What’s preventing physical and cyber security from falling in love? This simple question led to a lively and thought-provoking panel discussion, hosted by David Spark at this year’s GSX. As a co-host of the CISO/Security Vendor Relationship Podcast, Spark encourages open conversations about the tenuous relationship between buyers and sellers of security products. He brought that same disposition to this discussion, which was presented as a “couples counseling” session for those looking to find solutions to the increasingly uncomfortable, yet necessary, intertwined digital relationship between cyber and physical security.
The refreshing discussion brought together experts from across disciplines and industries, including voices from Orvis, the Department of Energy, Panera Bread and Qovo Solutions. Topics ranged from whether wired devices are truly safer than wireless to how aging policies (and policy makers) impede the pace of change. But one thing remained clear throughout: whether we like it or not, physical and cyber security are converging.
Regardless of what’s forcing the change, the session’s panelists seemed to agree that these teams have shared goals. As one of them aptly stated, “I don’t think it has anything to do with wireless or technology. In both physical and cyber security, we’re protecting doorways, we’re protecting access.”
If their stated goals are the same, why are these teams still struggling to work together? The answers seem to lie in a combination of tradition, technology, culture and ownership. Perhaps by first understanding the challenges, we can start to earnestly explore and implement solutions.
Business Structure Separates Physical and Cyber Security
Organizational architecture has historically separated physical and cyber security teams. Physical security was largely managed by facilities, safety or loss prevention. Cyber security was managed by information technology or information security. But, some modern teams fear that legacy organizational structures prevent the type of collaboration that could help create a unified (and less penetrable) approach to enterprise security.
A recent McKinsey study reports that it’s no longer enough to delegate risk to IT, throw resources at the problem or put an undue focus on compliance. Rather, it proposes a provocative approach to organizational structure that brings physical security under the realm of information technology.
However, as James Turgal, managing director of the Deloitte Risk and Financial Advisory Cyber Risk Services practice, reminds us, change is hard. He recently told Security Magazine that, “A misaligned organizational culture can have a tremendous impact on both the business and the security aspects. You could potentially be changing the philosophy that the enterprise has had for years, not just combining networks.”
Many organizations are considering various options to help strengthen the bond between physical and cyber security. But before embarking on large-scale changes, they would be wise to consider what short-term steps can be taken to build trust between these teams.
Physical Security is from Venus. Cyber Security is from Mars.
One of the biggest challenges of uniting cyber security and physical security teams is overcoming the hurdle of history. The teams were built from the ground up to approach problem solving differently. IT teams want first and foremost to know who is doing what, and when. Physical security teams are focused on building gates and keeping the right people and things on either side of those gates.
Information technology teams use identity management as the core building block for their systems. Consider the way technology solutions are evaluated by how well they can integrate with Active Directory and Single Sign-On. Physical security solutions, however, are only now catching up. More vendors in the physical security space are beginning to offer products that integrate with identity management solutions. But there’s a long way to go. They are still burdened by a monumental amount of unstructured data that their existing systems can’t digest and analyze.
As the technologies behind physical security systems modernize and the need to bootstrap systems decreases, perhaps the relationship between cyber and physical security teams will improve consequentially.
Who Owns Physical Security Today? What About Tomorrow?
Information security and technology teams are now responsible for more types of network-connected devices than ever before. With the rise of IoT, cameras, light bulbs, fire alarms and, yes, even fish tanks can now be linked to a network. So, does this mean that IT automatically owns the process of evaluating, purchasing and managing all of these systems? The answer isn’t quite clear.
While IT teams bring expertise on cyber security risks and network integration, facilities teams understand physical vulnerabilities, incident response protocols, and daily systems management and monitoring.
As one member of the GSX panel pointed out, employees are often lost in the process. For example, an IT manager that owns the budget for video surveillance cameras may have trouble understanding the role and responsibilities of an employee on a facilities team (who is tasked with actively managing camera footage and responding to physical security incidents).
Assigning ownership of IoT systems may require a more creative approach than is necessary for traditional technology solutions. This could involve methods such as parsing out sections of the evaluation, purchasing and management process to different teams, or cooperatively owning specific segments of the process.
Three Ways to Bridge the Gap Between Physical and Cyber Security
As the multilateral discussion at the GSX panel clearly emphasized, there’s no immediate and obvious solution that can better connect physical and cyber security. Unifying these teams will take thoughtful organizational engineering, an investment in cultural change, large-scale technology improvements and a focus on greater business goals.
So how do you make progress in the meantime? The panelists had some worthwhile suggestions on how to kick start (or accelerate) the process.
Create customer-centric tiger teams—diversified groups brought together for a single project, need or event. This can help hold each department accountable and help keep up with the pace of change.
Invite both physical and cyber security teams to the discussion when ownership isn’t explicit.
Read a recap of GSX and get a look at how Verkada (winner of this year’s Judge’s Choice Innovative Product Award) is building software-first solutions to help bridge the gap between physical and cyber security.