Is Security One Discipline?
In speaking with end-users, I never cease to be amazed at the expectation for a consultant’s knowledge base and skill set. I have been working in physical security for over 30 years and I feel just recently I have begun to grasp the full picture in this discipline. When I share this observation, the response is often surprise.
Physical Security is impacted by threat assessment, risk analysis, vulnerability assessment, formulation of mitigation strategies, development of processes and procedures, changing technology, network infrastructure, information security, system design, etc. How does one person gain an “expert” level understanding of all these elements?
Who are “Security” Consultants?
- Physical security threat and vulnerability assessment is best handled by ex-law enforcement personnel.
- Risk analysis is best performed by legal counsel and/or insurance actuaries.
- Mitigation strategies and physical security processes and procedures are best devised by physical security specialists (CPP).
- Physical protection systems should be designed by security engineers (PSP).
- Technology management, planning and data infrastructure are best handled by automated systems engineers: Electrical Engineers (EE), Professional Engineers (P.E.), Network Infrastructure Engineers (RCDD).
- Information security and hardening of data transport networks should be handled by system software and coding/encryption experts (nod to CISSP).
In even three lifetimes, I am not sure one person could put this kind of experience together.
End-User Discovery & Needs Assessment
The critical developing need is for an individual who has enough experience to provide program management for all these disciplines. I have begun creating design development tools… there are too many related concerns that must be incorporated into integrated security design: checklists, process schedules, best practices review, etc.
Honestly, the program manager role would not be best handled by my discipline, but then who should it be? Can architects and/or construction managers offer this capability? Maybe, by assembling massive teams… but this approach is not financially viable for any but the largest corporations. So, which discipline will become the project leader capable of providing a cross-discipline needs assessment and assisting in funding prioritization? This may be where some of you can help me. I have seen a new class of consultant pop up, calling themselves “Technology Consultants” and offering design services for ALL low-voltage automated systems (security, fire, A-V, telephony, etc.). These companies are growing out of construction engineering consulting and industrial automation engineering firms.
All these different disciplines are growing together, being driven by end-user need. Personally, I have learned more about data technology and security in the last year than in the previous thirty combined. It has been out of necessity. I am being asked questions now that I have never heard before:
- Have your IP controllers been penetration tested?
- Can your IP controllers support typical network encryption strategies?
- Are your drivers and firmware using open-source code and if so, has it been properly vetted?
Speaking to other security industry professionals here… continuing education is a bigger priority than at any time I can remember. It will be critical to learn not just your area of specialty, but also an overview of related disciplines. Client patience for excuses in this area has been precious little.
Douglas Levin is a consultant employed by ASSA ABLOY. If you would like to discuss this, or other security topics, please contact him via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, his blog Security Integration, or his Twitter feed @DLSecTech.