How does the IT department influence security purchases?
In recent years, information technology (IT) departments at end user companies have often been seen as adversaries of traditional security departments – or, at least, as a thorn in their side. One of the issues is territorial: As physical security products have migrated to use of Internet protocols and the network infrastructure, the IT and security departments have clashed – erm… make that interacted – more and more often. New realities such as cybersecurity have made it critical that the two entities work in harmony, and IT professionals often provide useful insights into product selection, among other issues. We asked this week’s Expert Panel Roundtable: What is the influence of the IT department on security purchases at an end user company?
Not that long ago, the industry viewed IT involvement in security buying decisions as an impediment. However, the tide has shifted, and it is critical that these professionals be brought into the fold early in the process, now that virtually every security component either lives on or somehow touches the IT infrastructure. The ever-present threat of cybersecurity breaches alone is enough to mandate their involvement, but IT also has the benefit of overseeing all the systems within an enterprise. Through this lens, they can offer suggestions of ways that security products and services may also serve needs in other areas of the business that are not directly tied to security (e.g., video analytics, process improvements).
It is critical for IT departments to be involved at the very onset of physical security projects because so many of today’s security devices and systems, such as surveillance cameras, are connected to the network. IT departments need to gauge the impact of the devices on the network, especially if the devices – such as IP cameras – use a significant amount of network resources. IT departments also need to influence the way the devices are managed on the network and how they interact and/or integrate with other systems such as user databases. Given that cyberattacks continue to rise in occurrence and complexity and pose a serious threat, IT departments also need to make sure that physical security devices are not susceptible, and if they are compromised, the damage is minimised. Furthermore, IT departments can provide advice on whether cloud-based applications would be a better fit for an organisation.
IT departments are becoming more and more involved with security purchases due to the ever-greater integration of systems. This was very evident right from the introduction of IP CCTV and video analytics, which at the time required considerable amounts of network and bandwidth resources. Bandwidth usage is less of a problem with modern systems, but overall vulnerability is still a concern. Network security is also heavily involved with preventing online attacks on physical security systems, with SSL encryption now commonly used. Possible data breaches and online attacks are an unpleasant reality for 21st Century businesses. Equally, though, if a company’s network data can be corrupted, there will inevitably be potential consequences for security systems that also use these resources. In a hyper-connected world, a potential vulnerability could come from any direction. As well as internal security, it is important that companies ensure their suppliers/partners maintain vigilance as well.
The influence of the IT department in end user companies can be both positive and negative. It really depends on the attitude and knowledge of the department managers and staff. What I mean is, if the staff are very technically aware of both current and new developments in the market, and the benefits of various technologies, then they can have a positive influence by championing new technologies and the need to implement them in the correct way. Conversely, if they aren’t aware, then they can adversely influence the uptake of new technologies, or even actively suppress it! Some of this can also be attributed to the finance departments and the allocation of budgets. Some companies allocate annual budgets, but fail to take into account the lifespan of the equipment being purchased, meaning they buy sub-standard equipment to fit the budget but it ultimately costs more in the longer term.
IT and security have become much more tightly integrated over the past several years. Gone are the days when security solely operated on its own. Today, security oftentimes must reside on IT’s network. In many cases, the IT managers are responsible for the security solution.
The best organisations have departments that work together to solve complex business challenges. Every day, technology advances are adding more strain to IT infrastructure and increasing cybersecurity risk. To accommodate this changing climate, both IT and physical security departments must diversify, adding staff with competencies in other areas of business/security/IT and forming strategic alliances with each other to ensure all sides are pulling in the same direction. IT should have a seat at the table to mitigate cyber-risk, ensure proper infrastructure support, evaluate performance, and integrate the applications into the existing IT framework. Physical security departments should have specialists in cybersecurity to assist in mitigation and response. This should all be done while balancing the needs of the end users and the goals of the organisation – and can only be accomplished with a highly functioning working relationship between departments whose contributions will evolve over time.
High-profile data breaches have put a great deal of stress on chief security officers (CSOs) who are responsible for their organisations’ physical security systems and networked operations. Further, because of the growing implementation of networked systems, security personnel are tasked with closely evaluating any security and surveillance device under consideration in terms of how it may affect overall network security. One outgrowth from the focus on network security is that CSOs are increasingly looking towards physical security information management (PSIM) solutions, which have the power to aggregate multiple disparate systems into a single operational view. In addition to the inherent integration, management, and control benefits that PSIM solutions provide, they consolidate user access to security sub-systems to a single application at the SOC level, making the deployment and monitoring of cybersecurity protocols easier to maintain.
The IT department’s responsibility continues to expand as the network and interconnectivity of devices on that network add more functionality. As telephones – and later video cameras – moved from analogue to IP, the IT group’s migration and merger with the facilities group have put their hands and budgets in more systems, giving them a louder voice and influence into product selection. Now as access control has joined the IP realm and is moving to cloud software solutions, the input and influence of IT have grown vastly in security purchases, and in some cases, they are the sole decision maker. This voice, in turn, is increasing the IT integrator’s footprint into the security market. IT integrators are being asked if they provide additional solutions on the network specific to security, and this presents them with an opportunity to expand their business and leverage their network expertise into the physical security market.
If an end user has an internal IT department, they are critical in the decision process and implementation of security systems. With cyberattacks and breaches being a common threat, and an all-too-often occurrence, cybersecurity and system hardening is a critical component of physical security and access control. The integrity of proposed and/or deployed systems falls squarely on the shoulders of IT professionals. As IT professionals share the common goal of protecting sensitive data, system integrity and corporate policies, they can efficiently assess in coordination with security professionals to assure the proposed system meets corporate IT data and security policies as well as the organisation’s required functional capabilities.
Our market’s recent concerns about cybersecurity seem to ensure an ongoing role of IT departments in the physical security buying process. In fact, cybersecurity worries have further aligned the overall goals of the security and IT departments in the face of a challenging common threat. At the end of the day, security is security, and the IT department’s role to keep its systems and networks safe is in perfect alignment with the security department’s role of protecting facilities and assets. Cooperation is the name of the game, and both the IT and security departments must be on board.