Challenges and benefits of physical IT security

There has been much talk in the physical security market concerning the imminent arrival of IT manufacturers and the likely impact it will have on the industry, often couched in negative terms by those fearful of change. The expectation has been an 'invasion' spearheaded by the storage-led vendors, but to the surprise of many the impact of these systems has yet to be felt and, to be frank, I'm finding it quite hard to be certain how these products (or are they solutions?) will be taken to the wider market, writes John Kirtland, sales and marketing director at independent security integrator and Cisco security partner Quadrant Security Group.

Instead, the significant impact in the electronic security market is being made right now from the network end of the system by the likes of Cisco, rather than from the storage end, where many of the mainstream IT providers are still operating. What they call "physical security" brings together a number of exciting video surveillance, management and storage products with an expanding range of IP cameras to create a portfolio of products that are truly network-friendly. The solutions really are very good and they will challenge the traditional brands who are offering weak IP-based solutions.

However, the noticeable difference that network solution providers will make in this respect is that their understanding and support don't stop when they get to the network port. When we look at most traditional security manufacturers and resellers we find that their knowledge of IP networks does not go very deep and their experience of converged networks is, at best, limited. This disconnected approach does not lend itself very well to providing a seamless security solution, as it tends to lead to a breakdown in communication between security and IT simply because they don't share the same language.

I believe the changes afoot will have a number of positive effects for the end user and their IT department. It will ensure that the weak gaps present in most of the models used in the security industry will be filled. As customers compare the standards of design and delivery they will soon begin to take advantage of the networked model. I'm thinking here of adequate product knowledge to complete good designs as well as providing ample support without falling back on the manufacturer every time.

Furthermore, there are substantial cost benefits all round. For the security department, the savings can be as much as 30%, as existing infrastructure can be utilised and on-going savings can be made in maintenance. For the IT department, migrating electronic security onto the existing network increases the value of that network and provides an improved ROI. Furthermore, you can provide a valuable added disaster recovery service for the security system. Everyone's happy, not least the FD.

A further key benefit will be the advanced IP knowledge that this new breed of resellers will gain, and they will provide an important bridge between the world of security and the world of IT. That bridge is key and its absence has more often than not been a major stumbling block to success.

The issues here are trust and understanding - from both sides of the divide. My experience from the security team's point of view is that they don't see the IT department as reliable enough because, unlike security, it doesn't operate 24/7, which is clearly essential for effective security. There is also a very real concern of trust, as security involves monitoring and recording people from within an organisation as well as visitors. When an incident has occurred and information needs to be obtained from the security system as part of an enquiry, can they trust the IT staff and how far? After all, those staff do not report directly to them. These are genuine concerns, but ones that can be readily overcome.

And, of course, it works the other way round. To establish a good rapport requires an understanding on your part of the basics of physical security. Whilst no one would expect you to know how to design a security system, there are certain misconceptions commonly held by IT departments about physical security. The most common of these is that putting security system feeds - especially cameras - on to your network will slow it down, or even bring it down. The good news is that cameras don't have to be streaming constantly and most video feeds are much less than 2Mb each. Even a substantial system in a high security environment is still easily manageable across your network and can be designed to accommodate both the needs of the security department and those of the network.

The other big misconception is that security - with its CCTV, access control, intruder detection etc - is a poor relation to the IT industry in terms of skills and technology. Well, we've already seen that on the technology front the move to IP addressable equipment is a genuine breakthrough. In terms of expertise, don't underestimate the skill set required to conduct a comprehensive risk assessment, identify operational requirements and design a system that meets all those needs.

To borrow a much-quoted IT analogy, a security risk assessment creates a solution that is very much like the rings of an onion; you start at the edge, in this case the perimeter of the site, and work your way back layer by layer - to the car park, to the building exterior, through reception and other external doors and in to the heart of the building. You define what the risk is, where it comes from and then you must decide how to prevent, deter, delay and detect the attack. The latter aspect is essential as you can have all the cameras in the world installed, but they won't help you if you haven't decided on an appropriate response. For example, if you have a high security site the main focus is on prevention and deterrents, whereas a lower security site may rely more on delay tactics. The higher the risk, the greater the number of layers of security required to prevent and deter intruders.

Security companies also face the challenge of designing systems using equipment from different manufacturers without an open protocol. They must therefore have an excellent understanding of product to ensure they are not drawn down a route where they end up with a proprietary system. Manufacturers' proprietary software has held the security industry back for years and although an open protocol has been developed it is less than a year old.

Another source of confusion, this time from both sides - IT and security - is the issue of budgets and ownership. Who pays for a security system that runs over an existing network? I fail to see why this should cause so much upset as the security system is just another business application; why treat it any differently from other departments and applications such as HR and Finance? Each organisation will clearly have its own way of working, but my experience is that as converged solutions are deployed the security system budget for equipment and support will be transferred to the IT department whilst the operational requirements and staffing will still be the responsibility of the security department.

So change is afoot, and as the key decisions and budgets for electronic security technology migrate to the IT department, the availability of technology from an IT-centric supplier will only hasten this change. I expect this will lead to many of the traditional security companies quickly falling at the barriers of skill, time and money as they are incapable of stepping up to the required standard. But for forward-thinking IT departments and resellers, there is a very real opportunity to pave a path of excellence.
