Get Instant Access
to This Blueprint

Security icon

Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may secure nothing.

Physical security is often managed by facilities, not by IT security, resulting in segmented security systems. Integrating physical and information security introduces challenges in:

  • Understanding the value proposition of investment in governing and managing integrated systems, including migration costs, compared to separated security systems.
  • Addressing complex risks and vulnerabilities of an integrated security system.
  • Operationalizing enhanced capabilities created by adoption of emerging and disruptive technologies.

Our Advice

Critical Insight

  • Integrate security in people, process, and technology to improve your overall security posture. Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.
  • Plan and engage stakeholders. Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.
  • Enhance strategy and risk management. Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Impact and Result

Info-Tech's approach is a modular, incremental, and repeatable process to integrate physical and information security to:

  • Ensure the integration will meet the business' needs and determine effort and technical requirements.
  • Establish GRC processes that include integrated risk management and compliance.
  • Design and deploy an integrated security architecture.
  • Establish security metrics of effectiveness and efficiency for senior management and leadership.

Integrate Physical Security and Information Security Research & Tools

1. Integrate Physical Security and Information Security Storyboard – A step-by-step document that walks you through how to integrate physical security and information security.

Info-Tech provides a three-phased framework for integrating physical security and information security: Plan, Enhance, and Monitor & Optimize.

2. Integrate Physical Security and Information Security Requirements Gathering Tool – A tool to map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals.

This tool serves as a repository for information about security integration elements, compliance, and other factors that will influence your integration of physical security and information security.

3. Integrate Physical Security and Information Security RACI Chart Tool – A tool to identify and understand the owners of various security integration stakeholders across the organization.

Populating a RACI chart (Responsible, Accountable, Consulted, and Informed) is a critical step that will assist you in organizing roles for carrying out integration steps. Complete this tool to assign tasks to suitable roles.

4. Integrate Physical Security and Information Security Communication Deck – A tool to present your findings in a prepopulated document that summarizes the work you have completed.

Complete this template to effectively communicate your integrated security plan to stakeholders.


Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may not secure much

Analyst Perspective

Ensure integrated security success with close and continual collaboration

From physical access control systems (PACS) such as electronic locks and fingerprint biometrics to video surveillance systems (VSS) such as IP cameras to perimeter intrusion detection and prevention to fire and life safety and beyond: physical security systems pose unique challenges to overall security. Additionally, digital transformation of physical security to the cloud and the convergence of operational technology (OT), internet of things (IoT), and industrial IoT (IIoT) increase both the volume and frequency of security threats.

These threats can be safety, such as the health impact when a gunfire attack downed wastewater pumps at Duke Energy Substation, North Carolina, US, in 2022. The threats can also be economic, such as theft of copper wire, or they can be reliability, such as when a sniper attack on Pacific Gas & Electric’s Metcalf Substation in California, US, damaged 17 out of 21 power transformers in 2013.

Considering the security risks organizations face, many are unifying physical, cyber, and information security systems to gain the long-term overall benefits a consolidated security strategy provides.

Ida Siahaan
Ida Siahaan

Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Your Challenge

Physical security is often managed by facilities, not by IT security, resulting in segmented security systems. Meanwhile, integrating physical and information security introduces challenges in:

  • Value proposition of investment in governing and managing integrated systems including the migration costs compared to separated security systems.
  • Addressing complex risks and vulnerabilities of an integrated security system.
  • Operationalizing on enhanced capabilities created by adoption of emerging and disruptive technologies.

Common Obstacles

Physical security systems integration is complex due to various components such as proprietary devices and protocols and hybrid systems of analog and digital technology. Thus, open architecture with comprehensive planning and design is important.

However, territorial protection by existing IT and physical security managers may limit security visibility and hinder security integration.

Additionally, integration poses challenges in staffing, training and awareness programs, and dependency on third-party technologies and their migration plans.

Info-Tech's Approach

Info-Tech’s approach is a modular, incremental, and repeatable process to integrate physical and information security that enables organizations to:

  • Determine effort and technical requirements to ensure the integration will meet the business needs.
  • Establish GRC processes including integrated risk management and compliance.
  • Design and deploy integrated security architecture.
  • Establish metrics to monitor the effectiveness and efficiency of the security program.

Info-Tech Insight

An integrated security architecture, including people, process, and technology, will improve your overall security posture. These benefits are leading many organizations to consolidate their siloed systems into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Existing information security models are not comprehensive

Current security models do not cover all areas of security, especially if physical systems and personnel are involved and safety is also an important property required.

