In the first of a series of columns set to be hosted exclusively on IFSEC Global, Sarb Sembhi, CISM, CTO & CISO, Virtually Informed outlines why physical security professionals should be investing in their cyber security skillset.
Most physical and cyber security professionals have worked completely separately since cyber security became a field in its own right. This continues to be the case, despite the efforts to promote a joint approach with converged security risk management, of my good friend and colleague James Willison and I.
Whether enterprises see the benefits of the two areas of security risk working together or not, there is one thing that must change – physical security professionals must learn cyber security skills. Here’s why…
Physical security has been around for centuries, and over the last 20 plus years it has benefited from technological advancements in CCTV, access controls systems, centralised alarm control systems, sensored perimeters, and many others. And, over the last few years the technology has advanced even further to facilitate many more benefits. However, these are only achievable through these systems not only operating on an IP network, but also sharing other technologies, such as protocols, services and applications. The sharing goes beyond the basics, as it involves connecting with many more systems, which are totally different from each other, especially when we are talking about systems in smart buildings.
I call this last change the ‘IoT-isation of technology’, which has pushed what were once physical security systems open to cyber security vulnerabilities.
This means that regardless of what physical security professionals think – be they installers, maintenance or facilities staff – they will have to learn enough cyber security practices to ensure that they are not making the rest of the network any more vulnerable any more vulnerable than before the devices were installed. Unfortunately, if the current installers are not able to secure such devices, then enterprises will need to replace these suppliers with those who have the skillset to do so.
Many of the devices being installed in a commercial environment are also being replicated in the home. More and more people are implementing surveillance technology into their houses under the guise of security, not understanding that they are probably more vulnerable to attack with some of these products than they were without them. Many of these products are amazingly simple to use, however, in many cases the functionality was never extended to include securing the device or system from hackers.
Since these systems are often purchased based upon their price point, and not the security built into the device or system, the chances of them being replaced due to cyber security issues is remote to non-existent.
Whilst some may be aware that there is a UK and EU coordinated law that is coming into operation in relation to consumer IoT products, it is so low level that it only deals with the top three of the thirteen ETSI standard requirements for device and system security.
Although commercial and domestic products are not exactly the same and being skilled in one doesn’t necessarily make you an expert in the other, they do utilise many similar technologies, which creates a fantastic opportunity for many small installer/integrator businesses.
However, there still needs to be a major shift in the skills required to install, maintain and oversee facilities, with cyber security at the forefront of this requirement.
Another driver is that several professional bodies and industry standards are beginning to include cyber security skills for any smart products that are installed into buildings, be they domestic or commercial. So, physical security professionals may only be left with a limited range of options:
Basically, it seems that if you are or have been in physical security, and want to keep your job security for the longer term, you will have to learn some cyber security skills if you want to keep your job security!
The good news is that there is currently a cyber security skills shortage and the profession is looking to fill the gap from various avenues.
Unfortunately, some of my cyber security colleagues feel that many physical security professionals are not interested in working with cyber security teams to provide a single view of risk. There is a view that installers or facilities teams are too entrenched in their views about any non-physical security that they will resist change for as long as they can, while also holding back those who want see change. This resistance is there and will be there for some time, but with the world moving towards smart technology, those who have at least some cyber security skills won’t be completely left behind.
I do believe that since there is little or no chance that cyber security people will attempt to learn the risk skills physical security professionals have, the only chance we have of keeping good physical risk management skills is to train physical security professionals into cyber security. On this basis, physical security professionals can create a new breed of security professional. Not only that they will be meeting an immediate gap that needs to be filled around the world not just the UK, US and Europe.
In closing…
As a cyber security professional who researched into the vulnerabilities of networked CCTVs, intruder alarms, fire alarms, HVAC systems, and other physical network devices at the time when they were not called IoT devices and they were all under the management of physical security teams, things have changed! Physical security is going to change must faster in the next few years, often in favour of those with cyber security skills.
To respond to this big shift, physical security professionals will have to learn some cyber security skills, whether it is for 5-10% of their jobs, or as much as 20-30% each working week.
I would like to start this discussion and ask what you would like to see to help you make that progression and have the sustainable future you need for yourself and your business. If you have any questions or there are any topics that you would like me to cover, please feel free to post them on this page, and I will try to respond when I get the chance.
Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.
Sign up now!
Dear sir I would be pleased to receive e-mails regarding cybersecurity related to IFSEC. Thanks.
Hi, please feel free to sign up to our weekly newsletters here: https://www.ifsecglobal.com/sign-up-for-the-ifsec-global-newsletter/