Physcial Security, Security Assessments, Security Management

Security Convergence – Ready or not, it is here!

The security industry has been talking about the convergence of physical and information security functions for years.  Many act as if it’s a big deal or that it’s a difficult endeavor to accomplish.  I say, ready or not, it’s already here.  Security functions and technology has merged right under our eyes.  Let me explain.

First, let’s define “Security Convergence”.  According to ASIS, it’s, “The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.”  The key words are risks, interdependencies, and solutions.  It’s critical to review the risks to the business and determine the best methods for mitigation.  Notice that this definition contains no reference to information security or physical security.

Traditional practices have caused many large organizations to create security silos to solve individual problems rather than looking at the best solution to reduce risk.  They separate physical from logical (or information) security without realizing that these groups serve the same purpose: mitigating risks.  More progressive organizations have their security converged and are thus better able to handle common risks.  These organizations are addressing the reality of risk management, which looks at methods to address risks regardless of the form.

Many new or small organizations lack a separate physical security force that is seen in established firms. They will often outsource physical security functions as part of their lease.  They believe it covers all types of risks and ignore others that they cannot address due to time or money constraints.  These businesses would be better served with a converged security function under a single employee who’s responsibility is to address all types of security risks: both physical and logical.  With this, the company is better positioned to manage their security risks in a consolidated function.

One last point on the physical/logical security convergence is that most of the equipment used by physical security, such as cameras and monitoring, badge systems, etc. is already on the network.  The camera system in your facility is most likely on your corporate IP network.  There’s also a strong possibility that’s also true with your badge system.  They are network servers, but are usually managed outside of IT.  This is another case where a converged security function can better maintain critical company services.

Security isn’t something you bolt on and hope it works.  It needs to be incorporated into the fiber of the organization.  A converged security function allows this to occur in the most cost-effective way.

What do you think?  Feel free to comment below.

Physcial Security, Security Management

Incident Response – Know what to do when “it” hits

There are four primary responsibilities of security: Prevent, Deter, Detect, and Respond.  We often focus much of our efforts on prevention and detection and neglect deterrence and response.  In today’s post, I want to focus on the latter: how security professionals should respond to incidents and what they need to have in their “toolkit” to be ready when “it” hits the fan.

Be prepared” is the boy scout motto.  It should also be a motto for security.  We never really know when something bad will occur. It’s usually at the worst possible time (see Murphy’s Law and its corollaries). It’s crucial that security professionals are ready for it and know what to do when “it” hits.   The websites linked below provide great resources to help you be prepared for anything that comes your way.  It includes procedures, templates, and forms that you can use in your security program so you are ready.

Security should have plans and checklists ready to use when there’s an incident. This is for both physical and IT incidents. That way they don’t miss any critical element. I’ve also seen that checklists help in these situations to reduce the impact of any emotions that occur in high stress situations.

My second law of incident response is “Don’t Panic, ” which is also the first line in the Hitchhiker’s Guide to the Galaxy. It works for security as well.  It’s important to respond to problems rather than react.  Response is positive while reaction is negative and is often associated with panic.  We react without thinking leading to mistakes. If you are prepared, then your poised to respond in a positive manner.  Think even for a second before you act.  Use your resources and respond.

Albert Einstein sums it up best, ” You can never solve a problem on the level on which it was created.”

Please feel free to comment on your ideas and suggestions to improve incident response.