23 May 2006

Steve Hunt, President of 4A International, discusses some of the challenges associated with integrating physical security and IT and offers some practical solutions.   

A chief financial officer recently told 4A International that in one month he received two purchase order requests that he could not approve. One came from the security department for a €1 million upgrade to the access control infrastructure to manage people and their privileges to corporate assets. Then he received a request for a €1 million “identity management” solution from the IT department. It too was designed to manage people and their privileges to corporate assets. One system managed physical privileges and the other data, but that subtle difference was lost on the CFO, who declared the expense redundant and demanded that the two groups work together to save costs.

Bringing two very distinct security solutions together into one is complex, but achievable.  4A International suggests making changes in technology, attitude, processes, and how you “sell” the project.

Technology

4A research has found that in 5 years, most access and event management deployments will rely on software written by IT companies. Physical security dealers and integrators need to adopt, to a certain extent, some “IT awareness” or sensitivity. Here are other issues which, if ignored, could get you knocked off the ladder by an angry IT techie.

Recommendations

  • Watch the bandwidth - Remember that the IT department has each network “tuned” to expect a certain traffic level.  Always ask your customer sponsor to communicate your bandwidth needs to the network operations team.
  • Wireless worries - Adding one new wireless access point affects load on all others.
  • Backup & Recovery - The IT department has a plan for backing up and restoring any critical device on the network.  Be sure your DVRs, NVRs, and access control systems are listed in the IT recovery plan.
  • Maintenance - If you don’t know the maintenance schedule, you can lose contact with your cameras or panels indefinitely.
  • Use of closets - The last person to touch the closet is at fault. Whenever possible, take a digital before and after picture of the wiring configuration, or video tape your installation.

Attitude

IT professionals are very possessive of “their” network and servers. Similarly, physical security professionals have been doing security for a long, long time and feel they’ve earned the right to decide what’s best for their clients. 4A research shows that corporate security personnel are by and large inexperienced with computers and networking technology, and are not inclined to learn computing skills independently. Conversely, IT personnel are highly inclined to learn new technology skills. The best approach for convergence work is to highlight the capabilities and expertise of all members of a project team.

Recommendations

  • Respect their turf - Document every way you touch the network.
  • Be secure in your identity - You’re not the only “security” professional.  The IT department has a very skilled group of IT security experts.  Refer to yourself as a “physical security” professional, and to your counterparts as IT security professionals.

Processes & Policies

Most IT managers are rigorous about policies and processes. You’ll go far by conforming your systems to the policies of your customer’s IT department.

Recommendations

  • Passwords matter - If any of your systems utilize passwords, you must conform to existing IT password policies. 
  • Change management - The IT department has a 3-ring binder lying around somewhere outlining the steps for approving a change to any software or computer on the premises.  Find it, read it.
  • System security - Some companies comply with IT security standards like Generally Accepted Information Security Principles (GAISP), COBIT, or ISO 17799, which give guidelines on the security of software, servers and network connections.  Familiarize yourself with the standards of your customer.
  • Regulatory compliance - Besides standards, there are also regulations.  Be ready to answer questions about how information about employees or visitors is stored and managed.

Selling the project

Take a cue from the IT guys, who over the years have become adept at gaining support for their projects directly from business unit managers. Getting the buy-in for security products and services today means understanding what drives your customer’s security purchase decisions. Fear, uncertainty and doubt are not the cleverest tools to use anymore.

No one cares about security. Outside of the security profession, everyone in the company thinks security is an annoying layer of cost and inconvenience. Couch all project descriptions in terms of value and enabling the business. Value wins every time.

Conclusion

The security profession’s growing use of software, computers, and network connectivity will drive a steady increase in interactions between physical security and IT groups.  Done well, these projects will yield millions of pounds of value in improved efficiency, reduced costs, elevated security and increased ability to respond to new needs.  After all, it’s not our job to secure the building.  It’s our job to secure the business.