Many clients and more than one IT security ‘expert’ have told me that there are few differences between the processes and organizational constructs of IT security and physical security. Both are concerned with protecting the company from bad guys, whether their assaults be on the ground or on the wire.
Is this true? It would seem that the jury is still out – while I know one company where this has been implemented, many others are still managing IT and physical security as separate groups.
Both CSO Online and Computer World have written about this topic, and the issues seem to be related to cultural and pay. IT culture is experimental and dynamic, whereas traditional security takes a more conservative approach. And because salaries for employees in IT shops can be quite a bit higher than those paid for physical security staff, there is a risk of staff conflict if these groups are combined.
But there are many opportunities to share process and management efforts. Identity proofing process are (or should be) virtually the same. Authentication/access devices can be combined and managed together. Monitoring of IT and physical security feeds can be made more efficient. And a single point of contact (CSO) – with easy information sharing – can reduce impacts of breaches and false alarms. All these add up to big cost savings, improved efficiency and improved security.
Do the benefits out-weigh the difficulties of merging and then managing all security staff as a single unit?