Friday, December 16, 2005

Integrating Physical and Data Security for Money

I continue to bang the drum for integrating physical and data security. It makes too much sense not to. Not only does it dramatically improve security and make electronic crime much more difficult to perpetrate, it is also inexpensive. Think of the situation in this way:

A company with 3,000 employees in three buildings has to issue change orders for every new employee, every departing employee and every employee who relocates in the buildings. This means HR must document the changes, physical security must update its access control lists (one for each building), and IT must modify the server configuration. That is 300 change requests times three, or 900 per month, assuming 10% of the employees have a change each month. By the way, I hear that Cisco has 10,000 change requests a day! They manage those requests with 5 people. You know how: They have integrated their systems.

Integrating physical access control and computer accounts for our hypothetical corporation will provide a full return on its investment (estimated at $160,000) in 16 months, based on compensation levels in Los Angeles circa 2004.

Why isn't this being done across all corporations? I maintain that the obstacle is simply the cultural gap between physical security organizations and the information technology organizations. I spend a good deal of my professional time explaining and showing physical security personnel how to bridge the gap with IT. I identify and describe how to integrate with IT even before the access control systems are integrated.

Integrating access control systems and the computer network will produce tremendous gains in both security and productivity. If Cisco can process 10,000 change requests a day with five people, then certainly access control can become the low-level administrative task it should be.