Risk UK, August 2017
Physical and IT Security Convergence: Are We There Yet?
Although historically distinct, physical security and information security have grown closer in recent times as a direct result of the integration of IP-enabled devices within traditionally closed and isolated security systems. Where are we now, then, on the road to genuine convergence? Damien Pezza investigates
Damien Pezza MSc FIHEDN FINHESJ: Security Consultant at CornerStone GRG
Over recent decades, the increasing visibility and resourcefulness of cyber threat actors and the Internet of Things (IoT) have combined to revolutionise the security sector. Gartner recently forecasted that 8.4 billion connected ‘things’ would be in use at the global level in 2017, representing an increase of nearly a third from 2016, and also predicted that the number of devices would reach 20.4 billion by 2020, with a rise in the share of ‘cross-industry business devices’ such as HVAC and physical security systems.
For their part, video surveillance, access control, perimeter detection and alarm systems have become increasingly dependent on network electronics. Security systems are therefore exposed to a variety of cyber threats, making cyber protection as relevant to the security industry as it is for low-end and domestic ‘smart’ devices. This has prompted the need for holistic approaches towards security and risk management that emphasise formal co-operation between previously separate security functions. In industry parlance, this is ‘Convergence’.
The interdependence of IT, physical and operational technology systems can bring concrete advantages to public and private sector organisations that wish to secure their assets. The same applies for convergence. Theoretically, the latter enables fast and informed responses to all types of threats, while bridging gaps between IT and Security Departments by merging them into a centralised risk management unit or otherwise creating overarching supervisory structures – thus improving organisational efficiency and eliminating both the vulnerabilities and inefficiencies of managing security and risks across silos.
In such a converged risk management framework, cyber security plays an essential role in securing an organisation’s infrastructure and operations. In tandem, physical security measures ensure the integrity of its network and information assets.
Problematic endeavour
However, convergence is far easier and safer to achieve in theory than is the case in practice. Integrating an increasing number of devices into corporate networks presents a significant security risk to organisations. It has enabled external or ‘insider’ threats not only to impair security systems, supervisory control and data acquisition platforms or critical infrastructure through the Internet, but also to infiltrate or attack an organisation’s network by targeting IP-enabled equipment (such as cameras) or devices owned by employees themselves.
Calls for greater convergence have naturally met with internal and organisational obstacles, as the setting out of such a massive project entails considerable resources and involves numerous departments. A study on Cyber Security and the Internet of Things published by EY in 2015 indicated that only 6% of all surveyed organisations claimed to have a robust incident response programme in place that includes third parties and that’s integrated with broader threat and vulnerability management functions.
Even if successful in appearance, convergence at the structural level doesn’t necessarily solve underlying gaps and tensions within an organisation. A survey conducted by The Ponemon Institute in 2015 highlighted significant rifts in cyber security knowledge between decision-makers and IT security professionals. It revealed that cyber security has only begun to have an impact on the agenda of decision-makers in recent years, and that most IT professionals think their Board of Directors isn’t properly informed about every threat the organisation is facing.
Hybrid environment
Threat actors operate in a hybrid environment where the boundaries between virtual and physical threats are blurred. It’s now more important than ever for public and private sector organisations to implement holistic security strategies that address additional challenges stemming from convergence itself. As long as the physical and cyber domains are treated as segregated, there’s very little hope of securing either of them.
Convergence isn’t only about form, but also about function. Organisations should encourage internal co-operation, co-ordination and training, not only by ‘changing the organisation chart’ and creating overarching risk management structures, but also by bridging gaps between security practitioners, IT
www.risk-uk.com