Mar 16 2009

Mix It Up

Adhere to the four commandments of security — deter, detect, delay and respond — with blended physical and technology security teams.

Rick Patterson, Director of Security, Sidley Austin

The battered economy is forcing many businesses to reduce operational costs and cut back on traditional “cost centers.” Every category of IT spending — including security — is under scrutiny, even with an increasing need to ensure that systems remain tight as a drum.

One way to reduce costs and more closely align technology with business goals is to consolidate security programs at the management, staff and process level, develop a risk-based approach to security and provide upper management with more meaningful metrics.

Consolidate. Physical and technological security should be managed as a single function. This management convergence allows for a singular focus on operational risk management and replaces the vertically isolated approach that most businesses take toward security.

Physical security is typically a concrete discipline that is tangible and easy to visualize — locks, guards, badges — compared with IT security, which tends to be abstract. The concept of an IP packet is somewhat theoretical, and grasping the complexities of network protocols is not a trivial undertaking. Still, setting aside these philosophical differences, physical and IT security professionals share many characteristics that would support convergence. Both focus on managing risk, protecting assets, and conducting investigations that involve evidence collection, hypothesis development and report writing.

Cross-training your security teams on physical and IT security methods is the first step. Through staff convergence, certain processes can be consolidated to reduce overlap and leverage synergies.

For example, an IT security professional may be more effective at deploying traditional physical security devices that reside on IP networks. With a better understanding of technology concerns, an IT security professional is better positioned to assess IP-based security tools and provide controls that protect the production network.

Align to Business Goals. To align IT closely to core business objectives, security should focus on risks to the business as determined by a qualitative risk assessment. Such assessments support efficient and effective allocation of resources during leaner times and should focus on a 360-degree landscape. For example, when assessing a new data center location, a converged physical and IT security team could provide a single analyst to complete the assessment, assured that all threats to the data center would be considered.

The assessment would include not only the risks associated with IT systems, but also risks inherited from third parties, such as a hosting company. The assessment should address all third-party security policies, not just for information security but also for HR, workplace violence, fraud, waste and abuse programs — all areas that have the potential to interrupt business services or otherwise affect your employees. And all are areas within the expertise of your converged security team.

Provide Meaningful Metrics. For this new approach to work, you need to showcase your success by providing metrics and reports that resonate with executives. These metrics must clearly demonstrate how security provides value to the business.

For example, after completing a risk assessment, identify and track the controls implemented in response and the security improvements they deliver. Develop a single nomenclature for physical and IT security that can apply to all incidents. Monitor the security software deployed by the organization to see whether it is effectively tackling the specific security challenges identified.

A converged security team that’s aligned with the goals of the business — one that communicates effectively with upper management — will achieve better results and ensure it’s viewed as a critical business partner.

Rick Patterson is director of security, which includes IT security, physical security, and business continuity and disaster recovery programs, at the law firm Sidley Austin in Chicago. He is a former Secret Service agent specializing in physical security assessments, electronic crime and computer forensics.