The battered economy is forcing many businesses to reduce operational costs and cut back on traditional “cost centers.” Every category of IT spending — including security — is under scrutiny, even with an increasing need to ensure that systems remain tight as a drum.
One way to reduce costs and more closely align technology with business goals is to consolidate security programs at the management, staff and process level, develop a risk-based approach to security and provide upper management with more meaningful metrics.
Consolidate. Physical and technological security should be managed as a single function. This management convergence allows for a singular focus on operational risk management and replaces the vertically isolated approach that most businesses take toward security.
Physical security is typically a concrete discipline that is tangible and easy to visualize — locks, guards, badges — compared with IT security, which tends to be abstract. The concept of an IP packet is somewhat theoretical, and grasping the complexities of network protocols is not a trivial undertaking. Still, absent philosophical differences, physical and technological security professionals share many characteristics that would support convergence. Both focus on managing risk, protecting assets, and conducting investigations that involve evidence collection, hypothesis development and report writing.
Cross-training your security teams on physical and IT security methods is the first step. Through staff convergence, certain processes can be consolidated to reduce overlap and leverage synergies.
For example, an IT security professional may be more effective at deploying traditional physical security devices that reside on IP networks. With a better understanding of technology concerns, an IT security professional is better positioned to assess IP-based security tools and provide controls that protect the production network.
Align to Business Goals. To align IT closely to core business objectives, security should focus on risks to the business as determined by a qualitative risk assessment. Such assessments support efficient and effective allocation of resources during leaner times and should focus on a 360-degree landscape. For example, when assessing a new data center location, a converged physical and IT security team could provide a single analyst to complete the assessment, assured that all threats to the data center would be considered.
The assessment would include not only the risks associated with IT systems, but also risks inherited from third parties, such as a hosting company. The assessment should address all third-party security policies, not just for information security but also for HR, workplace violence, fraud, waste and abuse programs — all areas that have the potential to interrupt business services or otherwise affect your employees. And all are areas within the expertise of your converged security team.
Provide Meaningful Metrics. For this new approach to work, you need to showcase your success by providing metrics and reports that resonate with executives. These metrics must clearly demonstrate how security provides value to the business.
For example, after completing a risk assessment, identify and track implemented controls that address improved security. Develop a single nomenclature for physical and IT security that can apply to all incidents. Monitor the security software deployed by the organization to see if it’s effectively tackling the specific security challenges.
A converged security team that’s aligned with the goals of the business — one that communicates effectively with upper management — will achieve better results and ensure it’s viewed as a critical business partner.