With the cost of cybercrime to businesses in the US alone expected to top USD 6.5 trillion by 2025, isn’t it time for the convergence of security systems governance?
Cyber and physical security have united at a technical level, but they have yet to do so at an organisational level. The worrying thing is that while organisations continue to treat the two domains as separate, the prospect of properly securing either of them is virtually non-existent.
Calls for business leaders to proactively respond to, and account for, the risks of converged security are not new. Indeed, the earliest references to converged security governance may have appeared in the Journal of Applied Security Research in 2006.
As we all know, many organisations are slow to change. The adoption of measures to mitigate intangible risks, weighed against visible and immediate corporate requirements, is limited. Significant gaps are ever-present in the assessment, management and operation of the risks arising from converged security.
Asset-intensive industries, especially those in a critical infrastructure setting such as power, water or transport, are particularly at risk given the proliferation of industrial IoT and the significant number of legacy systems interfaced to their IT networks. Accordingly, the recently created Australian Critical Infrastructure Security Act 2018 has placed new obligations on organisations and reinforces the case for integrated security governance.
To close these risk management gaps, organisations must work with skilled professionals who can deliver a framework for integrated security governance. These professionals need to include IS managers, governance, risk and compliance specialists, and physical security system and network architects. The end result needs to be a holistic, "whole of enterprise" framework for delivering security governance.
Setting the convergence scene
In the context of organisational security, convergence is a term that is used to describe the increasing integration of historically siloed security systems and functions.
Physical Security and Protection Systems (PPS) include CCTV, electronic access controls, physical barriers and locks, and the human patrols and surveillance used to protect the organisation's physical facilities.
Cybersecurity covers the network and IT security systems, comprising identity and authentication systems, firewalls and the processes used to protect the IT network and its assets.
Modern-day physical security systems rely on IT technologies such as Ethernet networks, micro-computers and TCP/IP protocols to operate and deliver security information. Because they ride on the same IT networks, they are therefore extremely vulnerable to physical and electronic intrusion and need increased protection.
The convergence of physical and cyber systems has not been met with a suitably wedded security management approach. Significant gaps have begun to appear in enterprise risk management processes, exposing substantial vulnerabilities that can be exploited by various adversaries.
With more personal information, IP and financial data being held and transferred electronically, there is an increased criminal interest and risk of a cyber-attack.
Security governance convergence must therefore be motivated by an organisation’s desire to protect its assets and a recognition that its corporate assets are increasingly digital and information-based. To combat this widening risk management gap, organisations can rely on an integrated security governance framework that enables security risks to be managed holistically and effectively.
As the value in cybercrime continues to grow, so too must an organisation’s desire to build robust and collaborative protection systems.
Figure 1. Managing blended security risks
Your next move
Regardless of how threats manifest, the convergence of cyber and physical security risks must be front of mind for any organisation's C-suite.
Organisations will no doubt reap advantages from cohesively managing their currently separate systems. The important thing is to stop drawing a distinction between the two kinds of security system. Many innovative efforts in security already blur the line between cyber and physical measures.
And while it may seem overwhelming, the best place to start is by asking the question: have we converged our cyber and physical systems? If you are unsure of the answer, now is the time to seek out expert guidance from specialists who can help you to navigate the minefield safely, efficiently and confidently.
About the Author
Meet Nick
Nick is a telecommunications engineer with over 30 years of experience gained across the military, aviation and oil and gas industries. He has provided niche technology systems integration and consultancy to projects in the UK, Europe, North America, South America, Africa and the wider Asia-Pacific region. Within GHD Digital's Cybersecurity and Risk Management Team, Nick leads multiple project deliveries utilising our proprietary framework for integrated security governance. A highly experienced project director, Nick's primary focus is co-creating solutions with clients that work in the real world.
For more information please visit www.ghd.com/digital or contact Nick at Nick.Goodwin@ghd.com