  • The CIA triad (confidentiality, integrity, availability) is a well-known information security model that focuses on technical policies related to technology for protecting information assets.
  • The US Government’s Five Pillars of Information Assurance includes CIA, authentication, and non-repudiation, but it does not cover people and processes comprehensively.
  • The AAA model, created by the American Accounting Association, has properties of authentication, authorization, and accounting but focuses only on access control.
  • Donn Parker expanded the CIA model with three more properties: possession, authenticity, and utility. This model, which includes people and processes, is known as the Parkerian hexad. However, it does not cover physical and personnel security.

CIA Triad

The CIA Triad for Information Security: Confidentiality, Integrity, Availability


Parkerian Hexad

The Parkerian Hexad for Security: Confidentiality, Possession, Utility, Availability, Authenticity and Integrity

Sources: Parker, 1998; Pender-Bey, 2012; Cherdantseva and Hilton, 2015

Adopt an integrated security model

Adopt an integrated security model which consists of information security, physical security, personnel security, and organizational security.

The security ecosystem is shifting from segregation to integration

Security ecosystem is shifting from the past proprietary model to open interfaces and future open architecture

Sources: Cisco, n.d.; Preparing for Technology Convergence in Manufacturing, Info-Tech Research Group, 2018

Physical security includes:

  • Securing physical access,
    e.g. facility access control, alarms, surveillance cameras
  • Securing physical operations
    (operational technology – OT), e.g. programmable logic controllers (PLCs), SCADA

Info-Tech Insight

Why is integrating physical and information security gaining more and more traction? Because the supporting technologies are becoming more matured. This includes, for example, migration of physical security devices to IP-based network and open architecture.

Reactive responses to physical security incidents

April 1995

Target: Alfred P. Murrah Federal Building, Oklahoma, US. Method: Bombing. Impact: Destroyed structure of 17 federal agencies, 168 casualties, over 800 injuries. Result: Creation of Interagency Security Committee (ISC) in Executive Order 12977 and “Vulnerability Assessment of Federal Facilities” standard.
(Source: Office of Research Services, 2017)

April 2013

Target: Pacific Gas & Electric’s Metcalf Substation, California, US. Method: Sniper attack. Impact: Out of 21 power transformers, 17 were damaged. Result: Creation of Senate Bill No. 699 and NERC- CIP-014 standard.
(Source: T&D World, 2023)

Sep. 2022

Target: Nord Stream gas pipelines connecting Russia to Germany, Baltic sea. Method: Detonations. Impact: Methane leaks (~300,000 tons) at four exclusive economic zones (two in Denmark and two in Sweden). Result: Sweden’s Security Service investigation.
(Source: CNBC News, 2022)

Dec. 2022

Target: Duke Energy Substation, North Carolina, US. Method: Gunfire. Impact: Power outages of ~40,000 customers and wastewater pumps in sewer lift stations down. Result: State of emergency was declared.
(Source: CBS News, 2022)

Info-Tech Insight

When it comes to physical security, we have been mostly reactive. Typically the pattern starts with physical attacks. Next, the impacted organization mitigates the incidents. Finally, new government regulatory measures or private sector or professional association standards are put in place. We must strive to change our pattern to become more proactive.

Physical security market forecast and top physical security challenges

Physical security market forecast
(in billions USD)

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

Source: MarketsandMarkets, 2022

Top physical security challenges

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

Source: Ontic Center for Protective Intelligence, 2022

Info-Tech Insight

The physical security market is growing in systems and services, especially the integration of threat data management with cybersecurity.

Top physical security initiatives and operations integration investments

We know the physical security challenges and how the physical security market is growing, but what initiatives are driving this growth? These are the top physical security initiatives and top investments for physical security operations integration:

Top physical security initiatives

The number one physical security initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration

A survey by Brivo asked 700 security professionals about their top physical security initiatives. The number one initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration.

Source: Brivo, 2022

Top investments for physical security operations integration

The number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

An Ontic survey (N=359) on areas of investment for physical security operations integration shows the number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

Source: Ontic Center for Protective Intelligence, 2022

Evaluate security integration opportunities with these guiding principles

Opportunity focus

  • Identify the security integration problems to solve with visible improvement possibilities
  • Don’t choose technology for technology’s sake
  • Keep an eye to the future
  • Use strategic foresight

Piece by piece

  • Avoid taking a big bang approach
  • Test technologies in multiple conditions
  • Run inexpensive pilots
  • Increase flexibility
  • Build a technology ecosystem

Buy-in

  • Collaborate with stakeholders
  • Gain and sustain support
  • Maintain transparency
  • Increase uptake of open architecture

Key Recommendations:

Focus on your master plan

Build a technology ecosystem

Engage stakeholders

Info-Tech Insight

When looking for a quick win, consider learning the best internal or external practice. For example, in 1994 IBM reorganized its security operation by bringing security professionals and non-security professionals in one single structure, which reduced costs by approximately 30% in two years.

