Ask the Expert: Practicing Physical Security
I’m curious as to why it is felt that a new wheel needs to be invented regarding physical security. I have been kicking around the security profession for over 30 years now, as an Intelligence Officer, Law Enforcement Officer and Senior Corporate Security Executive at Fortune 500 and 100 firms. We have been developing these standards and best practices and practicing this art for some time. Is the IT community just now discovering this? If so, we have done a terrible job of educating and communicating. Or perhaps there is some realization that server farms and electrical room doors should not be blocked open by IT people who have found it to be “a hassle” or “too heavy handed.” If you will look to professional colleagues who have practiced their craft and be open to working with them, you will find that a new holy grail is unnecessary and a waste of energy.
I don’t have the feeling that emphasizing or calling attention to the importance of physical security represents a new discovery, but I do think it’s an area that’s been somewhat overlooked in the usual IT professional’s quest to learn more about “cool tools and technologies.” Physical security is the cornerstone for any other kind of security, because if physical security is circumvented, no other kind can completely make up for its breach.
How did you get the idea that I thought of physical security as a new holy grail as you put it? Perhaps you’ve read some of my recent writings and are reacting to them. I do agree that there’s a lot to learn in this area, and that many IT professionals could stand to benefit from the knowledge and skills of other professionals, as you so nicely put it.
Every information security certification I’m aware of, from beginner’s credentials like Security+, SANS GSEC, or TICSA to advanced credentials like the CISSP or the PSP (Physical Security Professional), stresses physical security as one of the key elements in establishing and maintaining information security. Thus, I can’t agree more about its importance, and have to thank you for bringing it to everyone’s attention.
Let me therefore go on to say that an analysis of physical security requirements and current practices should be a key element in any security audit, and that such an audit should be conducted no less frequently than once a year. Make sure your next audit includes a thorough physical security review, and that follow-up brings security practice in line with security policy.
Thanks for writing.