The unique challenges of securing data centres – “Enterprise risk management and partnerships are crucial to our approach”

“There’s a prediction that 30% of the world’s power will be consumed by data centres in two years’ time”

As George Dionisopoulos, Head of Security at Australian data centre provider NEXTDC, explains, there is little doubt that the data centre market is witnessing significant growth, in line with the development of cloud-based services. There is also an awareness that data centres are now an integral part of a country’s critical national infrastructure – whether formally recognised or not – and only high-quality security solutions and risk management strategies will suffice.

IFSEC Global was lucky enough to sit down with George, alongside Barkers Fencing’s Adam Savage, at IFSEC International in May, to find out more about the unique challenges that come with securing such facilities and why partnerships are crucial to an organisational security strategy.

NEXTDC are described as one of Australia’s largest and most reliable data centre providers, with data centres in Brisbane, Canberra, Sydney, Melbourne, Perth, Darwin and Adelaide. Customers include global cloud computing providers, enterprises and governments, and many more. George Dionisopoulos is the Head of Security for NEXTDC.

IFSEC Global (IG): Hi George, so what’s your background in the sector?

George Dionisopoulos (GD): I have over 20 years of progressive leadership experience, specialising in security, compliance & risk management and government relations, having obtained several certifications along the way. My passion for security began in construction, with my professional life then shifting to project management, in particular delivering fibre networks at NDC (Telstra) before building AAPT’s National Backbone Network. It was at AAPT where I was first given the opportunity to lead a security and risk operations function that morphed and took on all levels of security including fraud and law enforcement. This initial grounding helped formulate the concept of converged security in my DNA and the importance of partnerships to help in the delivery of a mature security risk management programme.

George Dionisopoulos, Head of Security, NEXTDC

In my current role at NEXTDC, I am responsible for leading the security risk and compliance initiatives and effective security risk management practices across all of NEXTDC from strategic to operations. This is achieved through close collaboration with key stakeholders, external partners and business units.

I’ve worked to embed a security risk management culture into the design, construction, support and operations at NEXTDC. My responsibilities also include the ability to lead security risk management to enable it to operate according to the applicable policy and procedure, manual(s), and guidelines, ensuring that the physical integrity and safety of all NEXTDC data centre facilities are maintained. Key is being engaged with relevant authorities, government departments and peers, not only in the data centre environment but across all critical infrastructure environments.

IG: How important is it in your opinion for physical and cyber to collaborate and communicate with each other – and how does NEXTDC go about doing this?

GD: My overall responsibility is the broader NEXTDC security portfolio incorporating all facets of security. In saying that, we do however have a dedicated group for cyber with people employed with the right skill sets and mind sets to keep us ahead of the curve that report directly into the CIO and are the experts I lean on in this space.

Because cyber risk has developed so quickly, the broader security portfolio can be undermined a little and take a bit of a ‘backseat’. This is why security is not distinguished at NEXTDC and is treated as a holistic program of converged security, ensuring all pillars of security form a part of the foundation of our Security Risk Management program.

Security risk management is about four pillars – cyber, physical, personnel and supply. Those four pillars should make up your overall organisational risk management programme and should ‘converge’ and work together – it’s much easier to get management buy-in to a security culture this way.

IG: What are the most challenging aspects of securing data centres from physical threats?

GD: All valid and constantly included threat vectors are monitored – though I am sure a lot of people would mention threat environments like terrorists and criminal elements. The insider threat in particular, is something we’re aware of – something our security risk management programme is designed to mitigate the potential threats of.

In Australia, the most difficult aspect is the requirements of our local government and council regulations which play a huge role in our ability to physically secure data centres. Land is at a premium in Australia and data centres are required to be within what’s considered the metropolitan area. They require us to take into account aesthetics and nature, which adds a bit of a complexity but also challenges us in how we do then provide that first layer of deterrence and delay.

“It is about deploying a subtle deterrence, providing our teams the ability to have enough time to detect and respond accordingly” – George Dionisopoulos, NEXTDC

AT NEXTDC, in these situations, we use CPTED methodology and integrate it with the broader physical environment into our electronic security management system. The installation of lighting around facility further acts as an aid in natural surveillance as well as CCTV monitoring.

It is about deploying a subtle deterrence, providing our teams the ability to have enough time to detect and respond accordingly. Even just incorporating stairs into a facility can help minimise the amount of footprint you receive. We also design the building in layers, with the high value assets being located within the central layer, while increasing the level of access restriction at each layer.

Adam Savage (AS): I was actually lucky enough to visit George and three of the data centres he protects recently. What was really impressive was the amount of critical thinking and innovation that goes in to protecting the facilities, and it really was the gold standard of data centre protection from my experience. The sector is witnessing significant growth – you’ve got countries such as Ireland investing heavily in data centres, for instance, so a holistic approach to security is clearly a necessity.

Adam Savage, Marketing & Sales Director, Barkers Fencing

From our side, we’ve supported in introducing standards from the UK, such as LPS 1175, and from Barkers’ expertise in fencing solutions, and how both work together in a deter and delay protection strategy.

IG: How important are independent standards such as LPS 1175 when specifying perimeter protection products?

GD: It is very important to be able to have a standard that you can lean on in the design of your environment. At NEXTDC, we actually do use the LPCB LPS 1175 as a guide to hold our suppliers accountable to. Underpinning all your converged security solutions you must have relevant policy, procedures and guidelines that help your teams provide the right security environment.

We invest heavily into building a sophisticated, multi-layered security posture and processes to ensure our customers critical IT infrastructure is secured and protected to the highest global standards. Just as our data centres are built to support the evolving and dynamic needs of our customers, our security protocols follow suit. This is why we take our certifications and attestations very seriously as we know how important these are in supporting our security posture and culture, but also as important is that our customers demand these as a baseline.

Partnerships are also worth highlighting. It’s about interacting and understanding each other’s environments and expertise – for example, the conversations I’ve had with Adam and the Barkers team in relation to security fencing and LPS has helped me to better understand new standards we can implement.

AS: And we think that’s just as important as George says. Physically visiting George and the facilities he protects gave us a much better understanding of his challenges and the environment that George and his security team is working with. LPS has been integral in our discussions, and we also understand particular solutions that may be most appropriate to the site required.

Different data centres may require HVM (hostile vehicle mitigation) and the most expensive fencing available, while others might require more targeted solutions, where we’d take a different approach.

IG: What role is technological innovation playing in the protection of the data centres you manage?

GD: Technological innovation is a crucial piece of the puzzle in your Security Risk management program. At NEXTDC we do utilise analytics and the smarts of our broader electronic security management system to provide our teams with up-to-date information as to what is going on in our environment. Couple this with our two-factor authentication program, we are always keen to look at innovative ways to manage our security risk portfolio.

AI and machine learning are going to play an integral part in security risk management that will require us to understand how to integrate these into our broader portfolio and more importantly how they can work seamlessly together to not only provide a secure environment but a great customer experience.

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Listen to the podcast today