Optic Security Group
A publication by the US Cybersecurity & Infrastructure Security Agency(CISA) on Cybersecurity and Physical Security Convergence* not only provides an introduction to the convergence of physical and cyber security threats but also steps the reader through the challenge of converging an organisation’s cyber and physical security functions in response – and provides a framework for doing so!
As mentioned in another article, Optic has been championing the ‘converged security thesis’ for some time – the idea that in contemporary security threats we’re seeing a convergence of physical and digital vectors; and that protection against these hybridised threats requires a hybridised approach.
The silo problem
A 2019 ASIS Foundation study investigated the extent to which organisations have converged their physical security and cybersecurity functions. The study’s survey of more than 1,000 senior security professionals found that just 24 % had converged their physical and cybersecurity functions despite “years of predictions about the inevitability of security convergence.”
It found that the biggest barrier to convergence (36 %) was reported as differences in culture and skillset between physical and cybersecurity. Following at 24 % was “turf and silo operating tradition”, and the “belief that cyber security requires its own operation” (21 %).
These findings aren’t surprising given that cyber defences tend to be managed under IT or by a CISO, and physical security is part of the Facilities Manager’s domain or at best managed by a CSO.
“When security leaders operate in these siloes, they lack a holistic view of security threats targeting their enterprise,” states the CISA publication. “As a result, attacks are more likely to occur and can lead to impacts such as exposure of sensitive or proprietary information, economic damage, loss of life, and disruption of National Critical Functions (NCFs).”
The converged solution
According to CISA, convergence is a formal collaboration between previously disjointed security functions. Organisations with converged cybersecurity and physical security functions are more resilient, it says, and better prepared to identify, prevent, mitigate, and respond to threats. So, how to go about it?
CISA highlights that a culture of inclusivity is vital to successfully converge security functions and that the approach must be tailored to the priorities and capability level of an organisation. A convergence framework should focus on the three interdependent areas of (i) communication, (ii) coordination, and (iii) collaboration:
• Initiate a dialogue: engage with upper management to discuss what convergence might look like in your organisation
• Review leadership roles: discuss whether your existing leadership structure can be realigned.
• Establish a convergence team: identify key players, including CSO, CISO, physical security, IT, cybersecurity and facilities managers.
• Enable information sharing: engage with team members to identify points of convergence.
• Formalise convergence team roles and responsibilities: establish a cadence and structure for team coordination and integration.
• Identify linked assets: assess cyber and physical assets and identify those that are linked. Assess the risk level of each asset based on linkages.
• Conduct a vulnerability assessment: identify gaps in security and determine where they can be closed with convergence.
• Determine the baseline: use initial assessments and gap analyses to determine the baseline for security operations and incident management.
• Run the numbers: determine if convergence on any scale is financially feasible in the short and long term.
• Prioritise improvements: including patches, software updates, virus protection and opportunities for automation.
• Craft risk-driven policies: these should reflect converged security functions and identify best practices.
• Strategic alignment: align strategy to shared practices and goals, focus on improving efficiency and information sharing.
It goes without saying that converging an organisation’s security functions is not a one-size-fits-all endeavour. Size, structure and security maturity will impact which security convergence looks like for one organisation as opposed to another. However, whether large or small, the benefits of convergence are many.
Converging security functions results in an integrated view of security threats, reduced duplication of effort, cross-skilling, strategic alignment, better information sharing and shared purpose. Above all, a converged approach means more circumspect visibility and fewer security gaps and less mess to clean up as a result.
We like to think of security convergence as the ultimate exercise in security risk management. Why perpetuate a siloed status quo that’s not fit-for-purpose for mitigating contemporary security risks when you can converge your security functions and make your organisation more secure in the process?
If you’re interested in discussing a road map to achieving security convergence in your organisation, please reach out to us.
* With thanks to James Willison for sharing the CISA publication via LinkedIn