Physical Security and IT: Separated by a Common Language


A unique challenge to physical security and IT collaboration is the terminology used in each domain. While the underlying concepts are basically the same for most terms, a single term can refer to different things in each domain. For example, “IP” means “Intellectual Property” to corporate security, but “Internet Protocol” to IT security folks. A physical security manager might say, “We have removed all the IP from the corporate network,” meaning that all critical intellectual property documents have been removed from computers connected to the corporate network. This would eliminate the threat of those documents being accessed by a hacker on an internal or Internet network connection. That sentence would sound absurd to IT personnel, because network communications are based on IP messaging!

Preventing Meeting Mental Fog

What happens when these terms come into play is that discussions go along fine until a particular term is used. Then the participants who hold a different definition than the speaker start developing strange ideas about what is being said. If it happens too much, one side or the other gets into a “mental fog” and can’t really track the rest of the discussion. Parts of major initiatives have gone off the rails over this specific phenomenon.

Table 1 provides some examples of the terminology differences. Once aware of this phenomenon, participants can recognize when the definition difference has come up and address it on the spot.

Table 1. Examples of Terminology Differences

Term | Physical Security | IT
IP | Intellectual Property | Internet Protocol
Credentials | ID Badge; Passport | Digital Certificate
Key | Key for physical lock | Encryption key
Perimeter | Fence line or exterior building walls | Network connection to outside or public networks
Intrusion detection | Door/window alarm system | Computer & network hacker detection
Directory | Lobby Building Directory | Electronic Network Directory
Security Logs | Reception sign-in sheets; Journal of security officer shift notes | Lists of access attempts to computers and networks
Revocation | Canceling and retrieving a security ID badge | Canceling a digital certificate
Signature | Written signature | Digital signature

On the other hand, there are a lot of common concepts between the physical security and IT domains—after all, they both deal with security—and so Table 2 provides examples of the commonalities between the two domains in terms of security concepts.

Table 2. Examples of Common Concepts

Security Component | Physical | IT
Perimeter Barriers | Walls and fences | Firewalls
Access Control | Locks & Keys; Keypad PIN Codes; Biometrics; Access Cards | Password Codes; Biometrics; Smart Cards
Alarms | Intrusion Detection: Motion Detectors, Glass Breaks, Door Contacts, Fence or Perimeter Intrusion Detection Systems (IDS) | Intrusion Detection: Network Intrusion Detection Systems (IDS)
Investigative Tools | Interviews; Collection of Evidence (Forensic Physical Science); Evidence Analysis; Identify Cause or Suspect | Interviews; Collection of Evidence (Computer Forensics); Evidence Analysis; Identify Cause or Suspect (Network Forensics)
Notice (e.g., “No Trespassing”) | Physical Signs (“Keep Out”) | Computer Messages (“Keep Out”); Acceptable Use Agreements
Security Resources | Contract Security Officers; 911 – Law Enforcement Response; Community Law Enforcement Programs | Consultants; High Tech Crime Units; FBI InfraGard Program; Carnegie Mellon/CERT
Risk Assessment or Security Surveys | Inspection; Threat and Vulnerability Analysis; Testing | System Configuration Inspection; Threat and Vulnerability Analysis; Attack and Penetration Testing
Awareness and Training | Bomb Threat Training; Workplace Violence Training; Security Awareness Training | Incident Response Training; Protection of Information Training; Security Awareness Training

Additionally, some terms that are in common use are not fully understood even by some of the people using them. For example, the term bandwidth is commonly used to refer to how busy a person is (“I don’t have the bandwidth for that today”). People can also get all kinds of strange ideas when they try to infer a definition from the context of the sentence. For example, “Look at the screen, you can see there isn’t enough bandwidth,” can give someone the idea that the width of the visual image on the screen is what is meant by bandwidth, when the speaker was talking about the display of available network bandwidth. This has actually happened. And there have been people who think that CCTV refers to a cable television station like MTV rather than a camera surveillance system—Closed Circuit TV.

This is why a strategy is needed to guard against miscommunication:

Establish, publish and follow meeting guidelines for cross-functional communication that account for the educational differences among the participants. Also apply them to your personal communications.

An example set of meeting guidelines follows below.

With practical strategies like these in place, you have an excellent chance of success in addressing the risks from putting physical security systems on your corporate network, and helping ensure that the business receives the full potential value of the systems.

Physical Security and IT Meeting Guidelines

Here are some guidelines that can be applied to all meetings, but which are especially important for meetings where both Physical Security and IT topics will be discussed:

  • List the topics to be covered. At the start of the meeting, list the various knowledge domains that will be covered in the meeting. Ask for a show of hands if a domain is not a primary subject of expertise. If any hands go up, emphasize the importance of not going past any point that isn’t completely understood. Explain that the success of the meeting and the follow up actions is important enough to take the time to clear up any questions.
  • Schedule attendance for mixed agenda meetings. Try scheduling the topics so that people won’t be unnecessarily subjected to domain-specific discussions. Someone from accounting should not be expected to sit through a lengthy technical discussion. Skip the technical discussion and give a plain English summary, or schedule the technical discussions first with a limited group and bring others into the meeting at a later point.
  • Specify who can answer questions. Sometimes people think they understand something, only to find later that they don’t. By the conclusion of any meeting, make sure you have identified who should be contacted about questions specific to each topic of discussion.
  • Check for questions. At the conclusion of each topic, not just at the end of the meeting, check for questions. If being considerate of questions is something new in your organization or department, you may have to overcome the reluctance of some people to ask questions.
  • Clearly define terms. Be sure to define each topic term clearly when you first use it, and make it obvious when you are switching topics. You should have definitions written out in advance that use plain language and avoid references to other words that would not be known to the meeting attendees.
  • Be brave. Ask a question when you don’t understand. Often others will have the same question. Lead by asking. Others will follow your example.
  • Be considerate. Be patient in helping someone else understand what you are saying. It’s your responsibility as the person speaking to make sure that you get your message across. This means you have to take the steps necessary to clearly explain what you are saying at the level of the listener. Remember what Einstein said: “If you can’t explain it to a six year old, you don’t understand it well enough yourself.”