Security convergence

13.02.2006
In many respects, the physical and information security groups that coexist within companies are as different from each other as J. Edgar Hoover and Bill Gates.

Physical security staffs predominantly consist of former law enforcement officials who report to legal, compliance or risk management departments, whereas information or logical security departments typically have employees with technical backgrounds who are part of the IT organization. Physical security divisions tend to focus on the three G's -- guards, guns and gates -- while logical security groups usually concentrate on safeguarding information systems.

There are a few companies where the two entities are structurally connected, but most are not. Still, a growing number of executives have recognized the value of having these groups collaborate to share tactics such as loss-prevention techniques for retailers or the use of card systems to restrict personnel access within a facility.

According to a survey of 8,200 IT and security executives in 63 countries conducted in March and April of 2005 by PricewaterhouseCoopers and CIO magazine, 53 percent of organizations have some level of integration between their physical and IT security divisions. That's up from just 29 percent in 2003.

"People are recognizing that the two groups can't stay in their own towers," says Anne Rogers, vice president of marketing at the Information Systems Security Association (ISSA), a not-for-profit international organization of information security professionals and practitioners.

Collaboration can be as simple as having an information security group send an e-mail warning staffers about a fast-moving Internet virus while the physical security group posts signs around the building as a secondary reminder, suggests Angel Cruz, chief information security officer at Freescale Semiconductor Inc. in Austin.

Different Worlds

Although the benefits of security convergence are obvious, there are huge cultural challenges to collaboration that physical and information security organizations must overcome. For starters, IT workers typically embrace new systems and like to play with them to see how they might be applied to their work, whereas physical security personnel are usually more skeptical and standoffish about emerging technologies, says Steve Hunt, president of 4A International LLC, a security consulting firm in Chicago. Those differences can lead to a disparity in terms of how the two groups evaluate and adopt security technologies, he adds.

Compensation is another bugaboo. Hunt says a physical security chief for a Fortune 500 company with 20 years of experience typically earns about US$60,000 a year, while an IT security manager who has been with the same firm for just two years generally commands twice as much. "It can be a real train wreck, and you can't normalize the salaries," Hunt adds.

Ownership battles can lead to increased isolation rather than collaboration. "In a lot of places where you have a strong physical security component and an information security program, the worst that happens is they shut each other out and say, 'This is our problem; we'll take care of it,'" says Jon Miller, president and founder of InfraGard Long Island Members Alliance Inc. InfraGard is a chapter of the cybercrime security initiative set up by the FBI in 2001 to improve cooperation between federal law enforcement officials and the private sector.

Gaps in training are another problem. These can include things as simple as a patrolling security guard not understanding the importance of turning off workstations that have been left on, says Dave Cullinane, president of the ISSA and chief information security officer at Washington Mutual Inc. in Milwaukee.

Despite the difficulties, security convergence has progressed among leading-edge companies where physical and logical security groups have collaborated frequently, says Vish Ganpati, senior associate of enterprise resilience at Booz Allen & Hamilton Inc. in New York. "Some companies don't realize that convergence is needed. Others see the need to do something about it," he says.

Ganpati points to a pharmaceutical company where the IT department had started installing a virtual private network security system and the physical security division was implementing a card identification system. After recognizing that there was a lot of overlap, the two groups collaborated and knocked 15 percent off their combined costs. They also impressed the CEO, he says.

The two teams also work closely together at Bank of America Corp., where collaboration is so ingrained in the corporate culture that cooperation between departments doesn't need to be structurally imposed, says Doug Smith, corporate information security and business continuity executive at the Charlotte, N.C.-based bank.

"When I came to the bank [in 2002], I asked for an organizational chart and people laughed at me. There isn't one," says Neil Gallagher, Bank of America's homeland security executive.

Smith says the bank's reliance upon Six Sigma processes helps its managers and staffers to recognize "opportunities when we can do something better" -- even when there aren't formal convergence points between its physical and information security groups.

A prime example of this kind of teamwork is the collaboration between the bank's information security division and its internal and external auditors to root out Nigerian investment scams, says Gallagher. In most fraud investigations, the bank's corporate security department conducts the financial investigation, along with related interviews and research. But when the scams are based on e-mail solicitations, the information security group supports the investigative efforts.

While the details change with the specifics of each case, the information security group may, for example, conduct research on network activity to support the fraud investigation. "The key here is that these efforts are not separate but closely coordinated," Gallagher says. And this collaboration resulted from conversations between managers for each group, not a corporate mandate, he adds.

The diversity of both groups' staffs also facilitates teamwork. Bank of America's physical security division has a lot of staffers with technical backgrounds, and the information security department has several people with Secret Service experience and other government security backgrounds, says Smith.

"Effective investigations demand drawing all of the talent you have available to you," says Gallagher.

