Real, virtual worlds share same concerns
Cybersecurity and physical security traditionally are separate practices at most organizations. Physical security concerns have been around a lot longer than computing and networking, and the two have been characterized by separate concerns, goals and even languages.
The growing interconnection of the two worlds could be bringing this distinction to an end. Physical security controls are increasingly networked, and networks depend on physical security for their protection. Merging the two shops can bring advantages of scale to both, said Scott Borg, director of the U.S. Cyber Consequences Unit, a government-funded independent research group. But merger is not without its pitfalls, he warns.
The obvious advantages are improvements in efficiency and economy as planning and response are consolidated under a single department. Risk analysis and budgeting can be brought under a single head and handled by a single staff.
Disaster recovery and continuity of operations need to address both physical and IT problems. A disruption on one side can affect the plans for the other side, and having a single team facilitates this.
There are several potential pitfalls.
Senior management does not understand both sides of this equation. A merger will require a change in the way they are managed.
If done properly, improved management and better reporting could create the impression that security is worsening as more problems are detected. It is like the early days of firewalls: No one had a security problem until the firewall was plugged in.
Although convergence should produce overall savings, ancillary costs of merging operations could make it appear more expensive. Document the savings and cost avoidance that have been achieved.
Physical and IT shops have different cultures and may not work and play well together. Basic training will be needed on both sides.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.