Operations
8/4/2014
12:00 PM
Fredrik Nilsson
Fredrik Nilsson
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Is IT The New Boss Of Video Surveillance?

IT's participation in the security of corporate video surveillance is growing, much to the chagrin of the physical security team. Here's why corporate infosec needs to pay attention.

A recent study by Enterprise Strategy Group (disclaimer: sponsored by my company) found that 91 percent of video surveillance deployments today involve IT departments. That’s up from 52 percent in 2011. What’s more, 47 percent of IT pros claim that they make the final video surveillance purchase decisions.

When ESG presented its findings to our management team, we were honestly quite surprised. As the market continues to shift from analog CCTV to IP video, we’ve certainly seen IT’s participation grow -- but these figures were much higher than we anticipated. In our world (physical security), video surveillance has traditionally been a task handled by facilities, physical security, and/or loss prevention groups.

However, as the migration to IP-based technologies continues to transform every aspect of the enterprise, IT plays an increasingly active role in deciding what IP video devices live on the network. While IT controls the network, they must work closely with their physical security counterparts. Together, they are both responsible for protecting the business, its people, and its property -- digital or physical -- so it’s important that they work together to meet these common goals.

Blurred lines
The move to IP-based video surveillance cameras means that IT must understand their impact on network performance, storage, and video quality. Additionally, these types of cameras now enable organizations to layer powerful applications (analytics or remote management) on top of the camera’s capabilities. Physical security must now understand the broad responsibilities IT has to serve the business across, not only security, but marketing, sales, and HR (to name a few). This often requires them to do more with less, since each department that they serve has its own priorities.

Why does IT need to pay attention to physical security? Simply put, safety and security are threatened from an increasing number of vectors. It’s not just hackers from afar; corporate espionage, insider threats, and safety concerns must be addressed on a continuous basis. Unauthorized access to a server room is just as problematic whether in-person or on the network. Theft of customer data, intellectual property, and/or corporate strategy plans are all costly in many ways. The importance of locking down the organization -- and having a clear trail of access for forensics -- is becoming more of a priority for IT.

Collaboration is the name of the game now -- and it is the path to creating more secure environments.

IT: influence and support vs. command and control
The reality is that IT already supports physical security and has strong influence on its infrastructure and technology environment. In larger IT departments where IT specialists exist, such as a storage specialist, they are already supporting network video and should care about which cameras and applications are pushing content to their storage. This means that IT needs to understand storage requirements and limits, as well as process orchestration, in syncing storage systems. Understanding details of camera technologies and applications helps IT influence good decisions based on bandwidth, storage, and management capabilities of cameras.

Additionally, IT often controls what gets on the network as well as budgets and approvals. IT also needs to pay attention to physical security and its technologies because the corporate network is the vehicle through which high-quality video data gets in the hands of security personnel and executives who need to know what’s happening when a situation unfolds.

The reason IT won’t become the full boss of surveillance is a matter of expertise. When IT absorbed and took over voice-over-IP technologies from telcos, there was a small learning curve for a new technology on the IT network. With physical security, it is much more involved. IT isn’t going to carry badges and arrest people, and they will not acquire state security licenses that are required by some states to install cameras -- both of which can be extensive processes. IT won’t create and maintain emergency response planning protocols or purchase and manage guard shacks, barriers, and other physical assets.

Over time, IT will exert greater influence over physical security tech implementations, while physical security will continue to own its piece of the corporate organization. In some instances, where facilities personnel own the physical security practice (instead of trained security professionals), IT will have greater oversight over physical security. In other circumstances where professional security, safety, or law enforcement departments exist (like on campuses), those organizations will take an “IT infrastructure-as-a-service” approach, giving physical security the IT capabilities they need to be successful.

The changing landscape of physical security, with its increasing reliance on the corporate network, will continue to strengthen the working relationship between IT and physical security, as well as IT’s involvement in the initiative.

Fredrik Nilsson has been responsible for Axis Communications North American operations since 2003. In this role,  he has been instrumental in leading the industry shift from analog closed circuit television to network video. Mr. Nilsson serves on the Security Industry ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.