Thursday, December 4, 2008

Convergence - Information and Physical Security


Although executives and CEOs include protecting data, assets, people and premises, among others, when describing security, life is different when it comes to information security and physical security in practice. Mark Willoughby said it right in Computerworld when he wrote that information security is from Venus and physical security is from Mars.

Either one working in isolation leads to half-measures in security. And if each believes that the other has little to offer its own domain, both are mistaken. The first step toward convergence is to look at the type of organization, which determines the basic form of convergence needed.

  • Closed Entry Organizations – Generally, when we refer to security in our discussions, it is to these. They include all corporations and any organization that has a good amount of physical entry checking. Here again, the factors that drive convergence differ depending on the vertical: say, healthcare, power & utilities, banking and finance, or sensitive institutions like NASA, ISRO, etc.


  • Open Entry Organizations – Generally ignored in our security discussions, these are institutions which remain open to the general public with just a reasonable physical entry check. Yet today the world has changed: terrorism is a daily reality, and reasonable security is not enough security. Hotels, the retail industry, educational institutions and government offices, where people can walk in with little obstruction, need to be turned into less open ones. Unlike in closed entry institutions, the public walking into these institutions constitutes anywhere from 70% to 90% of members / employees, so strong validation is needed, and the first that comes to mind is national identity proof – social security, passport, etc.


  • Global / National Scale – Countries too are moving towards this, a well-known example being the USA. The USA strengthened its homeland security by introducing biometrics at the time of visitor entry into the country rather than relying only on physical passports.

Convergence brings about not just greater security of information assets, but greater security of the individuals and the institution itself, both in intangibles like brand image and in tangibles like physical destruction.

What information and physical security converge around is the user identity, the binding factor that brings them into a single seamless line. It is ultimately the user data that you are collecting and collating to gauge who is a member and who is not, in the case of closed entry institutions, or who is harmful and who is not, in the case of the others.

But bringing the two together is not just a matter of bringing in technology. Obstacles like cost and the knowledge gap need to be addressed but, more importantly, it is a matter of bringing the human resources of two disparate departments that have little in common to work together.

It’s great to note that some institutions are beginning to do just that and are looking at the role of a Chief Risk Officer as a central authority. Needless to say, this initiative succeeds when driven top-down.

This was part of the panel discussion titled “Converging Information and Physical Security – A Holistic Approach” which I was part of at the NASSCOM security conference in Hyderabad, India.
