WHITEPAPER: What is Converged Security?
Updated: Aug 28, 2020
Converged Security is a new way of viewing all risks that face an organisation, combining risks from the Physical, IT/Cyber, and Personnel disciplines within an Enterprise Security Risk Management (ESRM) model that delivers uniform Governance over an organisation. This approach is in line with the Protective Security Requirements (PSR) deployed by both the Australian and New Zealand governments.
Optic Security Group has embraced Converged Security as the best emerging methodology to deliver a holistic and unified view of all the risks facing an organisation. Using this methodology, we equip our customers to implement a balanced mix of controls aimed at mitigating the specific risks that could potentially impact on their ability to deliver on their goals and organisational mission.
Converging Threats = Converging Solutions
There is an increasing realisation that the lines between threats of a physical and a digital nature are blurring, and that all of your staff play a critical role in the protection of your organisation. As a result, all of your traditional security silos (Physical, Information and Personnel) need to be viewed as part of a bigger strategy aligned with your organisation’s goals and mission.
The term that has emerged to describe this interlinked and increasingly interconnected spectrum of risk and security needs is ‘Converged Security’.
Converged security is where organisations identify the need to have a holistic and consolidated view of the broader spectrum of potential security threats in order to understand what’s needed to mitigate or avoid issues before they occur. This means having a centralised view of the risks and how they interact – not the traditional well-meaning but siloed departments or people focused only on parts of the wider and evolving issues.
Centralising the risk effort is not all about saving money; it’s more about recognising that risks facing an organisation need to be addressed holistically.
There are many examples where Physical Security can be undermined by gaps in the Personnel domain, such as the Lloyds bank robbery in which a man in a hi-vis vest claiming he was ‘from IT’ installed a GSM keyboard/mouse switch, which he later used to dial in and transfer millions of pounds. This simple attack bypassed world-class physical and IT security by targeting the weakest link: the training of the staff at the branch.
To avoid weak links, we need to look at all attack vectors to ensure appropriate levels of mitigation are deployed to reduce the overall risk. We have to work holistically to eliminate grey areas between controls, as attackers will continue to look for and exploit the weakest link.
A recent ASIS Foundation survey found that while 20% of respondents cited cost saving as a factor that might convince them to converge, only 7% of those who did converge cited it as a primary benefit. The bigger benefits realised were “Better alignment of security strategy with corporate goals” (40%), “Enhanced communication/cooperation” (39%), and “Shared practices/goals across functions” (35%).
Traditionally, physical security was handled by the property or facilities team on a set operating budget, while IT/Cyber relied on internal/external audits and targeted improvements driven by the severity of findings. Governance was still driven by a traditional risk matrix of consolidated high-level risks, and personnel security was handled by HR from a compliance, rather than a security awareness, perspective.
As a result, these areas traditionally have different funding models, risk assessment processes and reporting lines, which invariably lead to gaps and grey areas (exposures) and overlaps (wasted investment) in the deployment of mitigations. Uncoordinated roadmaps also mean that at any one time the organisation is vulnerable to threats that are not being actively mitigated, monitored or controlled.
Technology is also converging. CCTV is no longer ‘closed-circuit’; it is now IP-based and internet visible, and therefore vulnerable.
The increasing use of Internet connected devices (IoT) and distributed computing (Cloud, as-a-Service offerings) and blurring lines with devices and environments (BYOD, work from home) results inevitably in the growth and complexity of an organisation’s attack surface (the area open to compromise).
Traditional IT has also evolved. Development is becoming increasingly agile, more and more cloud resources are being used, and mobile application development continues to grow. While datacentres and in-house servers still play a critical role, functionality continues to move into the cloud. This improves resiliency but also increases the number of third parties we now rely on for the secure operation of our critical and supporting systems.
The PSR – a response to a Converged (Holistic) Threat
Government agencies have identified and are addressing security convergence, as evidenced by the deployment of the Protective Security Requirements (PSR).
PSR principles are relevant to all organisations, whether they are a government agency, owner of critical infrastructure, have a duty of care towards the public, or are just being good corporate citizens.
The PSR introduced a converged methodology incorporating Physical Security (PHYSEC), Information Security (INFOSEC), and Personnel Security (PERSEC), all under an umbrella of Governance (GOV) by defining key deliverables mapped to capability maturity measurements.
Physical security (PHYSEC) focuses on the protection of the physical environment (buildings, sites, assets) and people (staff, customers) by deploying defence in depth. The best example of this is the 5-Ds methodology applied to site security (Deter, Detect, Delay, Deny, Defend).
