Late last year, Howard Schmidt, Microsoft Corp.’s director of security, quietly wrestled the software vendor’s physical and IT security functions into one burgeoning unit that’s now dubbed the information assurance program.
With so many assets to protect in so many locations, it’s something that begged to be done, he said to an audience of 150 security directors and law enforcement officers attending a cybercrime summit being held this week in Framingham Mass. by the American Society for Industrial Security (ASIS) of Alexandria, Va.
“We get over nine million voice calls a month [and] four million e-mail messages a day spread out across 200,000 PCs and 18,000 servers from Silicon Valley to London to Sierra Leone,” said Schmidt, who holds the new title of general manager of information assurance at Microsoft. “That’s a lot of information to manage, whether it’s in someone’s head, on a piece of paper or in a computer,” he added.
The daunting task of protecting all that data was illustrated by a series of hacking incidents and denial-of-service attacks that have targeted Microsoft in recent months. In one case, intruders who broke into the company’s internal computer network in the fall were able to gain access to the source code for an unspecified future product.
After Schmidt’s speech, the merging of physical and IT security efforts became the main topic of debate during breaks at the ASIS conference. On one hand, some security directors said they could see the need for such a combination because there are so many physical risks to corporate data — ranging from unauthorized persons following employees through an open door to data theft or sabotage by employees or temporary workers.
But at least a dozen attendees at the conference claimed that moves such as the one made by Microsoft are direct assaults on the sovereignty of IT managers. They also said hybrid information assurance managers may lack the technical knowledge needed to safeguard data from malicious hackers and other cybercrime perpetrators.
“The main question is, who’s going to be in charge?” said the security director at a European pharmaceutical maker who asked not to be identified. “When physical security [managers] for our company dictated [the use of] a biometric thumbprint reader recently, the IT guys didn’t want to hear it.”
Both Microsoft and PEMCO Financial Services, a US$1.5 billion insurance and banking organization owned by Seattle-based PEMCO Mutual Insurance Co., put oversight for their blended information assurance programs in the hands of technology managers. But those units were then set up as separate entities that the IT departments at the two companies have to consult with before working on new project development.
IT workers also have to answer to the information assurance teams when something goes awry, said Schmidt and Eduard Telders, the security manager at PEMCO. Telders persuaded PEMCO to merge its physical and IT security efforts under a single group after being hired by the company 13 years ago.
Occasionally, PEMCO’s technology managers “try to take over the IT security aspect of our unit,” Telders said. “It’s basically a turf war. But IT guys are the worst [security] offenders. Culturally, they don’t have the suspicious thought processes needed to bring security to the enterprise.”
The primary responsibility of technology managers “is to make the pipes hum,” Telders added. “Ours is to make sure things are implemented securely.” And conference attendees opposed to merging their physical and technical security units better get used to it, he added, saying he knows of at least a half-dozen other Fortune 500 companies taking such steps.
“Those lines between traditional physical corporate security and IT computer security are already being blurred,” agreed Bill Neimuth, director of e-business security at Kimberly-Clark Corp., a $13 billion manufacturing conglomerate in Irving, Tex. “Our goal is loss mitigation, and I don’t care if it’s run by the physical side or the IT side.”
