
Project & Engagement Manager, IoT Security Foundation


James Willison MA, is a recognised International leader in Security Convergence and Enterprise Security Risk Management. In 2020 IFSEC Global listed James #8 in the top 20 Cyber Security Thought Leaders across the world. Shortlisted in Security Serious Unsung Security Heroes Awards 2018, as a Security Leader/mentor. James is Co Chair, Smart Buildings Working Group, Internet of Things Security Foundation and a member of the ASIS International ESRM Steering Committee. He is founder of Unified Security Ltd, a Vidsys consultant, works with AXIS Communications on cyber security and advises on the IFSEC Converged Security Centre. James was awarded the Imbert Prize for an ‘outstanding contribution to the Security Industry in 2011’ for his work on convergence with ASIS Europe and the Information Security Awareness Forum. He has more than 20 years of management experience in the physical and information security industry, including posts as Advisor on Convergence to the Mitie TSM Board, Senior lecturer in Security Management at Loughborough University and Digital Security Expert with the European Union. He has co-authored three White Papers and a series of new articles with Sarb Sembhi, sponsored by AXIS Communications, on ESRM, GDPR and Smart Buildings and Cities’ Security.
March 28, 2013


The Blended Threat of Cyber & Physical Security

Today’s security manager faces an increasingly complex risk landscape. In the last decade, threats have multiplied in both the physical and IT domains.

It used to be sufficient to focus on fencing, video surveillance, and access control, but now, the cyber risk posed by IP-based systems is forcing a more unified security strategy.

Speaking at IFSEC

James Willison is speaking at IFSEC International 2013

When: Mon 13th May 16:30

Where: IFSEC Centre Stage

What: Measuring the Business Impact of Physical and Information Security Convergence


Traditionally, IT security has been managed by the IT department, but vulnerabilities in physical security systems give both external attackers and insiders a route to company information. That information can no longer be protected without an enterprise-wide strategy that considers security risks in multi-disciplinary, cross-functional teams.

In the digital age, the security manager needs to ensure these risks are managed effectively and to work very closely with other business support functions, including IT Security, HR, and Legal. The panel should discuss examples of blended threats, the context of cyber security, and the principles of Convergence and Enterprise Security Risk Management.

In August 2010, we were invited to be part of a convergence team composed of 15 global physical and information security leaders. We agreed to write sections on convergence and enterprise security risk management for the ASIS Physical Asset Protection Standard.

These sections focussed on the management of blended threats to physical security systems and data. Following a two-year consultation process and public review, ANSI and ASIS International published the standard in April 2012.

The result is a comprehensive approach to security risk management, designed and written with a focus on the needs of the business.

There are many valuable perspectives and insights, with practical recommendations for developing relations with all areas of the organisation. The introduction sets the scene perfectly, and the following quote from the ANSI/ASIS PAP Physical Security Standard (page xiv, reproduced with permission) is indicative of its quality:

In order to effectively protect its assets, an organization needs to recognize the interdependencies of various business functions and processes to develop a holistic approach to PAP. Physical asset protection is intertwined with other security-related disciplines, such as information technology systems and continuity management. In order to understand the shared risk environment, the organization should consider:

a) A common basis for risk ownership and accountability;
b) An integrated risk assessment and harmonized treatment strategy;
c) Common lines of communications and reporting for assessing and managing risk in a cross-disciplinary and cross-functional fashion; and
d) Establishing cross-disciplinary and cross-functional teams to achieve a coordinated pre-emptive and response structure.

When implementing this Standard, organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk. This should be reflected in all elements of the Standard. By understanding and incorporating the convergence of PAP, information technology systems, and risk management in all of the elements of its management system, the organization will be better able to achieve its objectives.

It’s worth considering how the ANSI ASIS PAP standard can be used to develop a comprehensive management approach to protect an organisation from blended attacks, and help it adopt a holistic approach to security risk management.

