One of the best parts about gearing up for the Total Security Summit happening June 25-26 in Plano, Texas, has been engaging with event speakers. The breadth and depth of their knowledge has opened the doors to some truly interesting conversations. I recently chatted with Terry Gold, the founder and principal analyst at D6 Research, about the current state of physical and cybersecurity practices. He covered a lot of ground, including advances in security technology, rapidly changing threat landscapes, mobile access credentials, and how best to integrate physical security and cybersecurity.
The Impact of New Technology on Security Decisions
The number of new or updated technological solutions that any physical or cyber security officer must parse through is growing year over year. When asked about how this flood of new technology impacts an organization’s security decisions, Gold said that it’s a tricky situation as “it’s less about the technology than the current practices often associated with requirements development.”
His company, D6 Research, focuses on global organizations with large asset, facility, and portfolio footprints. Gold says when he is first called in to assist a company, he can “confidently state that almost all of them fail our initial security assessment … regardless of how large or how many resources they have. So purchasing new technology at that state typically results in their not being able to properly secure it [or] fully realize its benefits.” That’s if they can even select the right technology to meet their security needs.
According to Gold, there’s a two-fold reason behind this. First, “physical security has been taught to perform risk assessments based on hard and human asset values, often associated with workspace use – not actual threats and impacts to business operations.” While this may have been fine in the past, “it’s certainly inadequate for current risks that systems, bad actors, and new technology propose.”
“Second,” Gold notes, “almost without exception, requirements by end users tend to follow implementing features and functions based on common industry practices,” rather than those based on any of the threats identified in their security assessment. This holds regardless of “their severity and impact.” Organizations need to have clearly defined the specific control measures they need to account for “and then features are designed to enforce controls and policy that would mitigate threats (down to actual method of attack/exploit).”
To wrap up, Gold suggests that while “new technologies represent an advantage … if their use is not clearly defined by meaningful requirements, and organizations aren’t prepared for the new ways they can be exploited … then it’s really a moot point.” This makes sense, given that many threats facing access control/credential systems mirror those directed at traditional IT infrastructure. Gold points to a focus on purchasing solutions before mapping out an actual threat assessment as “the main challenge for organizations that are looking for measurable security, improvement and maturity.”
Terry Gold will be speaking on modern approaches to physical security and dissecting the truth vs. hype surrounding mobile access credentials at the Total Security Summit in Plano, TX, June 25-26.
Terry Gold is the founder of D6 Research, where he drives the core research pipeline, methodology, and client interaction. For the past decade, he has specialized in Identity Management, Credentialing and Authentication across both information and physical security, where he has focused on advising Fortune 500 companies approaching complex full lifecycle initiatives. Terry’s experience spans a variety of industries: Technology, Financial Services, Telco, Entertainment, Energy and Healthcare.