Security Convergence: Addressing Evolving Cyber and Physical Security Threats
(Originally published in Teneo's Vision Book 2019)
CEOs and those specifically charged with protecting an organization’s digital and physical security possess varying degrees of understanding of the interdependence of their roles.
In the past, this lack of understanding reflected each domain’s modest impact on the enterprise’s overall risk structure. However, today’s dynamically-evolving threats have transcended both physical and digital realms. Simultaneously, interconnectivity of technology, the pervasive 24/7 news cycle and social media amplify an attack’s impact on business operations, reputation, shareholder value and bottom line. Thus, the organization’s fate hinges on coordination and integration of cyber security and physical security functions. It necessitates an increasingly interdisciplinary and collaborative role for the CEO. It also requires an enterprise-wide Chief Security Officer (CSO) to assimilate the functions of physical security and information technology security.
Not so long ago, the remits of physical security and information technology security were relatively narrow and had distinct focuses. Physical security was charged with protecting a company’s locations, drawing upon access control and screening measures, uniformed guard services and video surveillance. Protecting information technology shared a similar level of specificity, securing localized networks with a limited number of interconnected devices. Individuals with law enforcement backgrounds manned corporate security departments. In contrast, a company's information and data assets remained protected by information technology departments.
Today, however, both roles must cope with intersecting risks across global enterprise platforms. Hostile actors will exploit weaknesses in either the physical or technological security structures to achieve their goals. Innovative technology also enhances their ability to target enterprises and mobilize support. The proliferation of internet protocol-connected devices and the increasing sophistication of social engineering and malware attacks are occurring within a climate of mounting international cyber-tensions. Bad actors are finding multiple means and opportunities to access sensitive, proprietary information. The rising likelihood and magnitude of physical incidents increase the need for interdependence of physical security, IT and the C-suite functions.
CEOs need to fully understand the threat landscape before introducing new remedial strategies and synergies that can exist between physical security and technology. Each discipline can adopt the other’s mitigation tools to develop more comprehensive prevention, identification and response capabilities, commensurate with the emerging global landscape’s growing complexity.
Technology and Physical Interplay
Specifically, physical security practitioners increasingly depend on technology to detect and respond to dynamic crisis events. Due to the interconnectivity of IP security-based systems such as sensors, cameras, and electronic locking systems, physical security can now leverage big data analytics such as artificial intelligence and machine learning to identify and respond to dynamic crises. For instance, gunshot detection technology and automatic connectivity to first responders via panic buttons can reduce the response time to hostile intruder or active shooter incidents, drastically mitigating damage, casualties and business impact.
Similarly, video surveillance analytics, combined with millimeter-wave imaging sensors, can identify a hostile actor with a weapon within a building. Autonomous systems can close and lock interior doors, make notifications, initiate emergency action plans and contain incidents until first responders arrive, all with limited or no human intervention or oversight. Thus, technology has already begun to enhance organizations’ ability to quickly and accurately identify and contain the early stages of an attack, maximizing the effectiveness of physical security protocols and overall incident management.
Similarly, information technology security depends on strong enterprise security protocols. Data centers and servers require physical access controls and active surveillance to protect sensitive information, hardware and software from intrusion or harm. In this way, cybersecurity programs require more than just a secure network infrastructure. In addition to network hardening, server patching, and implementation of authentication protocols, continuous deployment and refinement of operational security protocols – including access control provisions for employees, visitors and vendors – represent a pragmatic approach to “brick-and-mortar” cybersecurity.
The New Model
The concept of security convergence offers a new model for understanding and mitigating the threat environment. Traditionally, siloed security operations have failed to recognize the patterns of emerging threats and the totality of the threat environment, resulting in organizational blind spots and breaches. However, treating physical security and cybersecurity as unified and interconnected – and appointing a centralized chief security officer (CSO) to oversee these disciplines – builds a culture of security awareness and accountability, which treats security as an organization’s shared fate.
