How to Blend IT and Physical Security
Oil and vinegar make flavorful salad dressings, but they require vigorous shaking to combine. Even then, the combination is only temporary. These essentially incompatible elements will separate and require further shaking.
The same can be said of converging physical security with cybersecurity. Although these seem to be firmly entrenched as separate security silos in many organizations, merging them can yield great overall benefits. The more we consolidate functions, the more efficient they become. Maintaining two security silos in an organization is costly and complicates coordination across the enterprise.
Separate Ingredients
Typically handled by a chief security officer or security director, traditional security includes physical security measures such as human guards, loss prevention, locks and keys, access control systems, fences and gates, and surveillance cameras. Then there's personnel security such as background checks for government workers, force protection, VIP protection, identity verification and security badges. And don't forget document security, including filing cabinet locks, secure transport and storage, and effective destruction of nonpublic records.
Cybersecurity oversight generally falls under a CIO, IT director, chief information security officer or network manager. These responsibilities include ensuring the confidentiality, availability, integrity and accountability of corporate networks, achieved through effective network architecture and access rights, intrusion prevention and monitoring, spam filtering, antivirus, spyware detection, auditing, staff training, acceptable-use policies and compliance monitoring. Today, where these security disciplines are separate, each sees only its small part of the enterprise risk picture. The consequence is that each security discipline worries only about its own lane. This results in an uncoordinated security effort that can leave the organization unprotected, or leave employees confused by possibly conflicting security policies. Leaders and elected officials don't want to hear "that's not my job" when there's a security breach.
One Big Job
I've always thought that all forms of risk should be managed by one senior executive — a single person who stands behind all security matters affecting the organization. This role would preempt conflict and duplication, provide the organization's leadership with a more accurate overall picture, enable better decisions and keep the organization out of the headlines.
A converged security leader directs a team across the enterprise that executes a coordinated, comprehensive security program protecting against all forms of risks. This official works with the organization's top leaders, is an integral part of the governance structure, and is the official spokesperson to senior leadership on security matters.
As chief security officer for the Massachusetts Port Authority, I have the good fortune to also serve as the information security officer, which makes me accountable for both physical and cybersecurity. Because I don't have an IT staff working under me, I collaborate with the CIO and his staff to ensure that we are protecting physical and IT systems and data appropriately. I have the security policy piece and the compliance assurance piece, while the CIO has the direct mission for cybersecurity. This is a great way to achieve convergence without tipping the apple cart, so to speak.
Too often in convergence discussions, there's the underlying concern that somebody will lose their job. That's unfortunate because it stifles effective conversation that can lead to meaningful reform. The solution we have crafted here is a great one for us from a governance, oversight, cost and practical standpoint, and we didn't need to hire additional staff to make it work. Though this may not work for everyone, it's a way to achieve some degree of convergence without making radical changes to the organizational chart.