CISM, CTO & CISO, Virtually Informed

March 17, 2020

Why should physical security professionals learn cyber security skills?

In the first of a series of columns set to be hosted exclusively on IFSEC Global, Sarb Sembhi, CISM, CTO & CISO, Virtually Informed, outlines why physical security professionals should be investing in their cyber security skillset.

Most physical and cyber security professionals have worked completely separately since cyber security became a field in its own right. This continues to be the case, despite the efforts of my good friend and colleague James Willison and me to promote a joint approach with converged security risk management.

Whether enterprises see the benefits of the two areas of security risk working together or not, there is one thing that must change – physical security professionals must learn cyber security skills. Here’s why…

The Coronavirus is not the only cause of change in the world!

Physical security has been around for centuries, and over the last 20 plus years it has benefited from technological advancements in CCTV, access control systems, centralised alarm control systems, sensored perimeters, and many others. Over the last few years the technology has advanced even further to facilitate many more benefits. However, these are only achievable through these systems not only operating on an IP network, but also sharing other technologies, such as protocols, services and applications. The sharing goes beyond the basics, as it involves connecting with many more systems, which are totally different from each other, especially when we are talking about systems in smart buildings.

I call this last change the ‘IoT-isation of technology’, which has pushed what were once physical security systems open to cyber security vulnerabilities.

This means that regardless of what physical security professionals think – be they installers, maintenance or facilities staff – they will have to learn enough cyber security practices to ensure that they are not making the rest of the network any more vulnerable than before the devices were installed. Unfortunately, if the current installers are not able to secure such devices, then enterprises will need to replace these suppliers with those who have the skillset to do so.

Change in skills requirements

Many of the devices being installed in a commercial environment are also being replicated in the home. More and more people are implementing surveillance technology into their houses under the guise of security, not understanding that they are probably more vulnerable to attack with some of these products than they were without them. Many of these products are amazingly simple to use; however, in many cases the functionality was never extended to include securing the device or system from hackers.

Since these systems are often purchased based upon their price point, and not the security built into the device or system, the chance of them being replaced due to cyber security issues is remote to non-existent.

Whilst some may be aware that there is a UK and EU coordinated law that is coming into operation in relation to consumer IoT products, it is so low level that it only deals with the top three of the thirteen ETSI standard requirements for device and system security.

Although commercial and domestic products are not exactly the same and being skilled in one doesn’t necessarily make you an expert in the other, they do utilise many similar technologies, which creates a fantastic opportunity for many small installer/integrator businesses.

However, there still needs to be a major shift in the skills required to install, maintain and oversee facilities, with cyber security at the forefront of this requirement.

Job security

Another driver is that several professional bodies and industry standards are beginning to include cyber security skills for any smart products that are installed into buildings, be they domestic or commercial. So, physical security professionals may only be left with a limited range of options:

  • ignore cyber security and lose business to those who are willing to adapt to the market needs, or;
  • leave the profession or industry because cyber security isn’t for them, or;
  • learn enough cyber security to adapt and add value to customers and the industry, or;
  • go the whole hog and explore a career in cyber security, where you are able to provide the additional physical security and safety skills that most current cyber security professionals don’t have.

Basically, it seems that if you are or have been in physical security, and want to keep your job security for the longer term, you will have to learn some cyber security skills!

Add value to your business offering

The good news is that there is currently a cyber security skills shortage and the profession is looking to fill the gap from various avenues.

Unfortunately, some of my cyber security colleagues feel that many physical security professionals are not interested in working with cyber security teams to provide a single view of risk. There is a view that installers or facilities teams are so entrenched in their views about any non-physical security that they will resist change for as long as they can, while also holding back those who want to see change. This resistance is there and will be there for some time, but with the world moving towards smart technology, those who have at least some cyber security skills won’t be completely left behind.

I do believe that since there is little or no chance that cyber security people will attempt to learn the risk skills physical security professionals have, the only chance we have of keeping good physical risk management skills is to train physical security professionals into cyber security. On this basis, physical security professionals can create a new breed of security professional. Not only that, they will be meeting an immediate gap that needs to be filled around the world, not just in the UK, US and Europe.

In closing…

As a cyber security professional who researched into the vulnerabilities of networked CCTVs, intruder alarms, fire alarms, HVAC systems, and other physical network devices at the time when they were not called IoT devices and they were all under the management of physical security teams, I can say that things have changed! Physical security is going to change much faster in the next few years, often in favour of those with cyber security skills.

To respond to this big shift, physical security professionals will have to learn some cyber security skills, whether it is for 5-10% of their jobs, or as much as 20-30% each working week.

I would like to start this discussion and ask what you would like to see to help you make that progression and have the sustainable future you need for yourself and your business. If you have any questions or there are any topics that you would like me to cover, please feel free to post them on this page, and I will try to respond when I get the chance.
