Hi again. Rachel here. For the past few days I’ve been trying to wrap my head around the concept of PSIM – which, as it turns out, is quite the conversation piece. A typical day working for Steve brings several new terms into my vocabulary and, of course, that’s just the beginning. So when he first defined Physical Security Information Management, I tried to understand it the only way I could – directly.
But after sitting in a room with 40 opinionated security professionals, I’ve learned that this trend isn’t always direct. It carries a different meaning and a different set of consequences for each segment of the security market.
The discussion broke PSIM into three major categories: pieces, processes and goals. Pieces, I learned, can be anything one can view from the highest level, for example – credentials, hardware, or people. Processes are then the actions of those pieces – integrating the technology, training the people, and even more fundamental – trusting the people. The goals of combining the right pieces and processes would be to establish a consistent, repeatable solution – something another company could use as a model.
While I realize my understanding remains at a very basic level, I can see a struggle. If some set of standards cannot be agreed on, how will a reliable model ever be built for others to follow? People must agree on the overall goal of this security challenge. Some say security is the point and others argue that it’s always about the bottom line.
Steve used a pretty simple situation that applies to just about every business decision. He talked about the first ATM. It wasn’t installed so that the bank could secure its money. It was put in place so they could fire the tellers and make more money. Sure, security was a result, because they had to monitor and control the transactions, but better business was the point.
So does that mean that security is always a result of improving business and not the initial goal? If so, then maybe everyone should agree on that first. Creating standards based on the wrong concept is kind of like building a vehicle without knowing the terrain.
[Following is the first of what I hope will be regular posts by our new Creative Associate, Rachel Cusick. Watch for Rachel's Corner on the blog all year. -- sh.]
I started working for Steve at the beginning of this year with a lot to learn about the security industry. I guess I’d call my perspective fresh, with a healthy dose of naiveté. With so much to learn I really enjoy listening to the discussions at our events. They’re usually bold and loud which always makes for an interesting evening! So when we hosted The Future of Data Protection in Silicon Valley last month, I got a crash course in the IT world.
Bill Munroe joined us from Verdasys to engage our guests in a topic that’s easy to discuss but very hard to agree on: the future of data protection. I expected the concept to be overrun with terminology and extremely difficult to grasp. In a way it is, but in a very big way, I get it.
Although the setting was serene and the wine was calming, the conversation was tumultuous. Bouncing from all sides of the room were opinions from IT security architects, principal analysts, VPs, CIOs and COOs, all with an interesting tweak to each other’s opinions.
What to do? Steve let the conversation flow, taking the opportunity to slow things down and point out conclusions when he could. The biggest deduction of all is how darn hard it is to actually derive one.
First there’s the debate of information versus data, and then comes the real argument: who cares about what it’s called, let’s address the value! Then there’s the challenge of who gets access to what, and no matter how secure the business is, there’s always the internal threat. How do you know who you can trust? What if you hire someone you can trust and they turn into someone else? The one overriding agreement was that security is inconvenient and only appreciated after something bad happens.
Security is not in place for security alone, but to protect the business, the money. And of course the most efficient way to do this is to put the proper devices in place before bad things happen. But any IT professional will tell you that they’re mostly called upon for reaction, not prevention.
It must be hard to constantly protect and improve protection without much reward.