There is also a wide variety of issues that advanced cyber threats now pose for businesses, and physical security in particular needs to develop strategies that ensure a working relationship with all areas of security and other business support functions including HR, Legal, and IT Security.

– James Willison is speaking at IFSEC International 2013. Register here to hear James speak for free.

74 Comments
Rob Ratcliff
March 28, 2013 1:15 pm

James, thanks for this. I think this part of the guidance is particularly important:
Common lines of communications and reporting for assessing and managing risk
This is all just about making information sharing easier, which we all know is a great positive. But much easier in theory than practice, of course.

James Willison
March 28, 2013 6:13 pm
Reply to Rob Ratcliff

Rob, absolutely. Thank you for highlighting this point. It is one of the key values of converged security/ESRM. Sadly few organisations really practise this. One leading CSO in the States recently stated that it is crucial for the board to see where the major risks are and the value of a heat map to prioritise all of these across multiple sites and locations. If all the Info/Cyber and physical security risks can be entered into the same reporting process and the data monitored efficiently then a security leader can establish where the important issues are. There are great tools out…

safeNsane
March 29, 2013 7:51 am
Reply to Rob Ratcliff

Everywhere I’ve ever been IT has been elbows deep in the physical security systems.  Usually because there are IT related items on the back end of door security systems, fire control, etc.  I can’t say that this is always the best scenario since the building managers will defer to the IT department not because they are the best resource but because they know the system limitations.

Rob Ratcliff
March 31, 2013 4:50 am
Reply to safeNsane

…limitations being an optimum word there, I suspect.

Rob Ratcliff
March 31, 2013 4:53 am
Reply to James Willison

Well the story we saw recently of a huge hack on a casino in Australia is a case in point (though it may have been an insider job)

safeNsane
April 1, 2013 7:48 am
Reply to Rob Ratcliff

Of course, everyone wants to have security systems like they see in movies, it’s up to me to describe the difference between a card reader and a super computer attached to a CIA database that can look up the ID of anyone using a badge to enter a building.

Brian Sims
April 2, 2013 5:41 am
Reply to James Willison

Hi James. Thank You for another great comment piece on the burgeoning convergence agenda.
How do you see the role of the traditional security manager changing as a result of that convergence movement?

James Willison
April 2, 2013 7:24 am
Reply to Brian Sims

Hi Brian, thank you very much for your appreciation. You raise a most interesting and important question which is not easy to answer. But I will seek to share some thoughts which may be of help. First, the business will value the issue of security more as it understands that unless all areas work closely in teams as much as they can on a daily basis they will suffer harm. With HR and Legal becoming more involved, partly because of the increasing cyber/converged risks, the traditional security manager will have an opportunity to bring his or her views into…

safeNsane
April 2, 2013 7:36 am
Reply to Brian Sims

I’m not James but I’ll throw my 2 cents in. I think one way that a security manager’s role is going to change is that either they need to learn a bit of the IT methodology or start making friends in the IT department. In the past you had many stand-alone systems that could operate in seclusion; now, to take advantage of the most feature-rich products, you need IP connectivity at the very least. Then when you look at things like IP camera systems that are tied to systems that control door access and alarm systems it’s handy…

Brian Sims
April 2, 2013 7:45 am
Reply to safeNsane

James/safeNsane… In your opinion, does all of this mean we need to start nurturing a new breed of security manager?
It’s very evident that security managers operating in today’s world have to be seen to be business enablers. That being the case, could we be embarking upon a somewhat revamped role wherein the need for business process skills are first and foremost?
If so, where’s the cohort from which we can source such individuals?
Is the traditional career progression route of forces/police service and then on to private sector security going to recede?