Waste Management Inc. began converging its physical and logical security groups three years ago to monitor its fire alarm, burglar alarm, facility access and digital video recording systems. Now, instead of paying security firms to monitor fire and burglar alarms, Waste Management does it in-house. It also netted $500,000 in first-year cost savings and cost avoidance, says Rogers, who in addition to her role at the ISSA is director of information safeguards at the Houston-based trash hauler.

Internal monitoring of digital video systems also contributes to other cost savings and business efficiency. Verifying alarm situations with video, for example, can help Waste Management avoid having to pay fire and police penalty charges for false alarms.

The convergence efforts helped the two groups link in-house video with an automated scale transaction system that functions like a point-of-sale (POS) system for the trash-hauling business, says Rogers. Dump trucks are weighed at landfills and transfer stations and are charged based on the weight of their loads. These transactions feed into Waste Management's revenue and billing systems. The in-house video system records images of the trucks so that the firm can track license plate numbers, identify the type of vehicle and view each truck's contents.

"When we integrate the transaction data with the digital images of the truck, we have both the visual image and the transaction information stored together," says Rogers. That helps reduce data storage costs, and network access to the digital video systems also reduces the time and cost required for camera audits of its scale transactions.

In the retail industry, security convergence is most prominent in the area of loss prevention, where some merchants are using electronic article surveillance tags (which trigger an alarm if not deactivated by the cashier), and may eventually progress to RFID tags, says Steve Stone, CIO at Lowe's Companies Inc. in Mooresville, N.C.

Stone gives this example of how information and physical security can complement each other: The IT group at Lowe's produces a set of reports that evaluate point-of-sale trends. If managers identify a pattern of suspected malfeasance at any of the registers, they can use in-store cameras to see if there's anything that corroborates the POS data, which is time-stamped.

At some companies, however, collaboration is still pretty basic. Last year, C. Warren Axelrod, director of global information security at Pershing LLC, which provides services to investment banks, oversaw a project for sending the company's storage tapes off-site. He enlisted the aid of Jersey City, N.J.-based Pershing's physical security and facilities departments to physically secure the tapes en route. "There are times when it makes sense to combine both areas," he says.

But Axelrod, like many of his peers, acknowledges that security convergence is still an evolving area. "There's a lot of cross-support and information-sharing that takes place," says Axelrod. "But most of the time, we're working on completely different things."

SIDEBAR

Security Convergence: The Compliance Component

By some accounts, regulatory requirements such as the Sarbanes-Oxley Act have led physical and information security departments to work more closely with each other.

For instance, under Section 404 of Sarbanes-Oxley, executives at publicly held companies are required to attest to both the physical and logical controls they have in place for data centers where sensitive financial information is processed and stored, says Chris Pick, vice president of corporate strategy at Houston-based NetIQ Corp., a provider of integrated systems and security management tools.

Another regulation that may be helping to drive convergence is the Gramm-Leach-Bliley Act, which requires that financial services firms notify customers if there are any breaches in the security of customer information. The law has led physical and logical security groups at banks, brokerages and insurance companies to work more closely together to address threats to privacy, such as the theft of a laptop containing customer information or a hacker gaining access to sensitive customer data, says Dave Cullinane, president of the Information Systems Security Association.

But while some security managers see a connection between regulatory compliance and convergence, others downplay it. "I haven't seen regulations drive changes in behavior" between the two constituencies, says Mark Lobel, a partner in PricewaterhouseCoopers' process improvement practice in New York.

Most likely, regulatory requirements have reinforced security convergence one company at a time. For example, at Waste Management, the regulations have raised the risk level and "have highlighted security in everyone's view," says Anne Rogers, director of information safeguards at the company.

At the very least, regulatory requirements such as Sarbanes-Oxley are prompting security professionals in each camp "to open up a dialogue about what's needed, with each other and with their legal and audit divisions," says Vish Ganpati, senior associate of enterprise resilience at Booz Allen & Hamilton.

SIDEBAR

Security Convergence: The Human Factor

Three of the most prominent user groups for security professionals have recently begun working together to address convergence.

In February 2005, the Information Systems Audit and Control Association (ISACA) in Rolling Meadows, Ill., and the Information Systems Security Association formed an alliance with Alexandria, Va.-based ASIS International, an association of physical security specialists. The alliance will address risk management and emerging regulations through a more thorough, collaborative, enterprisewide approach to security.

As part of this collective effort, each of the three groups has opened up its user conference to the others' members, says Marios Damianides, past president of the ISACA and a partner at Ernst & Young LLP in New York. In addition, the three groups have agreed to add a convergence track to each of their conferences, he says.

"It's almost like the [physical and information] security organizations aren't talking to each other, and they need to be," says Damianides.

Last November, the alliance members commissioned a study by Booz Allen & Hamilton of factors that are driving convergence, and executives plan to gather early this year to discuss a three-year action plan for the alliance.