them has been viewed as a costly and complex proposition. Now a growing number of companies operate in both spaces, as well as in other risk-related areas, and manufacturers are merging what were distinct product lines into more tightly integrated offerings and promoting interfaces for integration with IT-based solutions.
Smaller innovators, too, are entering the market with cross-functional services and products incorporating emerging technologies that are changing security in the contemporary workplace.
Security services such as video surveillance, fraud detection and access control are increasingly database-driven and network-delivered, and as such IT is ever more tightly entwined with physical security.
A new generation of gateway technologies is also remedying common convergence problems with new products that bridge the divide between physical and logical systems to provide bi-directional exchange of identity information and real-time events.
The Internet of Things (IoT) further promises to transform security in a new networked world. By 2020, analysts expect tens of billions of devices to be connected to the Internet, initially with consumer-oriented products but inevitably moving into commercial and institutional environments. This plethora of IP-enabled devices will include those in heating and lighting systems, intelligent meters, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, plant control systems and personal devices.
Additionally, trends such as BYOD (bring-your-own-device) mobility and cloud computing have blurred the boundaries between corporate networks and the outside world, requiring new skills and strategies to protect company systems and data.
Against this fast-changing environment, organisations need to become strategic purchasers of security technology and, when evaluating solutions, consider whether the systems they buy today will be able to connect to tomorrow’s networks. Can the technology be added to enhance and leverage existing infrastructure or will it, indeed, require the replacement of it?
Security products and technologies need to be able to provide intelligence in making robust, data-based decisions across an organisation, including where to invest, how to increase profitability, and how to optimise resources.
It is not just technology or equipment interoperability that organisations need to address; they must also recognise that physical security and logical IT security often represent different views and ideas within an organisation.
Resistance to convergence can run deep among traditional physical security managers, wary of IT departments assuming control. IT security experts are in turn expressing concerns as to video surveillance streams riding on the same IP network as other parts of an organization. They argue that physical security controls for building access and video surveillance shouldn’t be associated with networks for desktops that can be subject to malware or other types of attacks.
Combining these parallel but different universes requires both cultural and technological changes and is redefining the role of the Chief Security Officer.
The new CSO must take command of not just the physical aspect of an organization’s security needs but the digital aspect as well, and help forge strong and secure connections between the two, while addressing the increasingly complex area of compliance.
CSOs are overseeing a combined security framework that creates positions to consolidate functions such as reporting, incident response, blended risk assessments, security policy and standards development, bringing team members into a more cohesive organization with one strategic mission and consistent goals. This framework encourages collaboration and removes the barriers between people who previously might have had prime allegiance to their individual security function to the detriment of others. It further allows the identification of opportunities where security can produce business benefits and increase system and resource efficiency.
For smaller or medium-sized companies that have no organizational initiative that might be termed “convergence”, a holistic approach might simply take the form of all security personnel recognizing the efficiencies of working together by forming Interdisciplinary Security Councils or a regular forum to provide an audience for updates on physical and logical security, business continuity and disaster recovery exercises.
Microsoft has championed the partnership between information technology and physical security with a holistic risk management strategy that aligns security programs with its organisational goals. Leading that charge is its Chief Security Officer, Mike Howard, who will be a leading contributor to the Australian Security Industry Association Limited Conference in Melbourne on June 4-6. He will chart Microsoft’s journey from using standalone physical security platforms across systems such as CCTV, access control and intrusion detection, to cloud-based, integrated, digital management of physical security systems across its global organisation.
Expanding the view and scope of security is a necessary part of integrating security risk management into an organisation. A converged approach to risk would not look at each risk in isolation, but would have each team work closely together in parallel and use their collective experience to quickly identify potential overlapping risks, gaps or cracks that leave an organisation vulnerable to blended or converged security risks.
This convergence creates a portfolio of knowledge and skills in physical and information security and risk management, leading to more efficient problem solving and the opportunity to cross-train employees. While security personnel and emergency responders work to lower response times and increase overall situational awareness, they must be capable and knowledgeable in how technology augments those real-time events.
Of course, one of the important pay-offs of a converged security strategy is cost savings. An often-cited example is the integration of personnel identity management systems. Where multiple systems don’t communicate with each other, personnel data can end up replicated across systems such as those for Human Resources, IT, and electronic access control. When these disparate systems are fully integrated, it not only significantly saves time and costs in data entry, but also provides added security by quickly and simultaneously terminating all building and network access privileges when an employee leaves.
Consolidated logging of entry and access records also creates a more accurate occupancy roster, showing exactly where employees are in the event of an emergency, and can map an employee’s network and access history, providing a complete timeline and comprehensive audit trail for a forensic investigation.
A converged security strategy should reduce costs and increase the ability to protect lives and property, while demonstrating measurable value to business results. The task of implementing it might seem like a technical one, but the challenge to organisations is an altogether more human one: that of getting everyone within them to recognize security as a single concept, one that spans technology, process, people and culture.