The convergence of physical and IT security calls for infosec practitioners to adopt ‘a design principle’, says Eduard Emde, president of professional body ASIS International.
The convergence of physical and IT security means that we need to adopt a more holistic approach to dealing with security, as opposed to the traditional functional and departmental line of attack. This convergence is a reaction to the convergence of risks resulting from inter-dependencies between corporate functions, developments in technology, physical and IT environments and new threats. Therefore organisations must take an integrated approach to dealing with the challenges, risks and solutions.
We are confronted with a very complex environment. The methods of attack go far beyond organisational boundaries such as IT or physical security. The aim of convergence is to enable businesses to better detect the multiple types of threats and prevent and respond to the attacks we face today including terrorism, cyber security, fraud, environmental disasters, leakage of information – and physical attacks. Therefore physical and IT security must work together to devise a solution that seamlessly secures both environments.
Professionals must take an outward-looking approach to securing enterprises. Aiming for solutions and mechanisms that can catch every potential security incident is perhaps a naïve goal, and absolute security is an impossibility. Organisations must identify their crown jewels from a security standpoint and focus on the areas that really matter for business continuity. This focus allows businesses to be flexible and nimble where security is concerned.
Security requires a cross-functional approach – every member of the enterprise needs to think beyond the limits of their business area and unit. Security knowledge must be shared, as security is no longer the sole remit of security professionals. This will give greater visibility of risks and enable businesses to harmonise processes and streamline the actions taken to mitigate them.
First, security must become a design principle across physical and IT environments, integrated deeply into organisations' systems and processes. Second, it must be part of businesses' day-to-day operations and not be treated as a standalone function. Finally, security must be a shared responsibility. Organisations must execute coherent strategies encompassing all internal and external stakeholders, but individuals, too, must be alert to risks and behave responsibly.
Meanwhile, skills must extend across business areas. Cross-training between business planning and IT, or widening understanding of how risk management is undertaken in other industries, are examples of how security professionals can gain an informed approach.
Most security programmes are aimed at Master's level, but Bournemouth University's forensic computing and security course is for undergraduates. Lecturer Dr Michael Jones explains: “We found that undergraduate students did not view the security field as a career option. Our assessment showed that the field's growing significance would soon alter student perception, which led us to develop this course.”
The emphasis is on applied computing, software engineering and information assurance. “We go beyond the concept of security, focusing on the importance of software quality, information analysis and how to deal with related issues. It's not just about knowing how to prevent security breaches, but having the ability to make the right business decisions,” says Jones.
The course is designed to give students the independence to explore their own approach to security. Jones adds: “We have created a special piece of software that creates unique cases for each student to investigate.”
Contributors to the course include companies, the police, the Ministry of Defence and the Royal School of Signals.