Cooperation, Not Convergence
Amit Yoran, who served as director of the National Cyber Security Division in the Department of Homeland Security until he stepped down late last year, has some unconventional views on how IT and physical/operational security departments should be structured in the corporate world. “Tech Talk” recently talked with him about those views.
Tech Talk: What do you think about having IT and physical security departments converge?
Amit Yoran: I think the current trend in industry, and what the Department of Homeland Security has been advocating, is an integrated risk-management approach, meaning you look at your business operations and look at where those could be affected either through physical or cyber disruption, and then go about protecting your infrastructure accordingly.
Where things start breaking down is when you force integrated cyber and physical operations. Each of these fields is increasingly specialized, and with a forced convergence in two increasingly specialized fields, I think you start becoming counterproductive.
TT: So you don’t think that, for example, IT security personnel should report to a physical security manager?
AY: I think that’s a mistake. He doesn’t speak the language, and you don’t want to pull the responsibility for IT security out of the CIO’s shop, because the CIO is responsible for IT security. I think we need to be very careful in advocating a particular organizational structure.
TT: So, what kind of relationship between physical and IT security departments would you recommend?
AY: Again, I think it’s important to have integrated risk management. Also, it’s great to have physical and cybersecurity organizations speaking to one another. Obviously, there’s a lot of reliance on cybersecurity for the physical folks, so encouraging a productive relationship there is important. I think where we need to be careful is in advocating a particular organizational structure or advocating either cybersecurity becoming part of physical security or vice versa.
You do need folks who understand organizational risk, who understand the organization’s business processes and can help evaluate risk for the organization and consider both physical and cyber threats, so I think that is all to be encouraged.
Do you pull physical and cybersecurity pieces out from other parts of the organization and do you have them report to somebody doing that integrated risk management? I believe that’s not a prudent approach for most organizations.