Report: Corporate security undermined by lack of cooperation

Computerworld - A lack of information sharing and cooperation between IT security, physical security and risk management functions is hindering efforts to upgrade corporate security, according to a report released this week by The Conference Board Inc.
The separate silos in which many businesses put those functions can create a corporate culture that encourages the hoarding of vital security information, said the report, which was based on interviews with more than 200 senior executives at major companies.
Businesses need to bridge the gap and develop a "common frame of reference," said Tom Cavanagh, a security expert at The Conference Board, a New York-based research organization. "What you need to have is a way for everybody to be on the same page and speaking the same language" when it comes to implementing companywide security policies, he said.
Cavanagh's advice echoed comments made at last month's ASIS International 2004 conference in Dallas, where corporate managers and analysts cited a growing need to unify the management of IT and physical security (see story).
That viewpoint is "absolutely right," said Dennis Treece, director of corporate security at the Massachusetts Port Authority (Massport) in Boston. "Until the various factions stop bickering over turf, we're going to find any holistic security improvements terribly difficult" to achieve, he said.
Treece, who oversees both physical and IT security at Massport, said that the separate security-related functions within companies "all have different points of view, different cultures, different career paths, different educations and even different vocabularies."
Physical security practitioners who typically deal with human intelligence issues and technologies such as intruder alarm systems often have little in common with IT security professionals, said Eddie Schwartz, chief technology officer at Securevision LLC, a consultancy in Fairfax, Va.

Similarly, risk management executives tend to come from financial backgrounds and often have little technology savvy, said Schwartz, a former chief information security officer at Nationwide Insurance Co. in Columbus, Ohio.
The resulting communications breakdowns often lead to gaps in security, said Lew Wagner, CISO at Clarian Health Partners Inc. in Indianapolis. "The secret to any long-lasting and effective security practice is to have IT security dovetail with physical security, risk management and human resources" functions, he said.
Wagner added that long-established corporate hierarchies and territorial boundaries make this integration hard to achieve. "Each of these groups have already carved out their niches and protected areas and are resistant to change and have to be shown that this [integration] is a way to enhance what they are doing," Wagner said.
Demonstrating the value of information