As a security system design consultant, my dealings with multiple businesses over the course of a decade or more have given me a front-row seat from which to watch the unfolding battle between IT and security professionals. Beginning ten years ago, my contact at the client company was typically the security director, although sometimes it was the safety director, the facilities manager, or an executive-level manager. Three years ago, IT managers began showing up at these meetings. And in the past year, at numerous facilities, the IT manager has not only called me in, but he has been the only person with whom I met to discuss security technology. The security director was not involved.
The change, as everyone knows by now, has been fueled by the integration of security systems with the corporate network. It was inevitable that IT managers would become more involved in the security arena. The remaining question is: How should security directors be responding to the new dynamic and what outcome would most benefit the overall organization? I would argue that security directors have important contributions to make, and they should not accept being relegated to a secondary role in the selection of systems.
Consider, for example, that while IT personnel may understand the inner workings of any system well, they may not fully understand its function in the sense of what the corporation needs the security system to accomplish. Only the security director has that big-picture perspective.
In my experience, when IT personnel design security systems, they do not base those designs on vulnerability studies and risk assessments; they also do not factor in other security principles, such as the concepts of crime prevention through environmental design.
Moreover, IT personnel set up complex security systems without regard for whether those systems will be user friendly for the security department. The primary concern for IT managers I have worked with was whether the equipment would fit within the existing networks and meet bandwidth restrictions.
This is not to say that security was not a concern of IT. On the contrary, they were very interested in providing the best security they could find. The issue was education, experience and qualifications in security.
On the other hand, I have seen companies where security takes the lead, relies on the security system sales representative for advice, and fails to involve internal IT personnel. The result is often a system that won't work with the network or that causes network problems. In some cases, the systems proposed were designed to use the organization's network for communication without any understanding of its capabilities and restrictions.
IT departments have a legitimate need to be involved in the selection process when security systems are proposed by the security director. Unfortunately, the IT department is not included in some cases until systems are purchased or up for bid.
IT managers, when they can, will specify security systems with an eye toward ensuring that the systems meet the standards for the network. When shut out of the process, IT may play its trump card and simply ban the security systems from the network. When that occurs, it can significantly increase the cost of the installation and reduce the system's capabilities. It also elevates the friction between the two departments and benefits no one.
At some organizations, senior management recognizes the problem and tries to mediate. In some cases, they settle the issue by hiring outside security consultants to assist both departments in the design or update of new systems. In other cases, companies are replacing managers who can't bridge the gap between security and IT with personnel who understand what is needed for the survival of the organization, not just the individual department.
The new managers are usually cross-trained in IT and security and understand the need for cooperation. The message--work together--is reinforced by the removal of people who are not willing to collaborate.
Whichever approach a company takes, the bottom-line question becomes: "Who should take the reins in security?" For those of us able to look in from the outside of an organization, the answer is simple: Security directors must prevail, but they must abandon the turf mentality. They must, instead, form alliances with IT, because today's security is inescapably intertwined with IT.
Ultimately, security must operate with or without the latest technology. If the system or the network goes down, security can't go down with it. That's why IT must be a consideration of the security director and not vice versa.
But if security directors are to take the lead, they must have a thorough understanding of the IT world. Everything from computer software encryption to networking hardware must become familiar territory.
The new environment requires the involvement of IT for the proper operation of the complex security systems now being installed. Similarly, IT must take security into account in all aspects of day-to-day operations.
Security directors must also work more closely with human resource personnel to consider the type of security officer that must be hired to operate the more sophisticated security equipment. Executives are beginning to understand that these types of officers have a higher price tag.
Above all, security directors must embrace teamwork and the delegation of duties. They must understand that they can transfer or share some tasks--such as allowing IT to ensure that the security system meets network criteria--without ceding ultimate responsibility for the security solution. In so doing, the security director avoids a turf battle and ends up with more, not less, control over areas that affect organizational risk.
Joseph T. Witmer is senior security specialist with Brinjac Engineering. He works in the company's Harrisburg, Pennsylvania, office, where he focuses on security threat assessments and security design projects.