Breaking down security silos to prepare for 21st century threats
Businesses that continue to treat physical and cyber security as silos are at risk of being left behind, as technology advances rapidly and threats keep evolving.
There are many obstacles to consolidating security oversight, including dissimilar cultures and skill sets, but failure is not an option for organisations preparing to meet the challenges of tomorrow.
No small task
Breaking down the barriers between the IT security function and that of corporate or physical security within an enterprise is not easy, and cannot be achieved by simply merging them on an organisational chart.
It requires integrating the management of information security, physical and personnel security, business continuity and disaster recovery planning, and risk management. At the highest level of decision-making, threats should be categorised not by their source, but by how likely they are to occur and how much of a threat they are to the organisation.
Merging IT and physical security management runs the risk of creating skills gaps, as the expertise required to successfully deliver each capacity is held by people with differing backgrounds and varying perceptions of threat and risk.
The goal is to capture the experience and skills from both roles and merge them into a single manager, but this is no easy task , says Neil Campbell , director of security practice at Telstra.
“The challenge that these two industries have in converging is how each industry grew up,’’ says Campbell. “One started through the internet, and the other one started by rattling locks. You have a very different set of capabilities that you almost never find in the same organisation.’’
The problem is compounded by the speed at which threats are changing. Today’s security manager needs a broad view of risk assessment, and must constantly review the inevitable changes on the threat horizon.
Hardware and software
The blurring of boundaries between cyber and physical security is obvious in the realm of security equipment. From cameras and motion sensors to access control, security hardware is increasingly internet-connected.
Internet-based security systems provide more flexibility and greater scalability than traditional systems. But the proliferation of IP-connected devices also means it is more important than ever to protect equipment and the underlying networks that control it from cyber intrusion threats such as snooping and disabling.
Equally important as preventing intrusion is detecting it early, for example by monitoring systems for unusual behaviour and activities suggestive of malicious intent.
The so-called Devil’s Ivy exploitable vulnerability provided a startling example of how attackers could remotely access security equipment connected by IoT; from security cameras to sensors and access-card readers. A single flaw, in a widely used code library, had potential to expose millions of devices, sold by dozens of vendors, to hacking.
While a patch for the vulnerability was quickly released, the security flaw is likely to persist on scores of unpatched devices in forgotten corners of many networks, providing easy pickings for attackers for years to come.
Experts such as Cliff Wilson, associate partner at IBM Security, have identified a need for an IoT equivalent of the European CE health and safety marking, which would classify if IoT equipment meets agreed minimum security standards.
“Then you would know with some degree of certainty that when you put the device onto the internet and start to make use of it, it is not going to be easy to hack,’’ says Wilson.
Danger from within
Another factor driving security convergence is the possibility for compromised physical security to create cyber vulnerabilities, as access to IT systems is often easier via physical security hardware.
A physical security lapse can be one of the biggest threats to IT security, says Matt Devost, MD of consultancy Accenture.
“Once you’re on the premises, you have access to network jacks and USB ports and all sorts of things that from a cyber-attack perspective become obviously very useful to you,” says Devost .
So-called danger drones can allow cyber intruders to get close enough to premises to access Wi-Fi networks, potentially jamming them to disable devices such as wireless security cameras, or accessing confidential data.
Fran Brown of security firm Bishop Fox equates the threat to “a hacker’s laptop that can fly”.
As much as physical and cyber security are converging, the two roles may never completely merge, say experts such as Steve Hunt, research director at Forrester Research.
“The physical guys need to know how to use these [IT] tools, while the IT guys need to administer them. So, in essence, I see the IT guys supporting the physical security guys,” Hunt says.
However, there is no avoiding the fact that security management must be integrated to meet the challenges of tomorrow, say senior security personnel, such as Troels Oerting, chief security officer of Barclays PLC.
“I don’t make any distinction between physical security or cyber security or information security,” says Oerting.
Meta description: Breaking down the internal silos of physical and cyber security is not easy, but failure is not an option as threats keep evolving.