A clash of cultures between different security factions within the same
company is putting security efforts at risk, according to a new study.
A trio of corporate security groups — or silos — is responsible for
safeguarding a company’s information, financial resources and people.
Getting those groups to work together is a problem that, if overlooked,
could put all three in jeopardy, says Tom Cavanagh, a senior research
associate with The Conference Board, a non-profit research group with
2,000 corporate members.
The three groups — physical security forces, IT security and financial
risk management executives — are at the heart of the problem.
“Increasingly, the security field is seeing a lot of convergence of
different disciplines, but it’s been tough to pull everything
together,” says Cavanagh. “The people in the various silos have a
tough time communicating with each other… And the failure to share
information can have devastating consequences.”
Cavanagh says the problem is one of culture. Think back to high school
and how the different ‘cliques’ looked down on one another and wouldn’t
be caught actually speaking to each other. The corporate scenario isn’t
all that different.
The people in charge of keeping corporate buildings and employees safe
are thought of as the cop wanna-bes. The IT workers are considered to be
the geeks. And the risk management executives are the bean counters in
the suits. None are very flattering images, and they’re detrimental to
building a sense of teamwork.
“To effectively manage their total security needs, companies must
bridge this clash of cultures and create a common frame of reference for
this function,” says Cavanagh. “Walling off assets produces silos on the
organization chart, and it also produces a culture in which vital
information may be hoarded rather than shared.”
If the physical security people aren’t communicating with the network
security workers, they might, for instance, miss clues that someone is
approaching employees outside the building and tricking them into
divulging information that would help them to hack into the network.
This kind of social engineering is best fought by a multi-tiered
approach.
And for that, companies need their security people communicating with
each other.
To make that happen, Cavanagh says there is no magic bullet. Just drag
them all into the same room.
“It’s about bringing them to the table,” he adds. “It’s getting them
to share information, but it’s pretty darn challenging… You can sit
them down together but that doesn’t mean they’ll understand each
other.”
To that end, Cavanagh says someone needs to oversee the meeting to make
sure that no one is talking in jargon — especially the IT folks. Speak
using words that everyone at the table — cop, geek and bean counter
alike — will understand. Look for common problems and tackle them
together.
But don’t expect this culture clash to clear up overnight, warns Gordon
Haff, an analyst with Illuminata, an industry research firm based in
Nashua, N.H.
“This has been a long-standing issue,” says Haff. “It’s no surprise
to anyone that physical security isn’t particularly integrated with IT
security… It’s sort of motherhood and apple pie to say that everyone
should just communicate.”
But Haff adds that starting the conversation is the only way to begin
the process of mixing these cultures, breaking down the stereotypes and
ultimately making companies more secure.