Security: Let's get physical
The creation of positions such as chief security officer (CSO), and a growing focus on security in enterprises more generally, has started to create interest in whether CIOs and IT managers should be involved in decisions relating to physical security.
Greg Ryan—from the network and integration services division of IBM Global Services in Australia—believes that greater communication between the IT department and the business about physical security is important.
Ryan said that some organizations in the past had not had the CIO involved in the company’s physical security, because there was a separate security department which handled this area. However, he believed, the increasing need to link physical security systems into IT infrastructure meant a growing involvement by the IT department.
Increased return on investment from business infrastructure was another reason IT departments were becoming more involved in an enterprise’s physical security, Ryan believed. If the security department and IT department were seen as working together, IT was seen as adding value, rather than just being a cost, Ryan said.
But Lewkovitz said that overriding concepts such as risk assessment, risk treatment and overall approaches were similar for physical and IT security. "The risk of anonymous hackers may be as great as someone coming and setting fire to your building," he said. "So the concepts are very similar—if you’re protecting a computer, a person, or a building."
Lewkovitz also warned about taking a reactive approach to security, or using fear tactics. Instead, he suggested identifying the genuine risks to a particular organization and treating those effectively.
Analysts are also finding an increasing connection between physical and IT security in organizations. In a research note, industry analyst Gartner commented that some enterprises were looking at combining information security and physical security departments under one roof. It credited this to an overlapping of responsibilities, such as investigations and user provisioning, as well as protecting organizational assets.
"This arrangement takes a strong management team and a lot of communication because the skill sets of each group are very different--preventative versus after-the-fact and physical, respectively," it said.