The Guardian

Most companies wouldn't think of putting information security, physical security and facilities into one unit. Yet 12 years ago, Eduard Telders made combining the management of these units a condition of his employment at Pemco Financial Services in Seattle.

Now, Telders says he knows of a dozen or so Fortune 500 companies, including Microsoft Corp., that have put physical and technical security management together as a single function. And at both Microsoft and Pemco, the position was handed to a technical security manager, not the physical security manager.

It takes a unique technologist to make this leap. Managing these once-disparate groups calls for thinking far beyond "making the wires hum," Telders explains. This renaissance position calls for a manager who can think about how those wires open the company to the risk of internal embezzlement and fraud, data theft and customer privacy violations.

That means the corporate security manager must also stay up to speed on the physical risks to corporate data, such as building-access violations like "shoulder surfing" (following a badged employee through an open door). Telders stays up-to-date through his memberships in organizations such as the American Society of Industrial Security and by maintaining his standing as a certified protection professional, which he received in 1999.

Today, most investigations into security threats or violations require both physical and technical investigative techniques. For example, when Pemco had problems with employees sending hate mail and surfing the Web for pornography late at night a year ago, Telders' team first tracked physical access to areas of the building through its key-entry system. Then they checked to see who was logged on in those areas at night. Finally, they examined the log files on those systems to see what was being accessed.

"All companies have . . . abuses of systems and other [human resources] problems," Telders notes. "Computers have just become one of the tools to commit [electronic] indiscretions."

Along with knowledge of the IT and physical aspects of data protection, Telders must rally every employee around protecting the company's data in all forms. For example, when users said no one would mess with their computers left on at night, Telders suggested that they cash their paychecks and leave the money on the keyboard over the weekend to see if it would still be there Monday. That clicked with them.

"The first thing I learned about managing the physical was that communication is extremely important with users whom you are trying to put tight controls around," Telders says. "They need to understand in their own terms the whys and wherefores of how the entire security system works. And you must be very responsive to their problems."

Ironically, it's the workers on his old stomping grounds, the IT group, who he has to keep the closest eye on, he says. They're the ones trying to punch holes in the firewall to drop in Digital Subscriber Lines and download the latest cool stuff. And they're the ones who see his security policies as an opposition to them accomplishing their mission of making the wires hum. In fact, Telders has to occasionally quash rebellions among IT group employees when they try to wrestle information security management away from Telders' unit.

Although Telders can empathize, he says his real responsibility is to the owners of the data - the shareholders and the board.

"We represent the owners of the data. And based on the rules of the data owners, we make determinations of what is and is not appropriate," he says.

Profile:

NAME: Eduard Telders TITLE: Corporate security manager REPORTS TO: Chief technology officer DIRECT REPORTS: Security compliance officer (physical security management) Safety and security coordinator (safety and physical security administration) Senior information security analyst (engineering and design, penetration and intrusion detection, forensics) Two information security analysts(daily administration/project work) REQUIREMENTS: Basic understanding of operating systems, networking and IT security Risk-management background Physical security certifications and training Master's degree (Telders' is in biology) Be adaptable, ethical and a strong business communicator

Security Risk and Reward

Stories in this report:

• Want to Save Some Money? Automate Password Resets
  
• Knowldge Quest
  
• Companies Need Security Pros With More Varied Skills
  
• Finding Answers
  
• The Enemy Within
  
• The Threat of XML
  
• SOAP, Other Protocols Specify Security for XML
  
• The Problem With Power
  
• Top 10 Security Mistakes
  
• Playing By Europe's Rules
  
• False Alarm?
  
• An Ounce of Intrusion Prevention
  
• Deadly Pursuit
  
• IDS Products and Prices
  
• Should You Outsource IDS?
  
• Who He Is
  
• Manager Offers Primer On Computer Forensics
  
• Unlocking Secure Online Commerce
  
• Too Late For Digital Certificates?
  
• Giving Users Back Their Privacy
  
• Feeling Safe With IT Security Deals
  
• Finjan's Software Bolcks Active Content Threat
  
• Security Statistics
  
• The Guardian
  
• Congress Considers Slew of Bills That Will Affect IT, E-Commerce
  
• U.S. Legislators Ponder Masses of Bills; Outlook Remains Murky
  
• Rule Changes May Further Protect Company Security Data
  
• Getting Started in Computer Forensics
  
• PKI Carries the Mail for U.S. Postal Service
  
• Security by Syntax