It’s time for the IT security team and the physical security team to work together on a “cyber-physical” security strategy.
By Nitin Natarajan
Most companies are aware of the critical importance of security. There’s a good chance that your company has a top-notch IT security team that has the firm’s IT resources locked down tight. They’ve implemented a best-in-class security infrastructure.
Yet, what happens when someone walks into the server room and plugs in a USB device that presents itself as a keyboard or storage device? The answer is: they’re in. Looking at security from an IT-only perspective creates a dramatic hole in that best-in-class security infrastructure.
In most companies I work with, the IT security team and the physical security team (if there is one) do not communicate effectively. The IT team implements software and hardware controls to protect the organization; the physical team does the same thing, often competing for the same funding. The reality is, these two teams should be working together to present a common risk picture so top management can look strategically at how best to cost-effectively manage risk.
To create a truly secure environment, companies must move toward embracing a cyber-physical nexus — a collaboration where the IT security side and physical security side come together for the overall protection of the company.
It can be difficult to know where to start toward creating this new, cohesive cyber-physical relationship. That said, there are several steps you can take to start the process.
Step one: Start with an opt-out approach
Far too often, the people making the decisions as to who should be involved in the solution are not completely aware of all of the parties who may have responsibilities in the issue. While the omission is usually not intentional, it can easily leave key players away from the table. This leaves room for gaps in early decision-making, or for unengaged parties to disrupt the process much further down the line.
It is essential to have the right people at the table from the start. You can accomplish this by initially casting the net widely. Invite people to the conversation and let them decide if they should be involved, essentially allowing them to opt out of the process. The fear in doing this is that too many people may show up, and they may. That said, the numbers will start to dwindle once regular meetings and tasks are put in place; at that point, you’ll have a solid team with the strongest investment in the outcome.
Step two: Review policy and operational issues
A significant factor in successfully embracing the cyber-physical nexus will involve both policy and operational changes. If the two sides are currently proceeding independently, there is likely some operational wall that must be removed. Identify these walls, remove them, and build new policies and operational guidelines that involve both working in concert.
Step three: Involve the C-suite
Embracing the cyber-physical nexus is not a budget issue; it’s a corporate risk-management issue. As the C-suite has a far broader view of the organization than either the cybersecurity or physical security side alone, it is essential to involve, or at least get buy-in from, the highest levels. Engage the people who have visibility, and responsibility, across the company. A successful cyber-physical nexus requires this bigger-picture perspective and partners who can make decisions regarding enterprise risk management across the organization.
Making it work
Once the two sides are working together, there are still tasks to accomplish to ensure the cyber-physical efforts are successful. Far too often I work with companies that assume they’re done once the cyber-physical nexus has been successfully established; in reality, the work has only just begun.
First and foremost, institute employee training; include both the IT and physical side. Create a new security training plan, from scratch, to get the full benefit of the new nexus. There should be one program, not two.
Once the security training plan has been implemented, conduct exercises that, of course, involve all parties in this joint cyber-physical nexus. This is the step that most companies miss; it is also the one that will provide the most information on where the plan will fail and how best to take steps to strengthen the organization.
Remember, the goal of a security exercise is to stress the system and drive true process improvement. Create and conduct exercises that bring you to the brink of failure. An exercise that goes perfectly had a really bad design.
The goal of embracing a cyber-physical nexus is to enhance your company’s overall security posture — not just IT security and not just physical security — and to mitigate corporate risk across the enterprise. What’s your role in this equation? Don’t wait for someone to knock on your door; take the first step and knock on theirs.
This article was originally published in Information Week by Nitin Natarajan.