The Future Is Holistic Security:
from ST&D
Article ID: D144710
Management consulting firm Booz Allen Hamilton recently surveyed firms with more than $1 billion in annual revenues and found that 54 percent of those surveyed have a chief security officer in place. The rise of the C-level security position marks a dynamic change in the structure of security, which has historically been an under-managed and fragmented function in many organizations. It is evidence of a powerful trend toward a holistic approach to security, through which various elements such as information security, building systems and physical security are integrated into a single function.
Three Integral Concepts
A report released by the U.S. General Accounting Office on April 25, 2002, described the importance of holistic security specifically in reference to federal buildings. The report noted that though various effective security technologies are available to address most vulnerabilities, 'the overall security of a federal building will hinge on establishing robust risk management processes and implementing the three integral concepts of a holistic security process: protection, detection, and reaction.'
Later it went on to describe these three concepts: 'Protection provides countermeasures such as policies, procedures, and technical controls to defend against attacks on the assets being protected. Detection monitors for potential breakdowns in protective mechanisms that could result in security breaches. Reaction, which requires human involvement, responds to detected breaches to thwart attacks before damage can be done. Because absolute protection is impossible to achieve, a security program that does not also incorporate detection and reaction is incomplete' (GAO Report GAO-02-687T, 'Technologies to Secure Federal Buildings').
Separation Between Information and Physical Security
Prior to 1995, information security and physical security management were completely separated. Information security began as simple data center security, and then grew as the IT environment expanded to include online computers on every desk. Because the computer systems operations were managed out of the MIS department, the information security officer function remained there as well.
By contrast, the physical security officer was usually a former policeman, or someone with a military background, whose main responsibility was creating and managing a uniformed guard service, keeping track of keys and managing a visitor badging program in the front lobby. As the information and physical security functions move closer together, the historical differences between these two positions tend to cause tension. The information security officer may have little interest in maintaining physical controls such as barriers, badges and alarms, and the physical security officer may not care to delve into the technical realm of networks and IT.
At this point, terminology also becomes an issue. Many security elements are given the same names by both physical and information security, but those names mean something completely different for each department. Access control in physical security means controlling how people gain physical access to a facility. Access control in information security means a software solution for controlling which network users are able to access what information. The terms 'audit trail,' 'intrusion detection,' 'security policy,' 'emergency response,' 'disaster recovery' and 'maintenance' all have a different meaning in each of the two departments.
However, the state of the nation, the changing landscape of security technology and new federal government security efforts are conspiring to bring the realms of information and physical security together, despite their historical differences.
The Need for Holistic Security
Since 9/11, security has become more and more important, and more expensive, because organizations are seeking a higher level of security than ever before. However, many organizations don't have enough money to implement every security safeguard. How does an organization decide whether to put an authentication program in place to identify network users, or instead to create a stand-off distance in front of the corporate lobby? Holistic security programs can help organizations solve these problems by facilitating proper allocation of the security budget through risk analysis and prioritization.