Physical and Network Security Merging?

MonMotha writes "CSO reports that physical and network security may be merging in an effort to eliminate redundant jobs, create a more secure security plan, and make security procedures more standardized across the company. This would seem to be a logical step forward as businesses become more and more dependent on their computers, and as the old adage goes, an attacker with physical access already has you owned."

this scares me

[GoatPigSheep]

does this mean we are going to be giving network admins guns? I don't really trust those guys, with all their quake playing and all.

Somewhere, a BOFH is smiling....

[wowbagger]

I cannot wait until the Bastard Operator From Hell gets in on this....

Bad idea

[techmuse]

I do network security for a living. I also know the physical security people in my company. We have completely orthogonal skill sets and cultures. Most (non-guard) physical security posititions require knowledge of police work, evidence handling, physical monitoring equipment, etc. (Good) Network security requires advanced understanding of network theory, operating systems, programming, algorithms, network protocols, etc. It's not about watching an intrusion detection system all day. It's about influencing how programs and entire systems and networks are designed and operated, outthinking attackers, and so forth.

ISC^2 already defines this

[phreakmonkey]

... as the article points out. To me, the bigger relevation to "geeks" here should be that information security is about a lot more than OS vulnerabilities and firewalls.

The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.

Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.

Anyone interested in the relations of risk management and physical/information security should aim their research towards ISC^2 related documentation.. in addition to being fairly comprehensive you will be better prepared when you become experienced enough to apply for your CISSP certification. ;-)

(ISC^2 can be found here)

-PM

CSIS and other agencies have known for decades

[kaladorn]

Contrary to the parent poster's rather foolish statements, physical security people who help assess (perform threat/risk assessments) and implement solutions in physical security can be quite sharp and quite technically savvy.

For example, in evaluating a server room for the RCMP, I saw a physical security guy assess things like smoke detectors, fire extinguishers, construction of the ceiling, construction of the floor and walls, construction of the doorjamb and the locks used, etc. And he had to know his stuff as well as knowing what the pertinent standards for good practice (and in the case of government, for government standards for physical security). His prior job involved some assessments of some CSIS facilities (managing construction of same or something like that IIRC).

It is a very different skillset, but it makes total sense to combine expertise in both into one entity if organizational security is a requirement (and when is it not?). Ideally, in such a group, people will be cross-trained and particular experts in network/computer and site/physical/emission security will be retained. In practice, some poor sysadmins may get stuck trying to ensure physical security as well - depends on who is implementing the rationalization.

I recall reading a security text which devoted about twenty pages to encryption, network security, etc. and about 200 pages to other organizational security processes (including audits, risk assessments, emergency response plans, etc). If it costs me $100,000 to hack your network electronically or $5K to payoff a janitor, which do you think the bad guys will target?