Tactical Advice

Mix It Up

Adhere to the four commandments of security — deter, detect, delay and respond — with blended physical and technology security teams.
This story appears in the March 2009 issue of BizTech Magazine.

Rick Patterson, Director of Security, Sidley Austin

The battered economy is forcing many businesses to reduce operational costs and cut back on traditional “cost centers.” Every category of IT spending — including security — is under scrutiny, even with an increasing need to ensure that systems remain tight as a drum.

One way to reduce costs and more closely align technology with business goals is to consolidate security programs at the management, staff and process level, develop a risk-based approach to security and provide upper management with more meaningful metrics.

Consolidate. Physical and technological security should be managed as a single function. This management convergence allows for a singular focus on operational risk management and replaces the vertically isolated approach that most businesses take toward security.

Physical security is typically a concrete discipline that is tangible and easy to visualize — locks, guards, badges — compared with IT security, which tends to be abstract. The concept of an IP packet is somewhat theoretical, and grasping the complexities of network protocols is not a trivial undertaking. Still, absent philosophical differences, physical and technological security professionals share many characteristics that would support convergence. Both focus on managing risk, protecting assets, and conducting investigations that involve evidence collection, hypothesis development and report writing.

Cross-training your security teams on physical and IT security methods is the first step. Through staff convergence, certain processes can be consolidated to reduce overlap and leverage synergies.

For example, an IT security professional may be more effective at deploying traditional physical security devices that reside on IP networks. With a better understanding of technology concerns, an IT security professional is better positioned to assess IP-based security tools and provide controls that protect the production network.

Align to Business Goals. To align IT closely to core business objectives, security should focus on risks to the business as determined by a qualitative risk assessment. Such assessments support efficient and effective allocation of resources during leaner times and should focus on a 360-degree landscape. For example, when assessing a new data center location, a converged physical and IT security team could provide a single analyst to complete the assessment, assured that all threats to the data center would be considered.

The assessment would include not only the risks associated with IT systems, but also risks inherited from third parties, such as a hosting company. The assessment should address all third-party security policies, not just for information security but also for HR, workplace violence, fraud, waste and abuse programs — all areas that have the potential to interrupt business services or otherwise affect your employees. And all are areas within the expertise of your converged security team.

Provide Meaningful Metrics. For this new approach to work, you need to showcase your success by providing metrics and reports that resonate with executives. These metrics must clearly demonstrate how security provides value to the business.

For example, after completing a risk assessment, identify and track the controls implemented to improve security. Develop a single nomenclature for physical and IT security that can apply to all incidents. Monitor the security software deployed by the organization to see whether it's effectively tackling the specific security challenges.

A converged security team that’s aligned with the goals of the business — one that communicates effectively with upper management — will achieve better results and ensure it’s viewed as a critical business partner.

Rick Patterson is director of security, which includes IT security, physical security, and business continuity and disaster recovery programs, at the law firm Sidley Austin in Chicago. He is a former Secret Service agent specializing in physical security assessments, electronic crime and computer forensics.