Physical and IT security should merge

The creation of positions such as chief security officer (CSO), and a growing focus on security in enterprises more generally, has started to create interest in whether CIOs and IT managers should be involved in decisions relating to physical security.

Greg Ryan - from the network and integration services division of IBM Global Services in Australia - believes that greater communication between the IT department and the business about physical security is important.

Ryan said that some organisations in the past had not had the CIO involved in the company's physical security, because there was a separate security department which handled this area. However, he believed, the increasing need to link physical security systems into IT infrastructure meant a growing involvement by the IT department.

Increased return-on-investment of business infrastructure was another reason IT departments were becoming more involved in an enterprise's physical security, Ryan believed. If the security department and IT department are seen as working together, IT was seen as adding value, rather than just being a cost, Ryan said.

People should move away from the mindset of separating IT security and physical security, argues information security consultant Daniel Lewkovitz. Yet he also cautions that the actual implementation of IT and physical security systems shouldn't consequently be seen as requiring similar technical skills. "Someone who knows how to install a firewall may not know how to assess camera technology," he said.

But Lewkovitz said that over-riding concepts such as risk assessment, risk treatment and overall approaches were similar for physical and IT security. "The risk of anonymous hackers may be as great as someone coming and setting fire to your building," he said. "So the concepts are very similar - if you're protecting a computer, a person, or a building".

Lewkovitz also warned about taking a reactive approach to security, or using fear tactics. Instead, he suggested identifying the genuine risks to a particular organisation and treating those effectively.

Analysts are also finding increasing connection between physical and IT security in organisations. In a research note, industry analyst Gartner also commented that some enterprises were looking at combining information security and physical security departments under one roof. It credited this to an overlapping of responsibilities, such as investigations and user provisioning, as well as protecting organisational assets.

"This arrangement takes a strong management team and a lot of communication because the skillsets of each group are very different," it said.

Vivienne Fisher writes for ZDNet Australia