Adam Bannister

Editor, IFSEC Global

Author Bio ▼

Adam Bannister was Editor of IFSEC Global from 2014 through to November 2019. Adam is also a former Managing Editor at Dynamis Online Media Group.
June 14, 2017

Sign up to free email newsletters


The State of Physical Access Control in EMEA Businesses – 2020 Report

IFSEC presentations

“We need joint cyber-physical teams for cyber-physical alerts”: James Willison on cybersecurity and enterprise security risk management


James Willison BA, MA, MSyI is a respected specialist in security convergence and enterprise risk management.

Also founder of Unified Security Ltd, Willison is speaking at IFSEC 2017 about ‘How vendors can support ESRM and CSM strategies’ and ‘What security managers need to know about cybersecurity’.

We caught up with James to find out a little more about these topics in advance of Europe’s largest annual security show.

IFSEC International takes place between 20-22 June 2017 at London ExCeL. Get your free badge now.

IFSEC Global: Hi, James, please tell us a bit about what you’ll be talking about at IFSEC with Sarb Sembhi…

James Willison: We’re going to be talking about how vendors can support enterprise security risk management. There’s lots happening in the corporate strategy of bringing risk silos together and identifying cyber-physical attacks – which is great.

However, how can vendors help them better achieve this? Can they provide technologies which will actually calculate enterprise security risks? How can they make sure they’re supplying secure software and secure technology?

We’ll also cover the strategic side of security management. So security managers, what do they do on their side? How do they manage technology they’re going to buy, how do they know it’s good rather than bad – so looking at principles really.

It’s high level strategy rather than technical. We won’t be giving details on all the firewall stuff or what sort of software you’re using. It’s more about what sort of thing you should be looking for and relationships between suppliers and installers and what impressions they’re giving the client.

I’m doing that talk with Sarb Sembhi.

What we’re saying to vendors is you’ve got an opportunity to lead the market in identity access management because the information security guys aren’t really doing it on a large scale

IG: And what about your talk, alongside Steven Kenny of Axis Communications, about cybersecurity? 

JW: We’ll be talking about what Axis are doing, which I know quite a lot about because I’m working with them. Steve will cover hardening the cybersecurity of their products and systems and I will look at how these should be managed in an enterprise or smart city.

And I’ll be giving a strategic look at multi-disciplinary security teaming, which is what converged security really is.

But basically I’ll be saying that people have talked about convergence quite a lot in the last few years, all over the world. But what we need is united cyber-physical teams working in tandem on cyber-physical alerts.

Barclays recently merged their physical and cybersecurity teams into one big security team with technology that is cyber-physical and responding in real time. The highest level of achievement in this area would be them, Deutsche Telekom and BT. Some corporations are doing this converged security management but others are doing enterprise security, which is looking at all security risks but their teams are still siloed.

So they’re looking at all security risks but separately. What we’re advocating is that even if you can’t form one big department because of organisational problems, you form a separate team that includes both information and physical security people – not just one or the other.

CISOs [tend not to] think physical security systems providers really have the capability to offer cyber-physical security solutions

IG: At least it makes sure they’re talking to each other…

JW: Yes. I know these teams exist, but they’re quite rare. In our talk we consider how these teams can use converged technologies to respond to attacks on their physical security systems. We look at important actions to take in this area and this will be of particular relevance for security professionals working in the smart cities of the future.

Out of interest, South Korea, a leader in smart cities, had an InfoSec type show recently and they had 15-20,000 information security people there, with 28,000 physical. So that was interesting as they discussed cyber-physical security, convergence, IoT and new technologies. Something to watch…

IG: Why do you think there is so little take up of cyber-physical security offerings from physical security vendors?

JW: I think because the people looking after that would usually be the chief information security officer, and they don’t think physical security systems providers really have the capability to offer cyber-physical security solutions.

These vendors have specialised in physical up until now and to get into that market is quite hard because there are a lot of information security type access systems, obviously for IT, but identity access management is a big part of that.

I think some of that will converge. I’ve been to conferences where they talk about identity access management all day because it’s on the network. Then there are loads of products around that and some will include a physical element.

What we’re saying in our talk is you’ve got an opportunity to lead the market because the information security guys aren’t really doing it on a large scale. It’s a growth area.

And the internet of things obviously will impact all this.

IG: Could you just clarify the kind of security professionals who will benefit from the talk?

JW: We have a three-pronged approach. What you should be doing in your organisation to converge or have multi-disciplinary teams and how you can do that. You can take the initiative by going to HR and saying you want to form one, can you help me, because maybe I’m not getting help from the IT people. So that shows initiative, to see what they say back before they come back and make you do it anyway.

HR might just realise they can form one department to save money. They no longer need two security functions. That’s been an issue in the past. Someone tells them they need only one person to run the whole security department to include every area of security.

There’s this fear that all the chief information security guys are going to take over physical security. A lot of jobs are now advertised in this area, when you dig deep into them they’re looking for chief information security officers.

The IT companies don’t see the point of siloing off. They tend to be more digitalised and, well, you need to know about IT anyway. But if you don’t know about it, what are you doing here?

IG: As ever, it sounds like the technology is evolving faster than the corporate culture can keep up with. Is there anything else you want to mention?

JW: Just that we’re publishing a white paper with Axis on this subject, called “Supporting Enterprise Security Risk Management, How vendors can support ESRM and CSM strategies”.

We are delighted to announce that this will be launched at IFSEC and available as a PDF on the Axis website (click here) or if you contact me at [email protected]. We hope to have some printed copies for those who attend our presentation! So please come and get a copy!

James Willison is speaking twice at IFSEC 2017:

20 June / 14:00-14:40 Supporting Enterprise Security Management – How vendors can support ESRM and CSM strategiesJames Willison and Sarb Sembhi, CTO & CISO, Virtually Informed / Borders & Infrastructure Theatre

21 June / 13:30-13:55 / What security managers need to know about cybersecurity / James Willison and Steven Kenny, Axis Communications / Security Management Theatre

View the full conference agenda here

IFSEC International takes place between 20-22 June 2017 at London ExCeL. Get your free badge now.

Get your summer security fix in this essential free 'State of the Nation' webinar

Explore the state of security in the United Kingdom in this unmissable webinar led by industry titans Professor Dave Sloggett, Surveillance Camera Commissioner Tony Porter, TSI's Rick Mounfield, BSIA's Mike Reddington and Alex Carmichael of the SSAIB.


Related Topics

Notify of
Inline Feedbacks
View all comments