A lack of information sharing and cooperation between IT security, physical security and risk management functions is hindering efforts to upgrade corporate security, according to a study released this week by The Conference Board Inc.
The separate silos in which many businesses put those functions can create a corporate culture that encourages the hoarding of vital security information, said the study, which was based on interviews with more than 200 senior executives at major companies.
Businesses need to bridge the gap and develop a “common frame of reference,” said Tom Cavanagh, a security expert at The Conference Board, a New York-based research organization. “What you need to have is a way for everybody to be on the same page and speaking the same language” when it comes to implementing companywide security policies, he said.
Cavanagh’s advice echoed comments made at last month’s ASIS International 2004 conference in Dallas, where corporate managers and analysts cited a growing need to unify the management of IT and physical security.
That viewpoint is “absolutely right,” said Dennis Treece, director of corporate security at the Massachusetts Port Authority (Massport) in Boston. “Until the various factions stop bickering over turf, we’re going to find any holistic security improvements terribly difficult” to achieve, he said.
Treece, who oversees both physical and IT security at Massport, said that the separate security-related functions within companies “all have different points of view, different cultures, different career paths, different educations and even different vocabularies.”
Physical security practitioners who typically deal with human intelligence issues and technologies such as intruder alarm systems often have little in common with IT security professionals, said Eddie Schwartz, chief technology officer at Securevision LLC, a consultancy in Fairfax, Va.
Similarly, risk management executives tend to come from financial backgrounds and often have little technology savvy, said Schwartz, a former chief information security officer at Nationwide Insurance Co. in Columbus, Ohio.
The resulting communications breakdowns often lead to gaps in security, said Lew Wagner, CISO at Clarian Health Partners Inc. in Indianapolis. “The secret to any long-lasting and effective security practice is to have IT security dovetail with physical security, risk management and human resources” functions, he said.
Wagner added that long-established corporate hierarchies and territorial boundaries make this integration hard to achieve. “Each of these groups have already carved out their niches and protected areas and are resistant to change and have to be shown that this (integration) is a way to enhance what they are doing,” Wagner said.
Demonstrating the value of information integration to all stakeholders in corporate security can be a challenge, Schwartz said. “But one of the mistakes that people often make is to assume that everybody needs to be in the same room with the same colour shirt to make this work,” he said.
Instead of necessarily breaking down silos and establishing chains of command, companies should emphasize building a comprehensive “situational awareness” capability, where executives from different groups can compare high-level information and look for trends, Schwartz said.
“Most firms don’t understand how and why holistic security is a profit multiplier and a market differentiator,” said Thomas Varney, vice president of forensic services at TrustWave Corp. in Annapolis, Md.
Varney served most recently in the U.S. Office of the Secretary of Defense and the Coalition Provisional Authority in Iraq, “where we understood the necessity of the holistic security perspective,” he said.