Companies should consider merging physical and information security into a converged program -- it might be challenging but it will be worth it, Ronald Woerner, security compliance manager at online brokerage TD Ameritrade, said Thursday at the RSA Conference.
“If you differentiate physical and information security, you silo yourself,” Woerner said.
A convergence effort may face challenges such as educational differences between physical and information security employees, company politics and the notion of one part of the business stepping on the other's “turf,” Woerner said. But he claimed a successful convergence effort can provide many benefits, including an alignment of goals, information sharing and a single focal point for security within the business.
In merging the physical and information security parts of its business, TD Ameritrade ran into a few hurdles along the way. The effort took more than a year, and one of the most difficult aspects was figuring out salary adjustments for employees, Woerner said. The company tapped physical security employees to do some elements of information security, and vice versa, so it was necessary to work with human resources to alter pay based on the new responsibilities that employees took on.
One of the problems with convergence is that physical security employees are generally not comfortable with the idea of merging with information security, but this is something that seems to be changing, Doug Wheaton, manager of marketing communications at HID, a company that provides physical and information security convergence products, told SCMagazineUS.com Thursday. He added that there is a “strong recognition” that physical security employees who don't accept IT will be left behind.
Woerner challenged companies to “break out of your silo” and start thinking about convergence and the benefits it can bring. As a start, take your counterpart in physical security out to lunch and begin the conversation, he suggested. He added that companies should create a risk model that includes both physical and information security threats.
First, determine your company's assets, and then determine the risks to those assets, Woerner said.