Insider threat mitigation exemplifies physical and cyber security’s interdependency and complementary capabilities. Malicious insiders or trust betrayers seek to disrupt business operations, exfiltrate sensitive data or otherwise harm organizations, targeting physical and digital assets and vulnerabilities. Thus, insider threat planning requires corporate security managers to identify and understand the entirety of the company’s physical and IT footprint; this includes facilities, systems, technology, employee base and third-party relationships, as well as potential vulnerabilities, such as unsecured access points to networks or data centers and system credentialing and authentication specifications. While companies often overlook proprietary software, customer data schematics, and internal manufacturing processes in taking inventory of their critical assets, these all reflect competitive, sensitive information that should be counted among any organization’s “crown jewels.” Once the company has defined its critical assets, security managers must then identify anomalies in either physical or network-based activity and utilize both manual and technological means to prevent, manage and escalate threats for mitigation and formal disposition.
For CEOs and Boards to fully understand and execute upon this new, interdisciplinary model for enterprise security risk management, they must designate a centralized, global CSO and fund and empower the CSO to develop pragmatic, innovative security solutions that confer sustainable competitive advantages. In today’s risk climate, CSOs’ primary responsibilities include development and implementation of strategies and processes for understanding the nature and probability of catastrophic enterprise security risk events and mitigating the organization’s specific vulnerabilities.
To communicate this strategy compellingly to the highest levels of management and the Board of Directors, CSOs must not only demonstrate mitigation planning and methodology, but also create distinct value-drivers and competitive differentiators across the entire enterprise.
In order to drive organizational innovation, an integrated security model must also manage risks spanning multidisciplinary areas beyond cyber and physical security. This approach provides even more pathways and solutions by which security professionals across the enterprise identify and respond to emerging threats and manage a complex risk environment.
Key tactical focus areas within the cyber and information security realm include data protection, vulnerability and patch management, intrusion testing, data breach and recovery, network segmentation, economic espionage, and incident response. Also benefiting is recovery planning, supported by adequate access and perimeter controls and installation of video surveillance and visitor management systems to physically secure hardware and software. Similarly, physical security teams can leverage cyber security technology and expertise to help automate previously “brick-and-mortar” functions.
Beyond these domains, however, building an organization’s capabilities in third party vendor diligence, business and geopolitical intelligence ensures that findings from commercial and counterparty diligence and geopolitical risk assessments inform cyber and physical security measures by identifying threats and vulnerabilities.
Robust governance, risk and compliance oversight and legal and regulatory compliance also support and augment cyber and physical security. Through board risk oversight, audit metrics and reporting, compliance with insurance mandates, industry regulation and legislation, organizations cultivate an infrastructure conducive to more universal situational awareness and “tone-at-the-top” to drive ongoing innovation. For instance, internal and external litigation support and investigation capabilities, liaison with regulators, and pathways for reporting and remediating fraud, corruption and other whistleblower claims help organizations to identify and intermediate potential issues to comply with and leverage industry or regulatory standards. Thus, identifying areas of convergence and harmonization across multiple risk management disciplines ensures holistic protection of an organization’s employees, critical data, shareholder and brand equity.
While integrating physical and cyber security operations under a single steward requires both cultural and technological changes, unified security solutions ultimately offer more comprehensive security protection. Convergence facilitates regulatory compliance and improved coordination and response to emergencies or security threats. Further, IP’s emergence as the standard for corporate networking makes integration more achievable, as IP-capable cameras, card readers and access controllers can connect with company information systems.
The convergence methodology also brings the most comprehensive mitigation techniques to address current and emerging threats organizations face vis-a-vis networked devices, commonly referred to as the Internet of Things (IoT). The rapid rise in machine-to-machine communications built on cloud computing and networks of data-gathering sensors has increased legacy network systems’ risk exposures, with each connection node representing a new potential intrusion point and threat vector. Near-term, the IoT landscape is expected to grow to over 20 billion individual devices, connecting specific business applications into a network of personal devices that cybercriminals can use to access critical data. Further compounding the risk is the lack of standardization around securing these devices’ hardware and software. A single device in the hands of a hostile actor could compromise an entire network.
