Is convergence between physical and information security something that should be welcomed?

Opinion by Dan Raywood

In the last couple of weeks I have looked at physical security, a fairly fringe area but one that is relevant to the end of security that SC covers.



This week I visited the IFSEC show at the Birmingham NEC to get an idea of ‘how the other half live', and amongst several halls stuffed with surveillance equipment, fire detection materials and enough CCTV screens and cameras to make me feel like I was in a giant high street full of branches of Dixons, there was enough mention of information security to keep me interested and make my journey worthwhile.


One presentation that was especially interesting was given by Cisco and Loughborough University, where assistant IT director Dave Temple talked on the recent installation of a new security system at the university, and what considerations had to be made to ensure that the system both met the security needs and worked with the IP network.


Temple mainly focussed on the needs of the ‘PFT' building plans: how important it was to ensure that all security plans are written in at the first draft, how the university wanted the right to pick and choose solutions that worked for it, how it wanted something where the network was key from day one and where Temple was free to buy products, and how he wanted to run on commodity services to buy into a software solution.


Concluding his address, Temple claimed that the project was achieved by the combination of physical and IT security working together. Temple said: “You need IT, estates and security to make this work, when me and the security manager came together it was met with approval, and the comment was ‘it is nice to see you working together'.”


So the question is, how rare is it for this to happen? Is there a wall between physical and information security or do they work together happily? Using the word ‘convergence' can stimulate quite a passionate response from most people in this industry, and there does not seem to be a lot of black and white in terms of whether it would be welcomed or not.


I attended a seminar about convergence at the recent Infosecurity Europe exhibition, hosted by the Information Security Awareness Forum (ISAF) and ISACA. David King, joint deputy chair of the ISSA UK advisory board and chair of the ISAF, claimed that there is a question about it, and that it is ‘a new term bringing together teams of different people.'


King said: “If we look at the people they are an asset and a threat, so we need to look at a way to manage the internal and external threat. How do we respond to a converged threat? Through strategy and offering complementary process – it is about people, process and technology coming together.”


At the same seminar Martin Smith, chair of the security awareness special interest group, claimed that there is no crossover between all of the security sections, human resources and other departments. He also claimed that companies needed to find a solution and that it is not good enough to impose the problem on someone else.


Smith said: “The business requires the cheapest solution that integrates industries that have grown up. Apart from knowledge they have nothing in common with each other. The patient is dying of the common cold and we're focussing on brain surgery. We're not focussing on the customer, and if we don't focus on each other we can't help them.”


So what instances are there where convergence would be beneficial? One area is the data centre, where information security is paramount to the companies using their servers, and there is a need for premium physical security to protect the hardware and their valuable contents.


I spoke to Geoff Donson, group security manager for Telecity Group, who claimed that data centres don't get involved with people's data and are not overly interested in what they do with the data as it is on servers that they simply manage.


Donson claimed that there ‘is not an enormous amount of convergence between IT and physical security, and if you step out of that, it is a different issue for businesses.'  


“Some convergence in the area would be useful, it would be nice to have everyone in one office – if you are going down the route you need good management as you have people who are interested in ones and zeroes and others who look after digital data,” said Donson.


He further said: “Ultimately the policy should be set by security and not someone inside IT and this is another good reason for convergence, you would have someone who is neutral. Security does need board support, whether we like it or not, it doesn't stop people doing things wrong.”


So to move back to an earlier point, is this a case of there needing to be a wall between physical and information security or not? Donson said: “It is both; you want IT and security to converge but work apart. What if someone was to break into the IT department, you're going to be investigated by the security people and they need information from IT.”


David King claimed that he was ‘seeing convergence become stronger, it's as if using security will disclose responsibilities', while Martin Smith agreed with Geoff Donson's claims that it is not being driven at the board level.


Overall there is no right and wrong answer here; indeed it can depend on the scenario of both departments in a company to determine whether or not convergence would be a positive thing for them. While a wall between the departments is hardly likely to be a positive thing, what would undoubtedly be more damaging is convergence that does not work.