Sources: Create and Implement an IoT Strategy, Info-Tech Research Group, 2022; Baker and Benny, 2013; Erich Krueger, Omaha Public Power District (contributor); Doery Abdou, March Networks Corporate (contributor)

Case Study

4Wall Entertainment – Asset Owner

Industry: Architecture & Engineering
Source: Interview

4Wall Entertainment is quite mature in integrating its physical and information security; physical security has always been under IT as a core competency.

4Wall Entertainment is a provider of entertainment lighting and equipment to event venues, production companies, lighting designers, and others, with a presence in 18 US and UK locations.

After many acquisitions, 4Wall Entertainment needed to standardize its various acquired systems, including physical security systems such as access control. In its integrated security approach, IT owns the integrated security, but they interface with related entities such as HR, finance, and facilities management in every location. This allows them to obtain information such as holidays, office hours, and what doors need to be accessed as inputs to the security system and to get sponsorship in budgeting.

In the past, 4Wall Entertainment tried delegating specific physical security to other divisions, such as facilities management and HR. This approach was unsuccessful, so IT took back the responsibility and accountability.

Currently, 4Wall Entertainment works with local vendors, and its biggest challenge is finding third-party vendors that can provide nationwide support.

In the future, 4Wall Entertainment envisions physical security modernization such as camera systems that allow more network accessibility, with one central system to manage and IoT device integration with SIEM and MDR.

Results

Lessons learned in integrating security from 4Wall Entertainment include:

  • Start with forming relationships with related divisions such as HR, finance, and facilities management to build trust and encourage sponsorship across management.
  • Create policies, procedures, and standards to deploy in various systems, especially when acquiring companies with low maturity in security.
  • Select third-party providers that offer the required functionalities, good customer support, and standard systems interoperability.
  • Close skill gaps by developing training and awareness programs for users, especially for newly acquired systems and legacy systems, or by acquiring expertise from consulting services.
  • Complete cost-benefit analysis for solutions on legacy systems to determine whether to keep them and create interfacing with other systems, upgrade them, or replace them entirely with newer systems.
  • Delegate maintenance of specific highly regulated systems, such as fire alarms and water sprinklers, to facilities management.
Integration of Physical and Information Security Framework. Inputs: Integrated Items, Stakeholders, and Security Components. Phases, Outcomes and Benefits: Plan, Enhance and Monitor & Optimize.

Tracking progress of physical and information security integration

Physical security is often part of facilities management. As a result, there are interdependencies with both internal departments (such as IT, information security, and facilities) and external parties (such as third-party vendors). IT leaders, security leaders, and operational leaders should keep the big picture in mind when designing and implementing integration of physical and information security. Use this checklist as a tool to track your security integration journey.

Plan

  • Engage stakeholders and justify value for the business.
  • Define roles and responsibilities.
  • Establish/update governance for integrated security.
  • Identify integrated elements and compliance obligations.

Enhance

  • Determine the level of security maturity and update security strategy for integrated security.
  • Assess and treat risks of integrated security.
  • Establish/update integrated physical and information security policies and procedures.
  • Update incident response, disaster recovery, and business continuity plan.

Monitor & Optimize

  • Identify skill requirements and close skill gaps for integrating physical and information security.
  • Design and deploy integrated security architecture and controls.
  • Establish, monitor, and report integrated security metrics on effectiveness and efficiency.
Integrate Physical Security and Information Security preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Unlock Sample Research

Author

Ida Siahaan

Contributors

  • Amy L. Meger, Information and Cyber Governance Manager, Platte River Power Authority
  • Andrew Amaro, Chief Security Officer (CSO) & Founder, KLAVAN Security
  • Bilson Perez, IT Security Manager, 4Wall Entertainment
  • Dan Adams, VP of Information Technology, 4Wall Entertainment
  • Erich Krueger, Manager of Security Engineering, Omaha Public Power District
  • Kris Krishan, Head of IT, Waymo
  • Owen Yardley, Director, Facilities Security Preparedness, Omaha Public Power District
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019