
Network and Physical Security: Can we all just get along?

March 23, 2007. Posted by Andrew Berkuta in Security Screams.

Years ago I was a network and physical security director.  That meant that aside from network security, I had the honor of making badges, recommending security measures within the physical office, and such.  I can honestly say that it caused headaches many days, but was rewarding as well. 

I see a trend toward unifying both disciplines under one role. There are definite pros and cons to this approach to security.

Pros: Unified security policies, and one-stop shopping (if you will) for security. Streamlined responses that are complete from the day of hire to termination. By complete, I mean that when you suspend someone's network account, you follow up yourself by locking out their badges to the properties as well. In many locations where security is an afterthought, this helps lock down your environment so it can be safe for the employees. Similarly, when creating a new user at the start of their employment, you have the complete portfolio to give them, and can offer an education “boot camp” on policies and expectations for the use of the security tools.
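The “complete response” described above has a failure mode worth checking for: an account suspended in one system while the other still grants access. As an added example (not code from the original post), the script below compares a constructed network-account export against a constructed badge-system export and reports every mismatch, then shows a single offboarding action that revokes both at once. The record formats, field names, and sample users are assumptions for illustration.

```python
"""Reconcile network-account state against badge-system state.

Added example, not from the original post. Both exports below are
constructed sample data; a real deployment would read them from the
directory service and the physical access control system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkAccount:
    user_id: str
    enabled: bool


@dataclass(frozen=True)
class Badge:
    user_id: str
    active: bool


# Constructed sample exports (assumed format; not real data).
NETWORK_EXPORT = [
    NetworkAccount("alice", enabled=True),
    NetworkAccount("bob", enabled=False),    # suspended on the network
    NetworkAccount("carol", enabled=True),
    NetworkAccount("dave", enabled=False),   # suspended, never had a badge record
]

BADGE_EXPORT = [
    Badge("alice", active=True),
    Badge("bob", active=True),       # badge still opens doors: the gap the post warns about
    Badge("carol", active=False),    # badge revoked while the account is still live
    Badge("erin", active=True),      # badge holder with no network account at all
]


def reconcile(network, badges):
    """Return the access mismatches between the two systems, keyed by type.

    Each value is a sorted list of user ids so results are stable.
    """
    net = {a.user_id: a.enabled for a in network}
    bad = {b.user_id: b.active for b in badges}
    return {
        # Network suspended but the badge still works: physical follow-up was missed.
        "badge_active_account_disabled": sorted(
            u for u, on in bad.items() if on and net.get(u) is False
        ),
        # Badge pulled but the account still logs in: network follow-up was missed.
        "account_enabled_badge_inactive": sorted(
            u for u, on in net.items() if on and bad.get(u) is False
        ),
        # Identities known to only one side; each needs a human to decide.
        "badge_without_account": sorted(u for u in bad if u not in net),
        "account_without_badge": sorted(u for u in net if u not in bad),
    }


def offboard(user_id, network, badges):
    """One termination action that disables the account and the badge together.

    Returns new lists and leaves the inputs untouched.
    """
    new_net = [
        NetworkAccount(a.user_id, False) if a.user_id == user_id else a
        for a in network
    ]
    new_bad = [
        Badge(b.user_id, False) if b.user_id == user_id else b
        for b in badges
    ]
    return new_net, new_bad


if __name__ == "__main__":
    for kind, users in reconcile(NETWORK_EXPORT, BADGE_EXPORT).items():
        print(f"{kind}: {users}")
    net, bad = offboard("bob", NETWORK_EXPORT, BADGE_EXPORT)
    print("after offboarding bob:", reconcile(net, bad)["badge_active_account_disabled"])
```

Run on a schedule, the reconciliation report is the check that proves the unified process is actually being followed; the two "without" buckets are where contractors, shared badges, and stale directory entries tend to surface.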

Cons: It is a handful to manage, as it takes two different thought processes to master. Let's face it, network and physical entry take on different methods and practices. Staff is another “con”. When you have both pieces on your plate, you are typically left with less staff than you need, or than would have been assigned if the two were separate. In short, you get fewer resources and more responsibility. Budget is strained, as you have to accommodate both camps while management only sees one line item on the roll-up ledger labeled “security”. They don’t like to spend for security – period. It does not make them money; it is an expenditure in their eyes, and “hey?! Nothing happened so far!” (Don’t go there).

In short, unifying both seems to be becoming a trend. The motive could be resources (money, staff, training), or whatever it may be. My take is that if you are going to take a job which incorporates both, make sure you have the following:

1) Board and corporate buy-in.

2) The security department reporting directly to a board member, the president/CSO/CIO, or the legal head of the company (think risk management).

3) A budget which incorporates the right amount of staff, tools (or else you become the fall guy/gal when the laws of plumbing apply during a crisis), and education, formalized in a budget somewhere. Don’t fall for the promise of “we will get to it when you tell us” – spell it out for them that security costs less than the risk of something happening and ruining their production. Ask for the risk assessment from their business continuity plan. This should be in line with their security budget to some degree, so that there is a realistic ratio of expenditure to risk.

4) Lastly, the time-frame: if they are holding you to a timeline, make sure you buy into it before accepting the position. Buying in requires full disclosure of the skeletons in their closet before you are pulled into that meat grinder. Ask a LOT of questions.

I am up for your experiences.  Drop me a note and we could compare security scars.
