Reaching total security increasingly depends on integrating your organization’s physical security and cybersecurity efforts. For example, a motivated cybercriminal might start researching your business online, but then choose to exploit a physical weakness uncovered during that process. Are you confident that your IT and operational security teams are in tune enough to deal with such a situation, or are they operating in their own silos?
In a chat with Terry Gold of D6 Research, I asked him about the changing threat landscape that security teams are facing and what a successful integration of physical and cybersecurity might look like.
Q: What near-future changes to the threat landscape concern you the most?
A: My main concern is that physical security practices are so far outdated—even the certification training. The fact that this question asks about “threats” and that much of the current practices and training aren’t based on threats but rather common practices, implementation procedures, and functions is ironic. Focusing on threats means building a threat model, implementing controls, and having detailed audits based on governance definitions that stem from the threat model to be prescriptive—get away from building use tiering. It’s meaningless and often terribly wrong in what the assumed risk is for certain tiers. It’s a little more expensive to do up front, but after that, equipment and installations are far cheaper because the approach to implementation is much more effective dollar for dollar. For large organizations, we’re talking on the scale of tens of millions in savings, with significant security improvements and executive stakeholder satisfaction.
Having said this, let’s look at all the new devices that either are connected or have encryption keys to claim increased security. I find that organizations (end users, integrators, and vendors) don’t know how to properly secure them. Vendors aren’t generally producing secure code or have specific engineering focus to this, so even if the functions are correct, the code can be exploited. Encryption keys make devices stronger, but too often, the lack of expertise by vendors means they have weak management implementations, and somewhere between design flaws and end-user implementation, they are vulnerable from day 1—a ticking time bomb for an attacker to exploit it. It might take weeks, months, or years, but it’s there. Then there are connected devices that don’t even have keys protecting them at all…
Q: Do you have an example of a business or organization that you feel has properly integrated its physical and cybersecurity? What did it do right?
A: This is where D6 Research is focused as a business: “The intersect of physical and cybersecurity” is our tagline. It’s not new; I’ve personally been focused on this for over a decade and a background in cybersecurity going far back before then. It’s really only in the past year that the industry has been receptive to speaking seriously about it. In the past, I’ve gotten calls when information security found a vulnerability on the physical side that affects access to their data center. The CISO would feel as if the physical side couldn’t speak to what happened, why it went on for so long, and what needs to be done about it. The lack of trust led them to our firm, where we can walk them through this stepwise and then onward to implement improved best practices and visibility that the industry and channel typically can’t (yet).
It’s always the same process if an organization wants to have REAL security and integration. If not, it’s just money spent on point solutions that can easily be navigated around by attackers and result in limited operational and organizational value. I won’t detail the whole process, but here are the core tenets:
- Physical security needs to adopt information security principles and best practice. Let go of industry practices.
- Perform a top-to-bottom asset and risk assessment based on actors, threats, and methods. Organize findings by severity and impact.
- Partner with information security, audit, and executives to prioritize remediation of items by impact and likelihood.
- Place ALL electronic physical access systems (except mechanical) under IT operations (or security operations)—no longer managed by operational security or an external partner/integrator. Have IT operations apply their principles, practices, and procedure using the same standard tools they already use. This will make physical security become operational, compliant, competent, and visible.
- Work with existing vendors to comply or road map out products that cannot work inside of IT operations (using their standard tools and practices).
- Agree with management as to visibility and metrics so that they can consume physical security status inside their corporate risk portfolio. We find that the primary cause of physical security being viewed by C-level management is that they don’t have proper visibility and priority alongside other areas of their risk briefings. Not visibly using the same metrics in the same meetings causes the impression that you just cost them money, and your issues don’t rise to the same level of consideration.
Terry Gold is the founder of D6 Research, where he drives the core research pipeline, methodology, and client interaction. For the past decade, he has specialized in Identity Management, Credentialing, and Authentication across both information and physical security, where he has focused on advising Fortune 500 companies on how to approach complex full-lifecycle initiatives. Terry’s experience spans a variety of industries: Technology, Financial Services, Telco, Entertainment, Energy, and Healthcare.