James Willison
April 2, 2013 8:49 am
Reply to Brian Sims

Hi Brian, first to reassure those who are concerned that there may be an ushering in of security managers who do not understand physical security issues. This is not what convergence argues for. It emphasises that those who have experience and qualifications in security management lead the function. There are of course some exceptions to this – perhaps more at the higher levels such as CSO where other business function leaders take the helm. There is a need for more security managers to gain qualifications in Security Management from Certificate to MSc level and these need to continue to become…

batye
April 3, 2013 12:04 am
Reply to Brian Sims

I trust with changes in new technology and new device integration… we need a new breed of security managers… or at least once a year a security manager needs to attend training to get updated with new technology… same as the IT field… in my humble opinion…

batye
April 3, 2013 3:02 am
Reply to safeNsane

Rules of nature: to survive you must adapt… the same rule applies to any bzz. env., including Security Managers… one way or the other they would have to embrace the IT side of security…

safeNsane
April 3, 2013 7:23 am
Reply to Brian Sims

I wouldn’t say that the pool needs to change; companies still need to look for the same base skills and experience. What I think will change is that they will also look for someone who can at least talk the tech side of things. They don’t have to have an IT background or be able to run a data center, but they do need to know what is out there and how it can be used. The industry has been moving toward IP-based solutions for a long time; many security managers begrudgingly accept this but leave the management of…

Rob Ratcliff
April 4, 2013 7:17 am
Reply to Brian Sims

Personally, I think absolutely. Forces training doesn’t necessarily equip you to be able to run a large integrated system. It doesn’t preclude it, but neither does it help.

Rob Ratcliff
April 4, 2013 7:19 am
Reply to batye

An interesting extension to this would be the security media ourselves, as well. I wonder, when I look at other websites and publications, if they’re engaging with the right people with regards to security equipment, that can be used for so much more now.

Rob Ratcliff
April 4, 2013 7:21 am
Reply to safeNsane

I’ve been thinking about initiating a ‘Security Mythbusters’ series actually. You might be able to help on that. The idea is picking various films with silly security systems and explaining why they would or more likely wouldn’t work in reality.

ITs_Hazel
April 4, 2013 9:53 am
Reply to safeNsane

I think sooner or later, it would just come to this. So better to act on it right now so you can secure your facility the best way possible. As Batye and others have mentioned, some additional skill sets might be required, which can be obtained by attending seminars, workshops, or extra classes, where possible.

ITs_Hazel
April 4, 2013 9:56 am
Reply to Rob Ratcliff

As part of the security media, information dissemination is most useful in equipping people with the information they need to make wise choices when it comes to security and picking out equipment. Knowledge is power; was, is, and always will be.

ITs_Hazel
April 4, 2013 9:56 am
Reply to Rob Ratcliff

Hah! Now that would be a series that I’d definitely watch out for. Sounds like a crash-course type of manual to tell people about the do’s and don’ts when it comes to security. I like the idea.

batye
April 4, 2013 12:17 pm
Reply to Rob Ratcliff

Rob, interesting idea… hope something could come out of it… as in many movies I see… from my humble point of view… most of the security ideas/technology… just fake… or wrong… – as an example – Bourne Supremacy. Check out this movie. In one scene they use a PDA to run a fingerprint scan after pulling prints off some evidence. Either that or they sent the fingerprint to headquarters, but this PDA only has the ability to scan a fingerprint via a small window… not to scan a fingerprint via the screen… 🙂 lol

HaileyMcK
April 5, 2013 2:39 am
Reply to batye

@Alexander Stephens, well said… and don’t get me started about medical shows. Inaccuracies! This has been too long in coming… With the advent of portable media, for example, five minutes in a server room by an unknown person could lead to every bit of corporate intellectual property running out the door. It can lead to the quick and unknown introduction of malware into the corporate network. It could lead to old-fashioned sabotage with a bottle of water or a fire. The list is really endless. Another critical piece of the puzzle is solid end user training that is targeted,…

safeNsane
April 5, 2013 7:54 am
Reply to ITs_Hazel

Yes I think there will be a fair amount of OTJ training for getting caught up on the changing technology but I think we’ll also start seeing more technical people stepping into physical security roles, the world as a whole is becoming more technical and it’s going to be a fairly natural growth pattern.

safeNsane
April 5, 2013 8:06 am
Reply to Rob Ratcliff

You mean like almost every movie involving a security system? I remember having a talk with a friend about something similar. I was talking about the most effective security system I’ve ever seen on film. The man trap in Resident Evil that more or less dices anyone inside with lasers would be great if lasers worked that way, but as I told my friend, I’d hate to be the guy who had to do maintenance checks on that system.

