This article is based on a soon-to-be-released videocast interview with Stephen Jackman, Director Global Corporate Security for Barclays Capital, at Infosec 2009. Mr Jackman was part of a panel discussing the issues of heightened converged threats. Essentially, the convergence of IT and physical security has become more important because those who pose a threat to organisations and their employees are using blended attacks that combine physical and IT vectors. IP-based technologies such as IP CCTV and VoIP are also increasing these risks.
In fact, many are predicting that the physical and information technology security roles should be integrated, or that the two people holding them should report to a single Chief Security Officer. The situation is further exacerbated as many predict Cloud Computing will actually reduce the need for many of the responsibilities a CISO currently holds.
Let’s take a hypothetical example. Imagine sometime in the future, when the majority of computer processing is outsourced into the cloud and dumb terminals are used to access the compute resources. In this situation, the Cloud supplier will be responsible for firewalls, patching, virus updates, access security and so on. There will be relatively few security teams to manage, as the people who work on firewalls, audit logs, forensics and so on will no longer be required in-house.
Although it is difficult to predict the new skill set required by the new CSO role, some aspects will include greater business communication skills and an understanding of ergonomics and physical security design.
Business Communication Skills
The business communication skills required by the CSO of the future will not just be the skill of ‘translating security widgets into company benefits’ for senior executives. Indeed, this skill may no longer be required, since much of the security will be outsourced as part of the Cloud supplier’s offering. However, CSOs will need to be able to effectively assess relevant Cloud suppliers and make recommendations on customisation so that their organisation can do business with the chosen Cloud supplier. They will also need savvy business skills for handling negotiations with Cloud suppliers and resolving compliance and auditing issues.
From a technical standpoint, the CSO role will also need a deep understanding of the Cloud model and the compliance and security risks and issues involved with the variety of Cloud offerings.
Ergonomics and Physical Security Design
Traditionally, physical and technological security skills have been kept separate. However, with the convergence of physical security into the technical arena, such as IP-based CCTV, more and more CISOs are now involved with physical security issues. For example, imagine the shoulder-surfing opportunity a hacker would have if they were able to penetrate an IP-based CCTV system.
One aspect of physical security that CSOs will have to understand is the ergonomics of, and issues involved in, physical security design. Examples include the location of card readers for disabled access and the optimum locations for web cameras (placement for maximum coverage, adequate lighting, fitting them into the aesthetics of the building and so on).
Summary
Although the full skill set of the new CSO role is as yet unknown, CISOs, CSOs and security managers should be examining the what-if scenarios of the convergence of physical and information technology security, and the scenario in which the majority of technological security is outsourced to a Cloud supplier.
More on Convergence and Social Engineering from the Security Vibes site can be found here.