Friday, December 16, 2005

Aligning Risk with Security Solutions

IT organizations almost never conduct a risk assessment before they implement security. How smart is that? Well, not very. The standard practice in, say, configuring a firewall is to see what traffic comes through and then configure it to block that traffic. Then wait for the next set of traffic to come, block that, and repeat the process until satisfied.

Think about securing your house in the same manner: Well, people walk in front of the building so you put locks on the front door. People walk by and look in the windows so you lock the front windows. The garage door is left open at times and people walk by, so you lock the door from the garage to the house. Let's say that is the extent of traffic for about a week. Is your house secure? Hardly...and neither are IT systems, and for the very same reason.

I actively advocate having physical security people work with IT people in conducting risk assessments. Physical security people have risk-based assessments etched into their DNA. They can provide a lot of guidance to IT people when it comes to securing IT systems.

I like to think of this as one step in integrating physical and data security: This is also called convergence in security circles. I exhort my clients to integrate the two organizations, physical and data security, before they try to integrate systems such as access controls. IT learned many years ago that automating a bad procedure only makes the matter worse: Integrating the IT systems of physical and data security before the organizations are working together will likewise make the system worse.

In addition to conducting risk-based assessments, I encourage my clients to have physical security provide guidance in developing enforceable policies for IT change controls and to provide third-party oversight when those change procedures are being performed. Collaboration in these three areas represents a satisfactory prerequisite to integrating various access control systems.