Information Security News mailing list archives

Companies move to combine physical, IT security efforts


From: InfoSec News <isn () C4I ORG>
Date: Tue, 27 Feb 2001 21:22:05 -0600

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88_STO58119,00.html

By DEBORAH RADCLIFFE
February 27, 2001

WASHINGTON -- Late last year, Howard Schmidt, Microsoft Corp.'s
director of security, quietly wrestled the software vendor's physical
and IT security functions into one burgeoning unit that's now dubbed
the information assurance program.

With so many assets to protect in so many locations, it's something
that begged to be done, he said to an audience of 150 security
directors and law enforcement officers attending a cybercrime summit
being held here this week by the American Society for Industrial
Security (ASIS) in Alexandria, Va.

"We get over 9 million voice calls a month [and] 4 million e-mail
messages a day spread out across 200,000 PCs and 18,000 servers from
Silicon Valley to London to Sierra Leone," said Schmidt, who holds the
new title of general manager of information assurance at Microsoft.
"That's a lot of information to manage, whether it's in someone's
head, on a piece of paper or in a computer," he added.

The daunting task of protecting all that data was illustrated by a
series of hacking incidents and denial-of-service attacks that have
targeted Microsoft in recent months. In one case, intruders who broke
into the company's internal computer network in the fall were able to
gain access to the source code for an unspecified future product (see
story).

After Schmidt's speech, the merging of physical and IT security
efforts became the main topic of debate during breaks at the ASIS
conference. On one hand, some security directors said they could see
the need for such a combination because there are so many physical
risks to corporate data -- ranging from unauthorized persons following
employees through an open door to data theft or sabotage by employees
or temporary workers.

But at least a dozen attendees at the conference claimed that moves
such as the one made by Microsoft are direct assaults on the
sovereignty of IT managers. They also said hybrid information
assurance managers may lack the technical knowledge needed to
safeguard data from malicious hackers and other cybercrime
perpetrators.

"The main question is, who's going to be in charge?" said the security
director at a European pharmaceutical maker who asked not to be
identified. "When physical security [managers] for our company
dictated [the use of] a biometric thumbprint reader recently, the IT
guys didn't want to hear it."

Both Microsoft and PEMCO Financial Services, a $1.5 billion insurance
and banking organization owned by Seattle-based PEMCO Mutual Insurance
Co., put oversight for their blended information assurance programs in
the hands of technology managers. But those units were then set up as
separate entities that the IT departments at the two companies have to
consult with before working on new project development.

IT workers also have to answer to the information assurance teams when
something goes awry, said Schmidt and Eduard Telders, the security
manager at PEMCO. Telders persuaded PEMCO to merge its physical and IT
security efforts under a single group after being hired by the company
13 years ago.

Occasionally, PEMCO's technology managers "try to take over the IT
security aspect of our unit," Telders said. "It's basically a turf
war. But IT guys are the worst [security] offenders. Culturally, they
don't have the suspicious thought processes needed to bring security
to the enterprise."

The primary responsibility of technology managers "is to make the
pipes hum," Telders added. "Ours is to make sure things are
implemented securely." And conference attendees opposed to merging
their physical and technical security units better get used to it, he
added, saying he knows of at least a half-dozen other Fortune 500
companies taking such steps.

"Those lines between traditional physical corporate security and IT
computer security are already being blurred," agreed Bill Neimuth,
director of e-business security at Kimberly-Clark Corp., a $13 billion
manufacturing conglomerate in Irving, Texas. "Our goal is loss
mitigation, and I don't care if it's run by the physical side or the
IT side."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

