Physical security and IT teams are vital to the security of any large organization. This is especially true in today’s connected enterprise, where every physical security device lives within a network.
In order to protect a business, both teams must work in tandem to solve the many security challenges that can arise — device availability issues, cyberattacks, compliance issues, device vulnerabilities, etc.
But there’s been a longstanding disconnect between the two groups, stemming from limited visibility over physical security devices, a lack of tools and systems to see and manage their infrastructure, and lack of a common language and shared data to properly collaborate.
This overarching problem has been compounded by the fact that Internet of Things (IoT) and physical security devices have exploded in number in the enterprise. Companies deploy anywhere from dozens to tens of thousands of security cameras, access control and other physical security devices.
To be fair, the relationship between IT and physical security has certainly made progress, but there is plenty of residual misalignment. In many cases, there is still tension and mutual frustration: each side feels the other makes their job more difficult and at times presents demands that are unreasonably outside the scope of their respective purview.
Who owns the devices, who manages them, and why it’s hard to talk about
Physical security departments own the devices they rely on — video cameras and access controls, etc. — while IT owns the network where the devices live. This results in an awkward problem: while physical security teams introduce these devices into the network, they mostly lack the technology to properly manage them. IT teams typically aren’t the experts when it comes to physical security devices; are not responsible for managing these devices; nor do they see whether they are operational and secure. And because companies today have massive fleets of physical security devices deployed, managing and maintaining them at scale is very difficult.
Furthermore, IT’s domain has always been on the technology side, while physical security focused on operations. This resulted in a language barrier between the two groups. Luckily, the relationship has been improving, due in part to a growing and healthy overlap of domain knowledge.
From then to now: root causes of the tension
Once upon a time, not so long ago, IT and physical security teams worked in separate silos. That’s not fully the case today. But the relationship can certainly stand to improve.
There are practical reasons for the historical misalignment. The migration from analog to internet protocol (IP)-based devices in recent years amplified communication issues and friction between the teams. That’s because virtually all physical security devices live on networks managed by IT — unlike analog devices of yesteryear. The physical security group is responsible for their devices, but are having a hard time upgrading firmware, rotating passwords and other “standard IT” operations. That has created unnecessary risk at some organizations.
Today, the biggest impediment is that most physical security teams still lack tools to see and manage their devices properly. This creates more blind spots. If a physical security manager sends IT a spreadsheet list of its devices and compliance-related information, that’s merely a static snapshot. It’s not how IT is used to working today. They’re equipped with numerous systems to manage, maintain and secure any asset on their network — but their physical security group lacks a system to handle those functions. This can put the company at risk. For its part, physical security teams still have to get their job done every day. The end result? Frustration on both sides.
When misalignment impedes problem solving
IT points out that physical security devices cause cybersecurity and operational problems because they often have outdated firmware, easily guessed passwords, ports left open, and other vulnerabilities. Hackers may target physical security devices as entry points to attack enterprise IT infrastructure. As one director of physical security at a global manufacturer said, “IT does not like me.” Others comment, “When we turn to IT for tech guidance, we are given low priority.” This pattern became a sore point over the years.
A typical story: A camera goes offline. IT says, “It’s the device, not us.” The physical security team alerts the integrator responsible for maintenance. They dispatch a technician to find and check the non-working camera. The technician reports back that the camera is actually working and needs no repair. Meanwhile, a half dozen other cameras go offline, and IT discovers that a network switch was having intermittent failures. No one is to blame, but the lack of visibility and diagnostic data created expense, inconvenience and friction. This type of situation might take several days to fully resolve. In the meantime, it feeds the disconnect between the two teams.
Luckily, these issues can be largely overcome today with appropriate tools.
Strengthening the relationship between IT and physical security
When two parties speak the same language and use the same currency (data), they can cooperate easily and resolve issues quickly. With the right data, physical security teams would know quickly on their own if a network switch was causing the outage, for example, and then provide IT with the required information to help resolve this issue in no time.
Luckily, there are Software as a Service (SaaS) solutions that can help manage, secure and maintain devices — and provide the level of insight to give both teams peace of mind. Having this type of technology will be a key enabler to level the playing field and elevate the capabilities of physical security. These tools equalize the data about connected devices, and satisfy IT standards.
By eliminating the problem of device visibility, stress between the two departments can recede. IT will begin to see their physical security colleagues as the strategic partners they are. The relationship will shift from one filled with tension to one marked by collaboration. This will be particularly important during outages and cyberattacks, and will ultimately save both teams time and money.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.