In addition to the potential trouble spots when collaborating with IT, security also has to keep an eye on the financial side of what it wants to do. Every department is working together more these days, and not only is security a consideration for the business units, but business is also a consideration for security, which means that the department has to be able to make the business case for what it wants to do. Managing financial factors is a key component of IT-security convergence.
"We, as security people, cannot go into that C-suite and say, 'Look, we need to do this because it's important, it's a good security measure," Craighead says. "That doesn't relate to them. What relates to them is, 'If we don't do it this way, this could potentially have an impact on the business, and these are the possible bad things that could happen.'"
When making your case to the CFO or CEO for an investment — especially one that may involve lots of whiz-bangy technology — remember, Craighead says, to not promise that the technology is all you need to be able to achieve complete security.
"If you really want to 100 percent do away with that risk, just shut the building down and don't let people operate in there," he says. "You'll never absolutely have 100 percent protection against (a) threat; but having said that, you do what is appropriate under the circumstances in order that the organization feels comfortable that it can live with that risk and continue on with its business."
This extends out to security planning and risk assessment as well. As Craighead says, there's no way to eliminate all risks, especially as portable devices that can be used to gain access to the network proliferate and employees spend more time working remotely. After all, you can have top-of-the-line cameras and three layers of access control on the door to the server room, but how do those things stop somebody from logging in from their bedroom?
"Security involves a lot more than just the electronic system," says Duda. There are security officers and personnel that have to be maintained, there's policies and procedures and people that run that."
Those policies, procedures, and personnel all have to be working in concert. If they aren't, then you run the risk of what happened to a client of Ahrens, who once received a call from the director of security to fill him in on the consequences of a seemingly innocent email from IT letting employees know that the network would be down for maintenance over the weekend.
"Guess what the security system was on?" Ahrens says. "They took the whole network down. When they took the network down, they took the connectivity to the security down. So guess who got robbed?"
As IT And Security Converge, Physical And Information Security Challenges Increase
Defining Network Responsibilities Is A Key Component Of IT, Security Convergence
Financial Factors Are Key Element Of IT, Security Convergence