James Willison
April 5, 2013 8:49 am
Reply to safeNsane

Agreed there are some great films out there which have captured the imagination of the public. It was really interesting to hear Eugene Kaspersky indicate last year that 50% of Die Hard 4 was now possible whereas when it was first made it was not seen to be. Perhaps this year 65% of it is achievable. I also like Enigma as it shows just how important code breaking is in protecting people’s lives. It is also a fascinating insight into relationships between technical and physical security leaders and some of these attitudes still exist today.

batye
April 5, 2013 11:42 am
Reply to HaileyMcK

Thank you. With USB drives it’s human nature to be curious… but curiosity killed the cat…

gbrown
April 5, 2013 12:25 pm

I agree with you, since there is no one strategy that fits all. The question is how we develop strategies and tactics to prevent these physical and cyber attacks from happening in the future, since these attacks are getting more sophisticated.

safeNsane
April 8, 2013 8:08 am
Reply to James Willison

Good point. The security systems we saw on films 20 years ago are finally possible, but it still drives me crazy when I hear something like “I’m going to hack into the building security system” and then they attach two alligator clips to the lead for a door striker.

Rob Ratcliff
April 9, 2013 12:03 pm
Reply to safeNsane

Hah, yes indeed. I suppose, generally, the audience isn’t supposed to question it, but as the audiences get smarter about the possibilities of technology, they’re likely to wise up to it all sooner rather than later.
But then aren’t films full of this stuff. No one locks a car, people never go to the loo etc. etc.

Rob Ratcliff
April 9, 2013 12:04 pm
Reply to James Willison

James, that’s absolutely fascinating! As much as 50% of it is possible? I remember watching that film and thinking how absurd it was.

Rob Ratcliff
April 9, 2013 12:04 pm
Reply to gbrown

Constantly analysing and re-analysing the nature of the threat is the best way to stay ahead (or keep up) with the blended threat.

Rob Ratcliff
April 9, 2013 12:07 pm
Reply to HaileyMcK

Human nature, as you say Hailey, is so often the key to cracking security. It pretty much always has been, too. Education needs to constantly pass on the latest tactics of criminals in order for people to understand the risk. (I’m thinking of my 82-year-old father and malware emails in particular here.)

James Willison
April 9, 2013 3:43 pm
Reply to Rob Ratcliff

Rob, how things change! The significance of the cyber threat to the Power Grid and other parts of our National Infrastructure is played out in very dramatic ways in the movie, and Eugene has emphasised that this is now the most important issue facing us all, because if an attacker can take down the Power Grid then… Hence the importance of a unified security approach to do as much as we can, working with our colleagues in IT Security, to protect these systems. Richard Clarke in his book on Cyber War (a must-read on this area) comments on Live Free or Die Hard, Ocean’s 11,…

Rob Ratcliff
April 12, 2013 11:17 am
Reply to James Willison

Sounds interesting, I’ll have to have a look for the book. Thanks, James.

shehan
April 18, 2013 1:18 pm
Reply to Rob Ratcliff

Interesting article. Managing both the physical risk and the cyber risk is very important for a company to protect its information.

shehan
April 18, 2013 1:21 pm
Reply to James Willison

Yes, as you said, only very few companies practise these; it’s always better to look at ways to prevent a security breach than to face the repercussions. I don’t understand why some companies don’t get this.

shehan
April 18, 2013 1:27 pm
Reply to safeNsane

Security managers and IT risk teams need to work together on identifying and placing controls on backdoors for both virtual security and physical security.

