Sunday, February 26, 2006

A Meeting of Two Cultures with Identical Goals

I recently conducted a joint security discussion at a $5 billion beverage company. I moderated the discussion, which was between the physical security organization and the data security organization. The physical security personnel fit their stereotype: burly, blue-collar, with rough-hewn language skills. The data security folks also fit their stereotype: brainy and articulate. Yet, during the meeting, it became clear that the physical security folks had a lot to offer the IT people. It is true that the physical security folks might be able to persuade, but it was clear to me and to the IT people that physical and data security can and should work together.

We found that physical security had skills in conducting risk-based assessments that were sorely lacking in the IT people. We also discovered that the physical security people would immediately view change procedures as an area of high vulnerability. Yet, such procedures at this company were incomplete and inadequate. Finally, the parties reached consensus that third-party oversight might benefit IT's security efforts.

Convergence is the term used for the integration of physical and data security. Most people take this to mean the integration of entry control systems for facilities with the computer network. In the case of this global company, convergence means integrating the two organizations in a way that allows both to contribute to improving the protection of assets.

Saturday, February 25, 2006

Operational Risk and Organizational Risk

Electronic crime has increased the organizational risk that corporations face. With physical crime, operations tend to bear the greatest risk. Six or seven years ago, organizations could focus on securing their operations in order to deal with their greatest risk. If a truckload of product were stolen, the loss would often be the company's greatest exposure. The Internet has initiated changes such as: i) financial identities can be obtained (i.e., stolen) and sold by people thousands of miles away; ii) laws have been implemented to protect consumers and employees from having their identities stolen as a result of corporate negligence; and iii) penalties and sanctions can, when made public, result in a loss of approximately 17% of a corporation's market capitalization for at least a year following the breach, in addition to damages. This loss of shareholder value, along with the damage to the brand, makes the organizational risk greater than that borne by operations. The corporation suffers very little, if at all, when its customers' financial identities are purloined...at least the direct loss is very little. The litigation that follows is now the major risk factor. A competent security plan protects the corporation from this organizational risk.