Operations
8/4/2014
12:00 PM
Fredrik Nilsson
Fredrik Nilsson
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Is IT The New Boss Of Video Surveillance?

IT's participation in the security of corporate video surveillance is growing, much to the chagrin of the physical security team. Here's why corporate infosec needs to pay attention.

A recent study by Enterprise Strategy Group (disclaimer: sponsored by my company) found that 91 percent of video surveillance deployments today involve IT departments. That’s up from 52 percent in 2011. What’s more, 47 percent of IT pros claim that they make the final video surveillance purchase decisions.

When ESG presented its findings to our management team, we were honestly quite surprised. As the market continues to shift from analog CCTV to IP video, we’ve certainly seen IT’s participation grow -- but these figures were much higher than we anticipated. In our world (physical security), video surveillance has traditionally been a task handled by facilities, physical security, and/or loss prevention groups.

However, as the migration to IP-based technologies continues to transform every aspect of the enterprise, IT plays an increasingly active role in deciding what IP video devices live on the network. While IT controls the network, they must work closely with their physical security counterparts. Together, they are both responsible for protecting the business, its people, and its property -- digital or physical -- so it’s important that they work together to meet these common goals.

Blurred lines
The move to IP-based video surveillance cameras means that IT must understand their impact on network performance, storage, and video quality. Additionally, these types of cameras now enable organizations to layer powerful applications (analytics or remote management) on top of the camera’s capabilities. Physical security must now understand the broad responsibilities IT has to serve the business across, not only security, but marketing, sales, and HR (to name a few). This often requires them to do more with less, since each department that they serve has its own priorities.

Why does IT need to pay attention to physical security? Simply put, safety and security are threatened from an increasing number of vectors. It’s not just hackers from afar; corporate espionage, insider threats, and safety concerns must be addressed on a continuous basis. Unauthorized access to a server room is just as problematic whether in-person or on the network. Theft of customer data, intellectual property, and/or corporate strategy plans are all costly in many ways. The importance of locking down the organization -- and having a clear trail of access for forensics -- is becoming more of a priority for IT.

Collaboration is the name of the game now -- and it is the path to creating more secure environments.

IT: influence and support vs. command and control
The reality is that IT already supports physical security and has strong influence on its infrastructure and technology environment. In larger IT departments where IT specialists exist, such as a storage specialist, they are already supporting network video and should care about which cameras and applications are pushing content to their storage. This means that IT needs to understand storage requirements and limits, as well as process orchestration, in syncing storage systems. Understanding details of camera technologies and applications helps IT influence good decisions based on bandwidth, storage, and management capabilities of cameras.

Additionally, IT often controls what gets on the network as well as budgets and approvals. IT also needs to pay attention to physical security and its technologies because the corporate network is the vehicle through which high-quality video data gets in the hands of security personnel and executives who need to know what’s happening when a situation unfolds.

The reason IT won’t become the full boss of surveillance is a matter of expertise. When IT absorbed and took over voice-over-IP technologies from telcos, there was a small learning curve for a new technology on the IT network. With physical security, it is much more involved. IT isn’t going to carry badges and arrest people, and they will not acquire state security licenses that are required by some states to install cameras -- both of which can be extensive processes. IT won’t create and maintain emergency response planning protocols or purchase and manage guard shacks, barriers, and other physical assets.

Over time, IT will exert greater influence over physical security tech implementations, while physical security will continue to own its piece of the corporate organization. In some instances, where facilities personnel own the physical security practice (instead of trained security professionals), IT will have greater oversight over physical security. In other circumstances where professional security, safety, or law enforcement departments exist (like on campuses), those organizations will take an “IT infrastructure-as-a-service” approach, giving physical security the IT capabilities they need to be successful.

The changing landscape of physical security, with its increasing reliance on the corporate network, will continue to strengthen the working relationship between IT and physical security, as well as IT’s involvement in the initiative.

Fredrik Nilsson has been responsible for Axis Communications North American operations since 2003. In this role,  he has been instrumental in leading the industry shift from analog closed circuit television to network video. Mr. Nilsson serves on the Security Industry ... View Full Bio
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?