Information Security (INFOSEC) is a very mature field, and the best overview of InfoSec requirements is ISO27000, which outlines the controls required to protect information in use, at rest and in transit. Network security follows a similar defence in depth methodology to PHYSEC, with the deployment of multiple layers of controls from firewalls to encryption. It also recognises the importance of PHYSEC and of user awareness and training (PERSEC).
Personnel security (PERSEC) is both the proactive training of your staff and customers, as well as the reactive control of having an educated and aware workforce that can act as an early warning system. In other words, ensuring people know what not to do, what to look out for and who to contact when something doesn’t look right.
The true value of convergence is ensuring the effective use of funding and deployment of controls, guided by the application of risk management (Governance) over the three disciplines (PHYSEC, INFOSEC and PERSEC) to provide coordinated defence in depth in order to create a more secure organisation.
Governance ensures that all risks are treated based on the threat they pose to the organisation (ISO31000), and that the level of mitigation is appropriate and makes the best use of scarce resources.
Enterprise Security Risk Management
ESRM is the management of any security risk using established risk principles. There are five core risk principle elements: Identify your assets; identify risks associated with those assets; mitigate those risks; respond to incidents; and continue learning from incidents by being situationally aware.
Risk is a very broad term, and ESRM deals quite specifically with ‘security risk’. A security risk in the context of ESRM is anything that threatens harm to the enterprise, its mission, its employees, customers, partners, its operations, or its reputation. This could mean a troubled employee with a gun, an approaching hurricane, a computer hacker, a robber or a thief, an angry customer in a company facility, or an employee with access to sensitive information who is willing to sell it to a competitor.
Security risks take many different forms, and new ones are being introduced all the time. Recognising those risks, making them known to the enterprise, and having a security resource assist business functions to mitigate them is central to the ESRM philosophy.
One of the key benefits of a converged security model is the ability to create a single pane of glass view (SOC/NOC/Alarm Centre) to capture all threats in real-time, monitored by a single first responder team 24x7.
For instance, in the ESRM framework this means using mitigations from multiple disciplines to monitor and mitigate risks, including placing guards, installing cameras, monitoring networks, and using digital and physical access controls.
The use of Artificial Intelligence (AI) is creating a new role for the legacy security camera, using it to collect valuable information on customers and how they interact with your organisation.
Recently, Coca-Cola commissioned a study of how its customers interacted with its in-store displays. Instead of a survey or small sample they used the camera data at one site to anonymously profile 90,000 customers over a month. The data included recording emotions (before and after purchase), age, gender, purchases, and time spent looking at displays. This enabled the company to understand its customers as individuals and as a whole rather than a mere sample. This is just one example of how AI can help make use of data that is already available and provide a return on investment for surveillance equipment.
A Converged Security approach will ensure your organisation operates as securely as possible, making the best use of scarce resources to protect your people, customers and assets; enabling you to meet your goals and objectives while protecting your reputation and brand.
Traditionally siloed resources need to work together to increase your visibility and control over the risks you face, with a coordinated strategy that eliminates grey areas and promotes the engagement of your workforce to protect the organisation. Active security awareness training remains one of the key mitigations for the expanding threat landscape, ensuring your workforce recognise and report threats before they develop into costly incidents.
It is important to start taking advantage of innovations that evolve from the convergence of security products, which will lead to more cost-effective and adaptive controls. Artificial Intelligence is a key example of this, as it combines traditional physical security (cameras) with analytics to provide new benefits to your organisation, from facial recognition of staff and VIP customers, to active market research opportunities, to enhanced security profiling (confirming that the face matches the access card being presented).
Governments across Australasia are doing their part. The Protective Security Requirements (PSR) lead the way in combining key deliverables matched to a capability maturity model. This provides a comprehensive model for converged security and helps organisations develop prioritised security road maps.
The increasing prominence of the Enterprise Security Risk Management (ESRM) methodology highlights the importance of a coordinated view of your organisation’s security exposure, backed by a traditional risk management (ISO31000) approach, to support your organisation’s goals and objectives and deliver an appropriate security strategy and roadmap.
Everyone knows there is no single solution to security threats, no silver bullet, no magic product to solve all our problems. Instead it requires a combination of elements, working in a consolidated strategy, to provide the best protection.
As threats continue to evolve and adapt, so do the controls available to organisations to mitigate them. Security convergence is the next step in the evolution of security, bringing the best of all existing disciplines into a coordinated defence to provide the best future-focused protection for your organisation.
About Optic Security Group
Optic Security Group is the largest independent and most technically advanced provider of converged physical, IT and information security solutions in Australia and New Zealand. Launched in December 2018, the Group combines the capabilities of six leading security and IT services providers and brings together 200 staff across a dozen locations in Australia and New Zealand to provide physical, IT and information security services to 1,000 existing – and a growing list of new – customers.