More ‘holistic’ view of IT security needed

Tying IT security with physical and other non-IT-related security functions could help companies better manage threats to their business, users said during a conference in Chicago organized by ASIS International, an organization of security professionals.

But the cultural and business-process changes involved in such integration could prove daunting for most corporations, they said.

“The benefits of integrating corporate security with IT security can be tremendous,” said Lew Wagner, chief information security officer at the MD Anderson Cancer Center at the University of Texas in Houston.

Coordinating IT security efforts with physical protection, facilities management, human resources and legal and audit functions has helped enhance overall threat detection and incident response capabilities at the hospital, Wagner said. “It streamlines corporate investigations. Whenever somebody runs afoul of the policies of the institution, you don’t have a bunch of people doing stovepipe things,” he said.

A holistic view of enterprise security can help plug gaps that might otherwise be missed, said James Litchko, president of Litchko & Associates Inc., a security consultancy in Kensington, Md.

For instance, a majority of IT-related security threats still stem from procedural and process flaws – such as failure to secure access to crucial systems, inadequate backups and lack of auditing – rather than technology glitches, Litchko said. As a result, it’s important to factor in aspects such as physical and personnel security when implementing IT security.

“People are trying to bridge the gaps between physical, personnel and IT security,” he said.

From a philosophical point of view, such an effort makes perfect sense, said Alan Snow, a security professional at Boston Properties Inc. in Boston. “Whether it is physical security or IT security, the bigger picture is to mitigate risk. Both talk about the same concepts of protection and access controls,” he said.

“The greatest sin of all for a CEO is to have different business units with the same mission so everyone is feeling some pressure to justify what they are doing,” said Steve Hunt, an analyst at Forrester Research Inc. in Cambridge, Mass.

The growing need to integrate and manage technologies such as biometric and other specialized physical-access control devices is also driving interest in linking IT with physical security, Hunt said. Even so, few corporations have embarked on such a venture, he said.

That’s because implementing an enterprise-wide security and risk management program can be a challenge from a cultural and business-process point of view, given the silos in which different security-related functions are handled within corporations today, users said.

For example, while IS functions may be handled by a company’s CIO, facilities management may fall under the purview of finance officials, whereas risk management and business continuity are tackled by yet another group. Connecting these silos can lead to “better identification and mitigation” of risks, said Robert Gerden, director of corporate and systems security at Nortel Networks Ltd.

But organizational issues, lack of processes and a dearth of common understanding of security threats can be barriers to making those connections. Plus, it’s often difficult to quantify the return on investment of the mainly qualitative benefits gained from such integration, Gerden said.