We see a lot of discussions about the differences between physical and cyber security. Our most recent blog was about this, and about an attack that started in the cyber environment and caused physical damage. Another dilemma could occur when a social engineer or insider threat physically walks through the door of your business and penetrates your network. They proceed to download reams of information and walk back out the door. Is this a cyber threat because they were able to access and download, or a physical security threat because they weren’t spotted? Does this mean that a company needs to employ both physical security specialists and cyber security specialists? Where is the delineation of duties? And who is responsible? Do these two security elements talk to each other, and who’s in charge?
Is it time to start thinking about security in the 21st Century as one big element? Should we all be more interested in General Security Experts running your security programs at large and having cyber and physical security chiefs or analysts running the respective divisions or teams? Should we be more interested in intelligence fusion? A lot of questions for sure, but don’t attackers exploit one element to advance the other?
For example, if I am a good threat, I am going to identify your vulnerabilities first and exploit those. I would conduct a series of probing actions, physically and electronically, to see where I can enter and go from there. If I know company X has the latest security measures in place within their network because I did a lot of prep work and foot-printing, wouldn’t I switch my attack surface to the wetware? Wouldn’t I seek to exploit your physical security vulnerabilities to become a trusted user and then get what I want? Or maybe I convert one of your employees into an insider threat, either wittingly or unwittingly, and attack you that way?
So when we talk about cyber security alone, are we limiting ourselves? Or are our physical security experts handcuffed because they don’t have access to the data produced by the network security folks? Perhaps it’s time to articulate the need for a Security Fusion Cell with a Director of Security who is an expert in all types of security. Perhaps a full-spectrum approach to security that incorporates personal security, physical security and information security.
In the military, intelligence officers are trained as general intelligence officers when they enter the service and then are given specialized skills at the 3-4 year mark. They may specialize after that but the premise is that everyone is a general service intelligence officer capable of speaking to all of the disciplines. They will then rely on more specialized analysts who can assist in the details as necessary.
This is meant to be thought-provoking. Maybe you are already doing it. If you are a small business, your money is already tight, so you probably aren’t able to afford both. But you could afford one. Yet we are seeing more and more security insulation and not as much collaboration. This is where that critical self-assessment comes into play.