No longer is it acceptable or wise for two separate security teams to exist independently of each other, says Bill Boni, director of information protection services at Coopers & Lybrand.
'The focus used to be on tangible assets for the physical security manager, and on information for the information systems manager, but the importance of intellectual property to an organization necessitates a merger between the two,' Boni says. 'You have to understand that your major values are now your intellectual property, trade secrets and other proprietary information. That requires legal, investigative and systems skills in a collaborative environment.'
Protecting intellectual property is tricky, because it includes every level and every facet of an organization.
'In the traditional structure, the physical security manager says everyone wears a badge, so we're done. The traditional IS manager says everyone has a password, so we're done. The lawyers say everyone signed a nondisclosure, so we're done. Each one of those is necessary, but cannot really protect the company's intellectual property information assets because information moves between the different environments so quickly,' Boni notes. 'If these groups maintain their segregation and are not part of some sort of cross-organizational team, the losses begin where each one's boundaries end.'
To truly protect your intellectual property, it is clear that these two security teams must work closely together. But that is more easily said than done. Training differences, cultural differences, and a long history of working independently make this kind of cross-functional cooperation difficult to institute.
WarRoom Research LLC, an Annapolis, Md., systems security company and think tank, has just released a report that finds that physical security personnel and information security personnel simply do not communicate.
'There are literally no communication pipes. This is a serious problem, because as our economy becomes more digital, we run into a situation of data information and corporate knowledge being more accessible over cyberspace links than over traditional dumpsters and Xerox machines,' says Mark Gembicki, president of WarRoom Research. 'It is more accessible over the Internet and by intercepting somebody's e-mail and phone conversations than the physical security of somebody coming in with a false ID or somebody jumping over a barbed wire fence.'
But even though it is difficult, it is crucial for the two sides not only to communicate, but to work together seamlessly. Moreover, there is no time like the present to get your house in order. If you wait for a disaster to occur, it is simply too late. 'Forming an organization and having it work together before there is an incident to contend with is very important,' Boni says. 'It is almost inevitable that there will be a security breach of some type. Typically, it will be a theft or loss of a trade secret or intellectual property.'
By avoiding the inevitable melding of physical and information security, companies are opening themselves up to tremendous risk, says Dan Withers, president of the Santa Clara, Calif.-based High-Tech Crime Investigative Association. Even though physical security personnel may be able to stop the crime, intellectual property may already have been stolen through electronic means. If there is no input from the information security team, the efforts of the physical security team may be for naught, Withers says. 'They really open themselves up from a liability standpoint,' Withers says. 'Companies can really have their reputations destroyed by certain types of security breaches. Once information gets into the wrong hands, it can adversely affect your business. You may never fully recover.'
This type of integrated approach pays dividends in all types of businesses, but perhaps more so in high-tech, leading-edge organizations that have a significant amount of intellectual property.
'In these types of businesses, your biggest risk is an insider who will try to walk off with information,' Boni says. 'If security is strictly an information systems function, (information security personnel) may detect the incident and do nothing more than suspend that person's logon ID. If it is a physical security person, the guard might be looking for the guy to walk out the door with a box of tangible product, but that probably won't be how he does it. He is more likely to use the Internet to transmit source code or files. It is that kind of organization that needs the coordinated, cross-organizational perspective the most.'
Security = Survivability
A guard behind a desk and a couple of network passwords probably do not protect your company's ability to function.
Take a hard look at your security procedures and ask a few eye-opening questions:
- Are you protecting the things that keep your doors open for business - not just facilities, equipment, and data, but critical processes?
- Can you complete your mission in a crisis - be it a security breach, power outage, LAN failure, or a natural disaster?
- Can you afford the resulting losses (in dollars, lost customers, other resources) if you couldn't function for an hour? a day? a week?
Your company is not secure unless you are protecting all of the things you need - people, places, and processes - to get the job done.
Restructuring your security plan to minimize losses in times of crisis creates survivability - the key to comprehensive security for any business.
Getting Your House in Order
Here are some key steps to follow in assembling a comprehensive security plan for your organization.
Michael Braham is Director of CommGuard, Enterprise-Wide Continuity Services at Bell Atlantic Federal Systems. Braham serves on the National Board of Directors of the Association of Contingency Planners and is Sub-Committee Chair for the Leadership Coalition for Global Business Protection.