However, companies that shift away from a decentralized security strategy to a structured convergence paradigm will be equipped to monitor the threat landscape, secure physical and digital assets accordingly, and launch cross-functional responses to better defend against the known and unknown threats to IoT devices. Thus, physical and cyber security convergence will continue to serve as a solution pathway to complex enterprise security management, especially as the boundaries between physical security and networked systems continue to blur.
To keep pace with the future threat landscape, CEOs must realize that integration between physical and cyber security is critical to safeguarding the company’s overall operations and reputation. Skeptics may claim that full integration around physical and logical security will never have a place in the corporate business model, instead predicting that the domains will interface closely on crossover projects. Accepting this view, however, neglects the fact that the convergence of these two security domains has already occurred, and the future threat landscape necessitates integration at an institutional level. The separation and variance between the roles and responsibilities of the physical and digital security stewards have all but eroded.
For an organization to fully accept and adopt the convergence model, CEOs face the challenge of overcoming long-standing institutional entitlements. Cyber security managers may make the point that they are best positioned to configure enterprise technology, and that physical security is only concerned with guards, gates and guns. In turn, physical security managers may cite cyber-based technologists’ lack of foundational knowledge of the physical domain or harbor a fear of losing control of long-held operations. CEOs must look beyond the noise, empowering and focusing both domains to integrate and achieve corporate strategic goals.
Similarly, the company’s Board or governance structure must recognize CSOs’ post-convergence role as an integral stakeholder within the company. CEOs must reinforce the shift in organizational ethos from that of the overlooked, under-resourced, and underutilized CSO to prioritization of understanding and communicating how to better leverage this critical resource.
To succeed in this new organizational structure and threat environment, CSOs will require organizational empowerment, autonomy and access to information that helps them identify risks to the safety of personnel or the security of the network data. As the numbers of network-connected systems and, in turn, threat vectors, increase, CSOs will need the authority to engage with individuals at all levels of the organization, as well as the ability to find subject matter expertise outside the organization. By analyzing information and coordinating activities with both internal and external stakeholders, a CSO can better prepare his/her company for the possibility of a security incident.
CSOs also grapple with the need to demonstrate repeatedly the ROI of increased security costs, regardless of the domain. Resource and budgetary constraints can limit a CSO’s ability to effectively hire trained and qualified staff or invest in new tools and technology. Proper governance and oversight of the security risk management function by the Board will ensure that scaling resources in an increasingly complex business environment does not compromise managing security risk.
Armed with organizational buy-in and budget, post-convergence CSOs must build strategy to address near- and over-the-horizon threats. Traditionally, security managers have prioritized current risks and often are ill prepared to manage long-term, developing threats. Such myopia may limit a CSO’s ability to understand future resource requirements, leading to potential failure in executing the organization’s overall security strategy. Thus, strategic CSOs must adopt a longer-term view, anticipating emerging physical and technological threats and anticipating the resources required to implement proactive measures to decrease future security incidents’ likelihood and impact.
The Bottom Line
A pragmatic security strategy in today’s evolving threat environment must include a holistic approach towards integrating physical and cyber security, ultimately giving rise to a more comprehensive corporate security posture. Further, implementing a new governance structure that supports corporate security risk management will also bolster and accelerate deployment of flexible and scalable mitigation techniques across previously siloed domains. Collectively, these changes in security and governance will prepare an organization to address a multitude of emerging and future threats.
CEOs who empower their CSOs to play a more strategic part in overall enterprise risk management plans and leverage their experience, knowledge, and relationships will fully utilize the convergence framework to create operational efficiencies while reducing organizational risk exposures. Through a more integrated security and governance structure, CEOs will more holistically understand their enterprises’ critical assets, in turn enabling them to more effectively protect the people, processes and technology that comprise those assets. Thus, recognizing vulnerabilities and solutions arising from geographical instability, as well as new physical, cyber and information security threats, under a single point of governance enables organizations to strengthen their enterprise security postures while also maximizing overall business efficiency.