Corporate IT risks and physical threats are changing security deployment

Computerworld - PHOENIX -- Growing IT and physical risks and emerging regulatory requirements are transforming the manner in which security functions need to be viewed, implemented and managed, said executives at the SecurIT 2003 Summit here this week.
For instance, it is becoming increasingly important for companies to look at IT and physical threats from a common, unified risk-management perspective, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
As one of the executives in charge of securing Boston's Logan International Airport, three seaports and a major toll bridge, Treece is focused primarily on physical infrastructure protection. But he also oversees the IT side as well, sitting in, for example, on all meetings regarding the implementation of a new Gigabit Ethernet campus LAN at Logan Airport.
Such unified oversight of security functions is not only necessary, but inevitable, he said. "At the end the day, the board is going to see no difference between network and physical security. There's going to be a single security budget line item. It's all the same risk," he said.
The need to comply with emerging privacy regulations and other laws also means that IT security organizations will have to collaborate better with other corporate functions such as legal, audit and human resources, said Robert Degen, senior vice president of corporate security at First Data Corp. in Englewood, Colo.
Such alliances will become crucial in securing the money and support needed to implement enterprisewide security in future, he said.
"You can't go it alone like a Don Quixote," said Degen, who, like Treece, oversees both IT and physical security for First Data. Degen reports to First Data's chief auditing officer, an arrangement that he said has allowed security to remain a top issue at the board level.
It is crucial for security executives to be proactive in overcoming notions of security as an expensive and non-revenue-generating function, users said. And that means being able to put a dollar value on risk as much as possible, especially at a time when IT spending overall has been considerably tightened, Treece said.
Jude Ogunleye, a systems administrator at Cascade Natural Gas Corp. in Seattle, is thinking of getting his company's network tested and analyzed by a third party to highlight weaknesses that could be exploited in future. The idea is to demonstrate just "how much money you can lose with a downtime," he said.
While getting funding for security initiatives is easier than it was a few years ago, "a business case for information security