Should IT Take Over Physical Security?

JH
John Honovich
Published Jan 18, 2009 15:37 PM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

Frequent discussions of IT taking over physical security often turn to not simply if it will happen but when it will happen. Such convergence is viewed broadly as a key issue in the future of the security industry.

Perhaps more important than will it happen is should it happen. Would it be better for end user organizations to have IT run physical security? Would we save money or be more secure or possibly both?

The Case for IT Taking Over

Proponents see 3 major advantages for IT taking over physical security:

  • Physical security systems are becoming increasingly more sophisticated
  • IT personnel can quickly learn what they lack in physical security
  • IT personnel are strong at maximizing business benefits of technology

The rise of IP telephony is the most commonly cited example of a domain that IT has successfully taken over.

Why IT Should Not Take Over

I believe it would be dangerous for IT to take over physical security. If IT did take over, this would increase security and liability risks.

Unlike telephony, physical security is significantly more involved than integrating and deploying the technologies employed. It is impossible to manage physical security simply through technology. Physical security, by its nature, requires extensive expertise in physical construction, organizing responders and interacting with suspects/attackers. Indeed, physical security is intricately intertwined with security management (e.g., see the US Army physical security guide [link no longer available]).

Physical security practitioners offer three 3 characteristics that will be difficult to impossible for IT to successfully replace:

  • Toughness to physical conditions and physical threats
  • Ability to handle deception and lies
  • Deep domain expertise in criminal justice

The technologies used in physical security help security execute their responsibilities but do not and will eliminate the need for these characteristics.

Toughness

Security managers routinely deal with violence or threats of violences – it is an essential and necessary part of the job. Even if you get an image of the person on your IP video system, you still need to deal with the person (an especially difficult issue when dealing with internal issues).

Security managers, often with a military or police background, have years of training dealing with violence and threats. As such they tend not to be intimidated or overwhelmed when faced with this.

Most IT managers lack the temperament and training to be competent in these situations . If the IT manager is handling incidents, it is an easy and obvious choice for the suspect to intimidate the IT manager.

Deception and Lies

Most suspects will not immediately admit full guilt. This is the whole point of investigations – which is a key element of security organizations both in the public and private sector. Security managers need to be trained and able to handle this type of interaction.

IT managers do not have any of this training. This could lead to lower cases resolved, less restitution and if they conduct the investigation inappropriately to lawsuits.

Criminal Justice

What is legal is a key element in security decisions every day. From how suspects can be treated to how policies and procedures are setup, criminal justice issues are critical to properly running security.

We often talk about the IT needing to learn about lenses, camera positioning, recording duration, etc but that's just a small part of real security management. Check the PSP and CPP certification requirements and you can see the hundreds of elements involved.

Maybe IT Can Just Runs the Systems?

Some people may argue: Let security handle all the criminal and investigation aspect, just let IT handle physical security systems.

Accounting and sales provides a good examples (indeed, counter examples to telephony). The accounting and sales organization are heavily dependent on information systems. However, the IT department rarely selects the software. While the IT department absolutely has influence and makes recommendations, the accounting and sales organization ultimately choose the system that best meets their particular goals. This practice is equally sound for physical security.

Conclusion