As devices are increasingly being designed to connect and share information, physical security and IT teams need to work more closely together, explains Chip Epps from security firm HID Global.
13 March 2017 | Chip Epps
A unified approach is needed to develop a comprehensive strategy for combatting both physical and cybersecurity threats more holistically.
As more devices are designed to connect and share information within today's smart buildings, the physical security team needs to incorporate the IT team in its proposal, design, implementation discussions and decisions.
Collaboration isn't a one-way street. If the IT team hasn't involved the physical security team in its cyber assessments and incident response processes, the business suffers. Everyone in the physical security team should know where the critical technology resources are, and should have been involved in plans to protect those assets.
While security cameras are generally overseen by a physical security team, the Internet of Things allows for cameras to be connected with other devices, systems or networks that would traditionally not be under the team's remit.
It is important to get ahead of the inevitable convergence between IT and physical access as cybersecurity concerns escalate. The first step is to establish a communications channel and develop the relationships and processes to make it work.
Many facilities are still running on old legacy access control systems that are often not updated until after a security breach. Moving to a more sophisticated IP-based access control system that incorporates physical and cyber or IT security principles brings greater advantages to a site. But security teams must not work in isolation from one another.
1. Do the physical and IT security teams ultimately report in to the same organisation or a chief security officer? If not, they should, so that the CSO or organisation leader can get a complete overview of the site's security and take the necessary steps to enhance security, whether this is for physical security or IT security.
2. Has the IT team implemented more advanced security policies that incorporate location attributes, or data often available from physical access systems? Monitoring who is entering your building and facilities and what your employees are accessing requires a cohesive approach. IT teams need to make sure that their systems are integrated with physical access control systems to accurately track employees and visitors within a building, thus providing greater context in analysing user behaviour and activity.
3. Is there a regular forum to discuss and approve projects that cross the line between the teams? Security cameras, for example, fall under the domain of the physical security team. But now IoT connects these with other devices that formerly might not have been considered under the domain of the physical security team. Having devices like cameras connected to other systems and networks can deliver significant value by turning data into actionable intel - but can also open you up to broader public exposure and risk.
4. Are team members participating in any cross-functional projects with members from the IT or physical security team? Collaboration on projects that combine implementing IT and physical access control solutions is critical to helping develop a robust, holistic approach to an organisation's security strategies. This will also nurture an organisational culture of bringing IT and physical access control teams together.
5. Is there collaboration on corporate compliance training or is there a separate curriculum/content? Making sure the physical and IT security teams are trained together to develop security practices throughout the site is imperative. By working together on compliance, teams can discover where their domains cross over and whether there are any gaps in either their practices or regulations.
Chip Epps is vice president of product marketing solutions for IAM solutions at HID Global