Tactical Advice

Mix It Up

Adhere to the four commandments of security — deter, detect, delay and respond — with blended physical and technology security teams.
This story appears in the March 2009 issue of BizTech Magazine.

Rick Patterson, Director of Security, Sidley Austin

The battered economy is forcing many businesses to reduce operational costs and cut back on traditional “cost centers.” Every category of IT spending — including security — is under scrutiny, even with an increasing need to ensure that systems remain tight as a drum.

One way to reduce costs and more closely align technology with business goals is to consolidate security programs at the management, staff and process level, develop a risk-based approach to security and provide upper management with more meaningful metrics.

Consolidate. Physical and technological security should be managed as a single function. This management convergence allows for a singular focus on operational risk management and replaces the vertically isolated approach that most businesses take toward security.

Physical security is typically a concrete discipline that is tangible and easy to visualize — locks, guards, badges — compared with IT security, which tends to be abstract. The concept of an IP packet is somewhat theoretical, and grasping the complexities of network protocols is not a trivial undertaking. Still, absent philosophical differences, physical and technological security professionals share many characteristics that would support convergence. Both focus on managing risk, protecting assets, and conducting investigations that involve evidence collection, hypothesis development and report writing.

Cross-training your security teams on physical and IT security methods is the first step. Through staff convergence, certain processes can be consolidated to reduce overlap and leverage synergies.

For example, an IT security professional may be more effective at deploying traditional physical security devices that reside on IP networks. With a better understanding of technology concerns, an IT security professional is better positioned to assess IP-based security tools and provide controls that protect the production network.

Align to Business Goals. To align IT closely to core business objectives, security should focus on risks to the business as determined by a qualitative risk assessment. Such assessments support efficient and effective allocation of resources during leaner times and should focus on a 360-degree landscape. For example, when assessing a new data center location, a converged physical and IT security team could provide a single analyst to complete the assessment, assured that all threats to the data center would be considered.

The assessment would include not only the risks associated with IT systems, but also risks inherited from third parties, such as a hosting company. The assessment should address all third-party security policies, not just for information security but also for HR, workplace violence, fraud, waste and abuse programs — all areas that have the potential to interrupt business services or otherwise affect your employees. And all are areas within the expertise of your converged security team.

Provide Meaningful Metrics. For this new approach to work, you need to showcase your success by providing metrics and reports that resonate with executives. These metrics must clearly demonstrate how security provides value to the business.

For example, after completing a risk assessment, identify and track the controls implemented to improve security. Develop a single nomenclature for physical and IT security that can apply to all incidents. Monitor the security software deployed by the organization to see if it’s effectively tackling the specific security challenges.

A converged security team that’s aligned with the goals of the business — one that communicates effectively with upper management — will achieve better results and ensure it’s viewed as a critical business partner.

Rick Patterson is director of security, which includes IT security, physical security, and business continuity and disaster recovery programs, at the law firm Sidley Austin in Chicago. He is a former Secret Service agent specializing in physical security assessments, electronic crime and computer forensics.