BP's plan to link its IT and physical security teams could provide an approach for other firms looking to better protect key systems from new threats, such as targeted attacks.
BP is combining IT and physical security to combat a predicted rise in global attacks. The oil company believes that separate security teams do not offer adequate protection, as they are unable to check whether someone whose workstation is logged on to the network is physically in the building, for example.
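The correlation check described above, as an added example rather than anything from the article or BP's own systems: a workstation logon is flagged when the building access system shows no current badge entry for that user at that site. The log format, site name, user names and timestamps are all constructed.

```python
from datetime import datetime

# Constructed sample data (not from the article): badge-reader events and
# workstation logons for one site, as space-separated key=value records.
BADGE_LOG = """\
2008-03-10T07:55:12 site=LON-HQ user=asmith event=ENTRY
2008-03-10T08:02:40 site=LON-HQ user=bjones event=ENTRY
2008-03-10T12:15:03 site=LON-HQ user=bjones event=EXIT
"""
LOGON_LOG = """\
2008-03-10T08:01:30 site=LON-HQ user=asmith host=LON-WS-0142 event=LOGON
2008-03-10T08:30:05 site=LON-HQ user=cdoe host=LON-WS-0077 event=LOGON
2008-03-10T13:45:19 site=LON-HQ user=bjones host=LON-WS-0210 event=LOGON
"""

def parse_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def is_present(badge_records, user, site, at):
    """True if the user's latest badge event at this site, at or before
    'at', is an ENTRY (badged in and not yet badged out)."""
    last = None
    for rec in badge_records:
        if rec["user"] == user and rec["site"] == site and rec["ts"] <= at:
            if last is None or rec["ts"] > last["ts"]:
                last = rec
    return last is not None and last["event"] == "ENTRY"

def find_phantom_logons(badge_text, logon_text):
    """Return (user, host, timestamp) for each logon at a site where the
    badge system does not show the user as physically present."""
    badge = parse_log(badge_text)
    alerts = []
    for rec in parse_log(logon_text):
        if rec["event"] == "LOGON" and not is_present(
                badge, rec["user"], rec["site"], rec["ts"]):
            alerts.append((rec["user"], rec["host"], rec["ts"].isoformat()))
    return alerts

if __name__ == "__main__":
    for user, host, when in find_phantom_logons(BADGE_LOG, LOGON_LOG):
        print(f"ALERT {when}: {user} logged on to {host} with no badge entry")
```

In the sample, asmith badged in before logging on and is not flagged; cdoe never badged in, and bjones badged out before the afternoon logon, so both are reported.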
BP plans to bring together 530 employees from its security divisions worldwide over the next two years, so that IT and physical security departments can work together to address these threats.
Robert Martin, manager of digital security services at BP, said the project would not have got off the ground without boardroom support and an awareness of new threats among senior management.
"BP's board were very much aware of the combined threats the business faced, and so having their sponsorship really helped drive the process," he said.
Martin said one of the key challenges was coming up with metrics to prove that combining IT and physical security would be better.
"Proving return on investment for a new approach to security is difficult: you cannot prove the worth of security by the fact that no breach occurs," he said.
One way Martin overcame this was to identify BP's critical assets and determine the cost of failure to the business should a physical or IT security breach occur.
Bill Nagel, researcher at analyst firm Forrester, said, "What businesses do not realise is that not preventing physical access to the premises can lead to unauthorised access to IT systems, which could cost them much more."
He said that security teams were increasingly looking to metrics to show the business value of combining IT and physical security and to get a better idea of how effectively they are doing their job.
Business metrics were particularly useful in organisations where senior management had a low awareness of the dangers, said Nagel, as they could increase the visibility of threats to the board.
Martin said, "The conversation security teams have with the business must come through as a unified voice if it is to carry any weight. In BP's case, the fact that our IT and physical security teams were both concerned about similar threats helped drive the point of converging security."
Converging security may also require dedicated board-level leadership. Nagel said, "It is not entirely clear to me that it is the IT director who should be making the plan." He said that, if possible, a chief information security officer should be in charge of setting security policy. They would then work with the CIO to determine how best to implement that policy.
Martin agreed that having a figurehead at senior management level was helpful, but for companies with a global reach, the entire board needed to buy in to the idea.
Offering a counterpoint to BP's approach, Ant Allan, research vice-president at analyst firm Gartner, said linking physical and IT security could be desirable, but not doing so did not necessarily create an unacceptable risk.
"The hybrid approach does not provide significant protection against insider attacks - it is not a substitute for stronger authentication implemented solely at the PC and network level. Insider attacks remain the source of many of the most financially significant data breaches," said Allan.
To counter the threat from the "enemy within", BP is working to ensure that staff with legitimate access to buildings cannot gain unauthorised access to systems.