BP's plan to link its IT and physical security
teams could provide an approach for other firms
looking to better protect key systems from new threats, such as
targeted attacks.
BP is combining IT and physical security to combat a predicted
rise in global attacks. The oil company believes that separate
security teams do not offer adequate protection, as they are unable
to check whether someone whose workstation is logged on to the
network is physically in the building, for example.
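The presence check the article describes, correlating badge-reader events with workstation logons so that a logon from an account whose holder is not badged into that site is flagged, as an added example that is not BP's code or anything the article shows. The event layout, user names, site names, five-minute clock-skew grace period and the choice to skip remote logons (no physical presence expected) are all constructed assumptions:

```python
"""Correlate physical badge events with network logons.

A logon at a site where the account holder has no open badge-in
interval is reported. Open intervals (badge-in with no badge-out yet)
count as present until further notice.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Interval = Tuple[datetime, Optional[datetime]]  # (badge-in, badge-out or None if still inside)


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def build_presence(badge_events) -> Dict[Tuple[str, str], List[Interval]]:
    """Turn (timestamp, user, "in"/"out", site) events into presence intervals per (user, site)."""
    presence: Dict[Tuple[str, str], List[Interval]] = {}
    open_entries: Dict[Tuple[str, str], datetime] = {}
    for ts, user, action, site in sorted(badge_events, key=lambda e: e[0]):
        key, t = (user, site), parse_ts(ts)
        if action == "in":
            # A repeated "in" without an "out" keeps the earliest entry time.
            open_entries.setdefault(key, t)
        elif action == "out":
            start = open_entries.pop(key, None)
            if start is not None:
                presence.setdefault(key, []).append((start, t))
            # An "out" with no prior "in" is itself an anomaly worth a separate alert.
    for key, start in open_entries.items():
        presence.setdefault(key, []).append((start, None))
    return presence


def is_present(presence, user: str, site: str, at: datetime,
               grace: timedelta = timedelta(minutes=5)) -> bool:
    """True if the user has a badge interval at that site covering `at` (with clock-skew grace)."""
    for start, end in presence.get((user, site), []):
        if start - grace <= at and (end is None or at <= end + grace):
            return True
    return False


def find_unmatched_logons(badge_events, logon_events,
                          grace: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return logons (timestamp, user, workstation, site) with no matching physical presence."""
    presence = build_presence(badge_events)
    flagged = []
    for ts, user, workstation, site in logon_events:
        if site is None:
            continue  # remote/VPN logon: presence is not expected, so a different rule applies
        if not is_present(presence, user, site, parse_ts(ts), grace):
            flagged.append({"time": ts, "user": user, "workstation": workstation, "site": site})
    return flagged


# Constructed sample data (hypothetical users and sites, not from the article).
BADGE_EVENTS = [
    ("2024-03-04T07:55:00", "alice", "in", "HQ"),
    ("2024-03-04T12:10:00", "alice", "out", "HQ"),
    ("2024-03-04T08:20:00", "bob", "in", "HQ"),   # no badge-out yet: still inside
]

LOGON_EVENTS = [
    ("2024-03-04T08:05:00", "alice", "WS-HQ-12", "HQ"),   # badged in: fine
    ("2024-03-04T08:30:00", "bob", "WS-HQ-07", "HQ"),     # badged in: fine
    ("2024-03-04T09:00:00", "carol", "WS-HQ-40", "HQ"),   # never badged in: flagged
    ("2024-03-04T10:00:00", "dave", "LAPTOP-9", None),    # remote logon: skipped
    ("2024-03-04T13:00:00", "alice", "WS-HQ-12", "HQ"),   # badged out at 12:10: flagged
]

if __name__ == "__main__":
    for hit in find_unmatched_logons(BADGE_EVENTS, LOGON_EVENTS):
        print(f"{hit['time']} {hit['user']} on {hit['workstation']} at {hit['site']}: no badge presence")
```

The useful tuning points in practice are the grace period (badge readers and domain controllers rarely share a clock) and what to do with remote logons, which this rule deliberately ignores; a separate rule for accounts that are badged in while also logging on remotely is the natural complement.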
BP plans to bring together 530 employees from its security
divisions worldwide over the next two years, so that IT and
physical security departments can work together to address these
threats.
Robert Martin, manager of digital security services at BP, said
the project would not have got off the ground without boardroom
support and an awareness of new threats among senior
management.
"BP's board were very much aware of the combined threats the
business faced, and so having their sponsorship really helped drive
the process," he said.
Martin said one of the key challenges was coming up with metrics
to prove that combining IT and physical security would be
better.
"Proving return on investment for a new approach to security is
difficult; you cannot prove the worth of security by the fact that
no breach occurs," he said.
One way Martin overcame this was to identify BP's critical
assets and determine the cost of failure to the business should a
physical or IT security breach occur.
Bill Nagel, researcher at analyst firm Forrester, said, "What
businesses do not realise is that not preventing physical access to
the premises can lead to unauthorised access to IT systems, which
could cost them much more."
He said that security teams were increasingly looking to
metrics to show the business value of combining IT and physical
security and to get a better idea of how effectively they are doing
their job.
Business metrics were particularly useful in organisations
where senior management had a low awareness of the dangers, said
Nagel, as they could increase the visibility of threats to the
board.
Martin said, "The conversation security teams have with the
business must come through as a unified voice if it is to carry any
weight. In BP's case, the fact that our IT and physical security
teams were both concerned about similar threats helped drive the
point of converging security."
Converging security may also require dedicated board-level
leadership. Nagel said, "It is not entirely clear to me that it is
the IT director who should be making the plan." He said that, if
possible, a chief information security officer should be in charge
of setting security policy. They would then work with the CIO to
determine how best to implement that policy.
Martin agreed that having a figurehead at senior management
level was helpful, but for companies with a global reach, the
entire board needed to buy in to the idea.
Offering a counterpoint to BP's approach, Ant Allan, research
vice-president at analyst firm Gartner, said linking physical and
IT security could be desirable, but not doing so did not
necessarily create an unacceptable risk.
"The hybrid approach does not provide significant protection
against insider attacks - it is not a substitute for stronger
authentication implemented solely at the PC and network level.
Insider attacks remain the source of many of the most financially
significant data breaches," said Allan.
To counter the threat from the "enemy within", BP is working to
ensure that staff with legitimate access to buildings cannot gain
unauthorised access to systems.