IFSEC Insider | Security and Fire News and Resources

The Blended Threat of Cyber & Physical Security

Today’s security manager faces an increasingly complex risk scenario. In the last decade, threats have multiplied in both the physical and IT areas.

It used to be sufficient to focus on fencing, video surveillance, and access control, but now, the cyber risk posed by IP-based systems is forcing a more unified security strategy.

James Willison is speaking at IFSEC International 2013

When: Mon 13th May 16:30

Where: IFSEC Centre Stage

What: Measuring the Business Impact of Physical and Information Security Convergence

Register to hear James speak for free

Traditionally, IT security has been managed by the IT department, but the vulnerabilities in physical security systems provide opportunities for both hackers and insiders to gain access to company information. That information can no longer be protected without an enterprise-wide strategy that considers security risks in multi-disciplinary and cross-functional teams.

In the digital age, the security manager needs to ensure these risks are managed effectively, and work very closely with other business support functions including IT Security, HR, and Legal. The panel should discuss examples of blended threats, the context of cyber security, and the principles of Convergence and Enterprise Security Risk Management.

In August 2010, we were invited to be part of a convergence team composed of 15 global physical and information security leaders. We agreed to write sections on convergence and enterprise security risk management for the ASIS Physical Asset Protection Standard.

These sections focussed on the management of blended threats to physical security systems and data. Following a two-year consultation process and public review, ANSI and ASIS International published the standard in April 2012.

The result is a comprehensive approach to security risk management, designed and written with a focus on the needs of the business.

There are many valuable perspectives and insights with practical recommendations for developing relations with all areas of the organisation. The introduction sets the scene perfectly and the following quote from ANSI ASIS PAP Physical Security Standard, page xiv, reproduced with permission, is indicative of its quality:

In order to effectively protect its assets, an organization needs to recognize the interdependencies of various business functions and processes to develop a holistic approach to PAP. Physical asset protection is intertwined with other security-related disciplines, such as information technology systems and continuity management. In order to understand the shared risk environment, the organization should consider:

a) A common basis for risk ownership and accountability;
b) An integrated risk assessment and harmonized treatment strategy;
c) Common lines of communications and reporting for assessing and managing risk in a cross-disciplinary and cross-functional fashion; and
d) Establishing cross-disciplinary and cross-functional teams to achieve a coordinated pre-emptive and response structure.

When implementing this Standard, organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk. This should be reflected in all elements of the Standard. The organization will be better able to achieve its objectives by understanding and incorporating the convergence of PAP, information technology systems, and risk management in all of the elements of its management system.

It’s worth considering how the ANSI ASIS PAP standard can be used to develop a comprehensive management approach to protect an organisation from blended attacks, and help it adopt a holistic approach to security risk management.

There is also a wide variety of issues that advanced cyber threats now pose for businesses, and physical security in particular needs to develop strategies that ensure a working relationship with all areas of security and other business support functions including HR, Legal, and IT Security.