Sheh
April 18, 2013 1:29 pm
Reply to shehan

Rob, I really wonder: what we saw in movies a few years back never actually existed, but a few years later we can see those things in the market. I always thought that movies are based on things under development, or people get a lead from them and develop them.

shehan
April 18, 2013 1:29 pm
Reply to Rob Ratcliff

These hackers find some way of sneaking into the system and taking over control. I too feel that there was support from someone inside the Casino to show them the backdoor.

shehan
April 18, 2013 1:33 pm
Reply to safeNsane

As you said, the technology is readily available; it’s the decision of the business whether or not to use a complex high-tech system. I am not sure if most companies would like to invest in such a system.

shehan
April 18, 2013 1:36 pm
Reply to safeNsane

I totally agree with you on this. The security manager’s role is not the traditional role now; technology has evolved and it’s time for security managers to use technology to secure the company.

shehan
April 18, 2013 1:39 pm
Reply to Brian Sims

We might not need a new set of security managers, but training them on IT and technological solutions would definitely help them to make use of it.

James Willison
April 18, 2013 3:36 pm
Reply to shehan

Hi Shehan, thank you very much for all your positive comments. It is great to see the support for a unified approach to the increasingly blended threats. In answer to your question, there are several reasons. Some think the cost of convergence is high as it seems to require organisational change. Actually there are many things companies can do to gain by convergent practices without forming one department. But there is a clear need for regular formalised meetings at the very least. Others are fearful for their positions and concerned that IT will take responsibility for all areas of security.…

safeNsane
April 19, 2013 7:15 am
Reply to shehan

I’d have to say that most medium and large businesses would like to be able to do this. I’ve worked for companies where only a handful of people had keys to the building and we would get called nights and weekends to go open up the offices because someone left something behind or had an emergency deadline. That made people miserable, especially given how often it happened. Also, the ability to more tightly monitor who is going in and out is a great tool when you have employee-related issues.

Rob Ratcliff
April 19, 2013 11:04 am
Reply to shehan

It’s often the easiest way in! Why waste time hacking a system when you can ask for the key. More on something similar to this very soon, actually!

James Willison
April 27, 2013 2:08 am

I am privileged to be looking at the subject of blended threats, cyber security and Convergence at IFSEC on Monday 13 at 1630 with Chris Lawrence and Brian Sims, and on Tuesday 14 at 1215 with Azeem Aleem and Alan Jenkins. I hope some of our readers and contributors can join in the discussion. If you are in London on Wednesday evening, why not join us at the Security Institute’s Big Debate: Convergence: What does it mean for you? Brian Sims FSyI is chairing this and it promises to be a lively and important event! There are still some places left.…

James Willison
May 12, 2013 10:47 am

Dear colleagues, we are very pleased that Eduard Emde, Chairman of ASIS International, will be speaking at IFSEC on Monday at 1215 on: The Future of the Security Management Profession and Standards in Security, in the Security Management Theatre (SMT). We are also delighted to advise that Eduard will join Chris Lawrence and me at 1630 to discuss the importance of convergence/ESRM for the business (Centre Stage Theatre). So please come along. Some of the issues we have raised in this blog will come up and it would be great to see you. If you miss that then Azeem Aleem,…

batye
May 12, 2013 2:32 pm
Reply to Rob Ratcliff

Interesting point, Rob, and I trust you are 100% right… the simple solution is always the best 🙂

batye
July 2, 2013 12:31 pm
Reply to James Willison

Interesting to know… as technology is changing towards a total or all-in-one security solution in a box…

James Willison
July 23, 2013 2:49 pm
Reply to Rob Ratcliff

Rob, the issue of vulnerabilities in physical security systems is getting more attention now from those who understand how to hack into them. This is sometimes because they are easier to compromise and have fewer IT security controls in place. The article here explains some of the issues. Once again, it is my conviction that only with an Enterprise Security Risk Management approach, which means companies have cross-functional teams in place to identify the threats, will there be any chance for the business to survive this kind of attack. If you are a security manager, can you really hope to…