Enterprises where the chief information security officer, or the equivalent, and the traditional physical security officer have merged operations -- or even those where they simply engage in regular dialogue -- have earned the label "forward-thinking."
Five years from now, that convergence may be the rule rather than the exception, according to current CISOs and industry observers.
Ideally, the two should have been talking all along, experts say. Securing data center assets like servers and routers with intrusion detection and antivirus protection does little good if the doors to the rooms are left unlocked.
"It's a little like buying a Doberman to protect your home and leaving the doors and windows open," said Allan Carey, program manager for information security services at International Data Corp., Framingham, Mass.
Physical and IT security have merged on some levels already -- in the areas of access control and authentication, for example. Many enterprises use the same smart card or common access card to enter the building they work in as well as access their desktops, networks or secure rooms within the building, like the data center.
"It depends on the company and the corporate culture," said Kenia Rincon, information security manager for the Reader's Digest Association Inc., Pleasantville, N.Y. "At our company, physical security is handled by the facilities people. Our objectives and disciplines are different. His line of
Rincon points out that she does have a working relationship with the traditional security officer, and the two have collaborated on securing laptops, personal digital assistants and handheld computers. The data stored on the lost device is valuable and has to be recovered and, in instances of theft, the loss must be reported to authorities.
"I talk to them more than ever now about access keys and badges and laptops," Rincon said. "Those are the areas where we cross. It's not likely that someone is going to get into my data center and steal a tape library. It's just not likely. Someone is likely to leave their PDA on the train, however."
This kind of dialogue is happening more and more, as is the integration of physical and IT security, especially in the government and financial services organizations. Both are more likely to be on the leading edge of new technologies.
"It's not happening in too many places, except those organizations that are forward thinking and are trying to execute a complete security strategy," said IDC's Carey. "It's a slow trend. Security programs are only as strong as their weakest link. Weak physical safeguards leave enterprises open to social engineering techniques."
Some enterprises are training employees to be vigilant about physical security, in particular, making sure access to restricted areas like a data center remains controlled and knowing who belongs where. In short, there's only so much that a security camera and a Halon system can defend against.
"Enterprises are concerned about raising the level of awareness and educating employees about security and proper policies and procedures," Carey said. "People have to know what the proper procedure is and how to behave."
Ironically, technology may forge the eventual merger of physical and IT security.
"The interesting twist is that it's the technology tail wagging the dog," said David W. Stacy, global IT security manager for St. Jude Medical Inc., St. Paul, Minn. "The technology is converging to the point where integrating the two is feasible. That's what's doing it, not a philosophical notion where the two are related."
The security of data centers, meanwhile, will remain the domain of the chief information security officer for the time being, experts said. The level of integration between traditional and IT security will expand, and the dialogue between CISOs and traditional security officers will as well.
"It's going to be some time," Stacy said, "before you can call it a trend."
FOR MORE INFORMATION:
FEEDBACK: What is the biggest threat to your data center?
Send your feedback to the SearchSecurity.com news team.