Physical security becoming an IT problem

Security experts from the Royal Mail, Proctor & Gamble and Barclaycard agree that the systems used to secure company facilities and IT systems are merging

The proliferation of technologies such as identity management mean more IT managers are having to take responsibility for physical security, according to a panel of leading IT security managers.

Speaking at the Business Continuity Expo in London's Docklands, IT security experts from the Royal Mail Group, Proctor & Gamble and Barclaycard acknowledged that their companies are increasingly merging systems used to authenticate employees' entry to physical facilities with those used to control access to computing resources.

"I have worked in a lot of different areas of our company and I have found that physical and IT security are coming together, especially around the area of identity management," said David Lacey, director of information security, Royal Mail Group.

David McCaskill, section manager for global security solutions at Proctor & Gamble, explained that the pharmaceutical giant had also integrated its physical and IT authentication systems. "We are also seeing these authentication systems come together. Before, if you forgot your passcard to access the building that wasn't a major problem, but now it is."

Companies have generally treated physical security as the responsibility of the facilities department and computer security as that of IT. But employee information has increasingly become integrated, allowing businesses to link the two systems, Steve Hunt, an analyst with Forrester Research, said in a recent report.

"Locks, cameras, entry systems, and even guard desks will be upgraded to work with the same computing systems that control computer and network sign-on, identity management and security incident management," Hunt wrote. "Consequently, IT security vendors will rush to merge or find partnerships with their physical security brethren to respond to the new opportunities."

The link between physical security systems and network security is another ripple emanating from the terrorist attacks of September 11, 2001. Twice as much will be spent on such integration this year compared with 2004, reaching $1.1bn in Europe and the United States, according to Forrester.

Jamie Watters, business continuity manager at Barclaycard, agreed that IT and physical security were coming together, but said it was more important to unite the disparate groups in charge of IT security to create a single body with responsibility for protecting an organisations infrastructure. "For me the most pressing issue is not the coming together of IT and physical security but more importantly the coming together of IT security groups. Companies I have worked for have two or three different IT security organisations.

Lacey agreed it was vital that companies had one single group with overarching responsibility otherwise decisions on IT security would be delayed by a "court of infinite appeals". He advocated creating one single business continuity group with cross-organisational responsibility for physical and IT security.