RiskUKAugust2017

More documents

Recommendations

Info

Physical and IT Security Convergence: Are We There Yet? Although historically distinct, physical security and information security have grown closer in recent times as a direct result of the integration of IPenabled devices within traditionally closed and isolated security systems. Where are we now, then, on the road to genuine convergence? Damien Pezza investigates Damien Pezza MSc FIHEDN FINHESJ: Security Consultant at CornerStone GRG Over recent decades, the increasing visibility and resourcefulness of cyber threat actors and the Internet of Things (IoT) have combined to revolutionise the security sector. Gartner recently forecasted that 8.4 billion connected ‘things’ would be in use at the global level in 2017, representing an increase of nearly a third from 2016, and also predicted that the number of devices would reach 20.4 billion by 2020, with a rise in the share of ‘cross-industry business devices’ such as HVAC and physical security systems. For their part, video surveillance, access control, perimeter detection and alarm systems have become increasingly dependent on network electronics. Security systems are therefore exposed to a variety of cyber threats, necessitating that cyber protection is now as relevant to the security industry as it is for lowend and domestic ‘smart’ devices. This has prompted the need for holistic approaches towards security and risk management that emphasise formal co-operation between previously separate security functions. In industry parlance, this is ‘Convergence’. The interdependence of IT, physical and operational technology systems can bring concrete advantages to public and private sector organisations that wish to secure their assets. The same applies for convergence. Theoretically, the latter enables fast and informed responses to all types of threats, while bridging gaps between IT and Security Departments by merging them into a centralised risk management unit or otherwise creating overarching supervisory structures – thus improving organisational efficiency and eliminating both the vulnerabilities and inefficiencies of managing security and risks across silos. In such a converged risk management framework, cyber security plays an essential role in securing an organisation’s infrastructure and operations. In tandem, physical security measures ensure the integrity of its network and information assets. Problematic endeavour However, convergence is far easier and safer to achieve in theory than is the case in practice. Integrating an increasing number of devices into corporate networks presents a significant security risk to organisations. It has enabled external or ‘insider’ threats not only to impair security systems, supervisory control and data acquisition platforms or critical infrastructure through the Internet, but also to infiltrate or attack an organisation’s network by targeting IP-enabled equipment (such as cameras) or devices owned by employees themselves. Calls for greater convergence have naturally met with internal and organisational obstacles, as the setting out of such a massive project entails considerable resources and involves numerous departments. A study on Cyber Security and the Internet of Things published by EY in 2015 indicated that only 6% of all surveyed organisations claimed to have a robust incident response programme in place that includes third parties and that’s integrated with broader threat and vulnerability management functions. Even if successful in appearance, convergence at the structural level doesn’t necessarily solve underlying gaps and tensions within an organisation. A survey conducted by The Ponemon Institute in 2015 highlighted significant rifts in cyber security knowledge between decision-makers and IT security professionals. It revealed that cyber security has only begun to have an impact on the agenda of decision-makers in recent years, and that most IT professionals think their Board of Directors isn’t properly informed about every threat the organisation is facing. Hybrid environment Threat actors operate in a hybrid environment where the boundaries between virtual and physical threats are blurred. It’s now more important than ever for public and private sector organisations to implement holistic security strategies that address additional challenges stemming from convergence itself. As long as the physical and cyber domains are treated as segregated, there’s very little hope of securing either of them. Convergence isn’t only about form, but also about function. Organisations should encourage internal co-operation, co-ordination and training, not only by ‘changing the organisation chart’ and creating overarching risk management structures, but also by bridging gaps between security practitioners, IT 22 www.risk-uk.com
