In many respects, the physical and information security groups that coexist within companies are as different from each other as J. Edgar Hoover and Bill Gates.
Physical security staffs predominantly consist of former law enforcement officials who report to legal, compliance or risk management departments, whereas information or logical security departments typically have employees with technical backgrounds who are part of the IT organization. Physical security divisions tend to focus on the three G's -- guards, guns and gates -- while logical security groups usually concentrate on safeguarding information systems.
There are a few companies where the two entities are structurally connected, but most are not. Still, a growing number of executives have recognized the value of having these groups collaborate to share tactics such as loss-prevention techniques for retailers or the use of card systems to restrict personnel access within a facility.
According to a survey of 8,200 IT and security executives in 63 countries conducted in March and April of 2005 by PricewaterhouseCoopers and CIO magazine, 53 percent of organizations have some level of integration between their physical and IT security divisions. That's up from just 29 percent in 2003.
"People are recognizing that the two groups can't stay in their own towers," says Anne Rogers, vice president of marketing at the Information Systems Security Association (ISSA), a not-for-profit international organization of information security professionals and practitioners.
Collaboration can be as simple as having an information security group send an e-mail warning staffers about a fast-moving Internet virus while the physical security group posts signs around the building as a secondary reminder, suggests Angel Cruz, chief information security officer at U.S.-based Freescale Semiconductor.
Different Worlds
Although the benefits of security convergence are obvious, there are huge cultural challenges to collaboration that physical and information security organizations must overcome. For starters, IT workers typically embrace new systems and like to play with them to see how they might be applied to their work, whereas physical security personnel are usually more skeptical and standoffish about emerging technologies, says Steve Hunt, president of 4A International, a security consulting firm. Those differences can lead to a disparity in terms of how the two groups evaluate and adopt security technologies, he adds.
Compensation is another bugaboo. Hunt says a physical security chief for a Fortune 500 company with 20 years of experience typically earns about US$60,000 a year, while an IT security manager who has been with the same firm for just two years generally commands twice as much. "It can be a real train wreck, and you can't normalize the salaries," Hunt adds.
Ownership battles can lead to increased isolation rather than collaboration. "In a lot of places where you have a strong physical security component and an information security program, the worst that happens is they shut each other out and say, 'This is our problem; we'll take care of it,'" says Jon Miller, president and founder of InfraGard Long Island Members Alliance. InfraGard is a chapter of the cybercrime security initiative set up by the FBI in 2001 to improve cooperation between federal law enforcement officials and the private sector.
Gaps in training are another problem. These can include things as simple as a patrolling security guard not understanding the importance of turning off workstations that have been left on, says Dave Cullinane, president of the ISSA and chief information security officer at Washington Mutual.