Thursday, November 16, 2006

Security is a Process...Not a State

It is second nature to most of us that security is a process and not a state. However, many of us overlook the implications of this fact in regard to data security. Let's consider the implications now.

A breach of sensitive information is different from a breach of security involving physical items, a point discussed more than once in previous postings on this blog. The actual loss derives not from the breach itself but from the litigation and bad press that result. The risk is to brand and shareholder value. It is for this reason that the process of security must be formalized. If the loss results from bad press and litigation, then the defense is the ability to demonstrate that a reasonable standard of care was being provided. This is best demonstrated by producing a written plan, evidence of effective management with third-party oversight, and evidence of the progress being made on the plan.

Formalizing the security process does not need to be burdensome or costly, and as a risk mitigation measure, it is almost instantaneous in its effect and unassailable in its cost effectiveness.

Access Control Moving to IT?

Two years ago, physical security appeared to be the sole domain of the traditional security organization. Maybe it is me, but it seems that in small and large organizations alike, I am seeing the IT organization as the prime mover in access control... and often surveillance. In just the last week, I have visited a hosting company for 40,000 realtors, the company responsible for 80% of all transmissions of digital cinema films, and one of the oldest large residential communities in Los Angeles.

In each case, the Technology Director, the Network Administrator, or the Facilities Technician (in the IT department) has been the primary point of contact. Two of these companies are part of very large organizations that have traditional security, yet it is as though they do not exist. What does this mean?

It seems to be the beginning of a trend. It seems to me that while the physical security professionals get comfortable with the concept of convergence, the IT professionals are filling the void of indecision. In my opinion, all that has to happen for physical security to re-establish its rightful place is to understand that IT wants to be the custodian of the access control system, and that IT wants security to be the owner of the data. This can be an easy arrangement to negotiate and one that serves both professional communities.