Convergence of Physical and IT Security specialists and senior executives. Knowledge of cyber threats is currently insufficient within company leaderships and, indeed, among non- IT professionals in most organisations. IT and physical security practitioners can potentially hold competing and partial views as to what motivates threat actors and how they operate in a hybrid environment. Physical security managers need to understand the criticality of their business’ information and electronic assets, as well as the nature and potential consequences of a successful cyber attack on the company’s operations. Successful attacks on Data Centres or networks could result in the partial or total disruption of a company’s critical infrastructure. Physical security managers must also understand the criticality of all IP-enabled devices (from cameras, recorders and badge readers to loudspeakers) and move to ensure their proper protection and isolation in cooperation with IT security professionals. At the same time, IT security managers must understand the physical attack vectors to which their equipment and hardware may be exposed. Threat actors are now able to compromise electronic and information assets by infiltrating an organisation’s premises, bugging unprotected IP devices (such as security equipment or HVAC systems) on-site, stealing employees’ badges or electronic devices or setting up fake Wi-Fi networks in the vicinity of a given companies’ premises. Wider risk framework IT professionals need to comprehend to what extent cyber security must be embedded within a wider risk management framework and assist corporate-level and security managers in order to inform decisions that take into account the growing threats posed by the ‘cybersphere’ and the IoT to a company’s assets. Where convergence isn’t a possibility at the structural level, IT and Physical Security Departments should nonetheless be aligned, allowing Chief Information Security Officers (CISOs), Chief Security Officers (CSOs) and Chief Operations Officers to share overlapping goals and targets. Last year, for instance, Barclays merged the functions of CSO and CISO in an attempt to redefine the company’s approach to security and provide overall resilience against all kinds of threats by building group-wide investigations ably supported by joint Operations Centres. Implementing such organisational and structural changes can prove complex. Ensuring that all stakeholders and employees are on the same page entails considerable resources: time, money, people, technology and processes. The use of independent security consultancies and their expertise might well help organisations in optimising their transition towards a fully-converged security apparatus by bridging the gap between convergence at the strategic and operational levels. This allows companies to adopt an holistic view of security in which security equipment, Physical Security Information Management software and organisational dynamics are interdependent. It must be borne in mind that encouraging co-operation at the organisational level alone isn’t sufficient to achieve convergence in the current security context. Incidents have continuously highlighted the now global character of security threats and their mitigation. The multiplication of IP-based security systems at the global level has transformed each single device – ranging from security systems to coffee machines – into a potential attack vector against third parties that are not related in any way to said devices. It’s also essential to think beyond the individual business and seek to encourage a culture of communication and co-ordination not only within organisations, but also between them. As was highlighted in an excellent White Paper published only last November by The Economist: “Every organisation is more secure when all are more secure.” “In such a converged risk management framework, cyber security plays an essential role in securing an organisation’s infrastructure and operations” 23 www.risk-uk.com
Page 1 and 2: August 2017 www.risk-uk.com Securit
Page 3 and 4: August 2017 Contents 44 Meet The Se
Page 5 and 6: Editorial Comment Many applications
Page 7 and 8: News Update “Clarification on reg
Page 9 and 10: News Analysis: Counter-Terrorism Pr
Page 11 and 12: News Special: BSIA Security Personn
Page 14 and 15: ISO 22316: Preparing for Brexit The
Page 16 and 17: All Things Being Equal recommends t
Page 18 and 19: Institute of Risk Management Are yo
Page 20 and 21: BSIA Briefing References 1 https://
Page 24 and 25: State of Mind: Developing ‘Risk C
Page 26 and 27: On The Mark: Safeguarding Your Comp
Page 28 and 29: Touched By A Physical Presence Phys
Page 30 and 31: Net2 Entry Touch Smart, Simple Door
Page 32 and 33: FIRE SAFETY New Qualifications for
Page 34 and 35: FIRE SAFETY False Fire Alarm Manage
Page 36 and 37: FIRE SAFETY Fire Alarms and Detecti
Page 38 and 39: FIRE SAFETY Audible and Visual Prot
Page 40 and 41: FIRE SAFETY Following the Grenfell
Page 42 and 43: FIRE SAFETY Emergency Lighting Stan
Page 44 and 45: Meet The Security Company This is t
Page 46 and 47: Advertisement Feature Reaping the B
Page 48 and 49: The Security Institute’s View rel
Page 50 and 51: Resilience Revisited: Turning Our A
Page 53 and 54: FIA Technical Briefing Fire Prevent
Page 55 and 56: FRONTIER PITTS Protecting Your Worl
Page 57 and 58: Security Services: Best Practice Ca
Page 59 and 60: A New Model for Guarding Cardinal's
Page 61 and 62: Cyber Security: Risk Management for
Page 63 and 64: Training and Career Development equ
Page 65 and 66: Risk in Action St George in the Eas
Page 67 and 68: Technology in Focus Vista unveils V
Page 69 and 70: Appointments Helen Ball Helen Ball
Page 71 and 72: BENCHMARK Smart Solutions BENCHMARK
Page 73 and 74:
CCTV CCTV Rapid Deployment Digital
Page 75:
SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKAugust2017

Create successful ePaper yourself

Delete template?

Save as template?