The convergence of security disciplines
The term “convergence” has become a bit of a buzz word in security of late. This has come about as a result of physical security technologies becoming more akin to information security technologies and the cross over between the two disciplines.
It was always going to happen. Physical security has been gradually embracing proven information technology (IT) practices for some years now.
Firstly, our network communications started to migrate to ethernet cables and RJ45 connectors. Our CCTV systems (finally!) adopted raid arrays for critical storage and our cameras became powered over ethernet (POE).
As a result, there has been a noticeable shift in the global physical security market with traditional IT manufacturers and distributors expanding their product range to include physical security offerings. Blue-chip IT companies like Cisco and Ingram Micro have entered the market with physical security playing a prominent role in their business growth strategies.
This however creates some challenges, particularly for the end-user.
IT companies will rarely have the skill sets to advise on physical security solutions and the physical security integrators will not have the skills that the IT companies have. So what you end up with is both market sectors ploughing on regardless, promoting their respective wares and offerings.
And there are risks associated with this from both angles of the spectrum.
In the physical security world, security networks are traditionally closed-loop; they start and finish within a defined premise and are not connected in any way to the internet or the outside world. From a security perspective, this means we haven’t had to concern ourselves with the risk of hacking or cyber crime because it was rarely a factor.
This is where the two security disciplines are going to need to work together to advise their clients on the risks and opportunities of consolidating the respective technologies and combining security networks. Sure, this will create some challenges initially, but there are advantages and efficiencies to be gained if it can work properly.
A really easy one is making use of Microsoft Active Directory and centralising user databases. Active Directory is well-known to both industry groups and is a staple of many enterprise level access control alarm and CCTV systems as well as the majority of IT systems.
By centralising user databases, new rules can be applied to network security. For example, before a person is allowed to log-on to their work computer, they must have entered the workplace through a known entry point. The credential they used to get in the front door can also be used provide access to their work computer. It’s entirely logical, easily managed and adds another layer of security to the business.
However, it will take both sides of security to ensure it works effectively and without added risk. In the physical security space, we will not understand IT security products as well as our IT counterparts will. While we might understand the basics, we certainly won’t be able to appreciate the differences between manufacturers and product offerings.
Conversely, in the physical security space, we have all the knowledge and expertise to advise on physical security offerings that the IT guys are unlikely to have.
Both security disciplines share many terms and phrases such as:
- Access control
- Intrusion detection
- Penetration testing
- Defense in depth
- Vulnerabilities
- Threat assessments
- Network
- Countermeasure
However, in the IT world they apply to one thing and in the built environment, something different altogether. This needs to be acknowledged and respected by both parties.
So while there definitely is a converging of technologies, to get it absolutely right, both disciplines need to stick to their respective areas of expertise and work together so that we do not create new risks by getting ahead of ourselves.