Companies can improve their ability to detect and respond to both cyber and physical threats by tying their IT security to other aspects of corporate security.
But the cultural and business-process changes involved in implementing such a holistic view of security can be daunting for most corporations, users said this week at a conference held in Chicago and organised by ASIS International, a Virginia-based organisation of security professionals.
“The benefits of integrating corporate security with IT security can be tremendous,” said Lew Wagner, chief information security officer at the MD Anderson Cancer Center at the University of Texas in Houston.
Coordinating IT security functions with areas such as physical protection, facilities management, human resources and legal and audit functions has helped enhance overall threat-detection and incident-response capabilities at the hospital, Wagner said.
“It streamlines corporate investigations. Whenever somebody runs afoul of the policies of the institution, you don’t have a bunch of people doing stovepipe things,” he said.
A holistic view of enterprise security can help plug gaps that might otherwise be missed, said James Litchko, president of Litchko & Associates, a security consultancy in Maryland.
For instance, the majority of IT-related security threats still stem from procedural and process flaws — such as failure to secure access to crucial systems, inadequate backups and lack of auditing — rather than from technology glitches, Litchko said. Consequently, it’s important to factor in physical and personnel security when implementing IT security, he added.
“To some degree, this is happening naturally as IT becomes intertwined in almost all aspects of corporate life,” said David Rymal, director of technology at Washington-based Providence Health System.
“Even physical security is tied to IT, as all of our electronic access controls feed databases,” Rymal said.
In the case of the health care industry, regulations such as the Health Insurance Portability and Accountability Act are driving such collaboration further in order to protect patients’ privacy, Rymal said.
As more computing devices become mobile, “we must guard against not only theft of the devices but [also] protection of the data on those devices,” he said.
Integration of security functions can also lead to better operational efficiency, said Steve Hunt, an analyst at Forrester Research in the US.
“The greatest sin of all for a CEO is to have different business units with the same mission so everyone is feeling some pressure to justify what they are doing,” Hunt said.
Even so, few corporations are embarking on such a venture, he said. That’s because implementing an enterprisewide security and risk management program can be a cultural and business-process challenge, given the silos that security-related functions are relegated to within many corporations, users said.
For instance, IT functions may report to a CIO, while facilities management is handled by finance and risk management and business continuity are handled by yet another group.
Connecting these silos can lead to “better identification and mitigation” of risks, said Robert Gerden, director of corporate and systems security at Nortel Networks during a presentation at the conference.
But it can be “very hard to quantify the ROI” on the benefits gained from such integration, Gerden said.