Published on 19 May, 2014
We don’t usually write about cybersecurity on this site, but it’s obviously part of the bigger picture. Always looking to learn more, last week I logged onto the GovDefenders Cybersecurity Virtual Event, sponsored by DLT Solutions, a technology reseller to the public sector. There were several interesting “sessions” during the day – I managed to “tune in” a couple of times off and on.
Listening to one session in particular reminded me of how much the physical security world has in common with cybersecurity. The session was called “Meeting the Cybersecurity Challenge,” presented by John Slye, a researcher at market analysis company Deltek. In the session, he listed elements cybersecurity professionals should “consider going forward.” I’m reproducing his list here, along with my own thoughts about how the various points also apply to physical security. Mr. Slye lists the following “shifting mindsets and modes of operations:”
From “Secure” to Risk Management. The point here is that security should not be considered as an absolute, and in fact that “absolute security” is unobtainable. That’s certainly as true for physical security as in the cyber world. The corollary, then, is that security is something that is available in degrees and must be provided (managed) as an additional, variable element in any organisation. It reminds me of how every high-profile act of violence brings on calls for more stringent security measures, as if any level of security could be absolute. Managing security includes also considering the impact of extreme security measures on what is being protected (i.e., a free country and/or a facility conducive to doing business.)
From reactive to proactive defences. In the physical world, the sad reality is that security too often is reactive instead of proactive. This is true despite technological advances like video analytics and growing waves of data one would expect might enable a more proactive stance. Something to work toward in the physical world for sure.
From “bolt-on” to embedded security. Mr. Slye’s angle on this was the importance of considering cybersecurity elements when designing software, in effect to make it inherently more secure rather than depending on a separate “security” program to protect the data. In the physical world, too much of our security is “bolted on.” Concepts like Crime Prevention Through Environmental Design (CPTED) have been around for years, but too often security is considered more in the later stages of designing a new facility – if at all. In the existing physical world, every retrofitted solution is “bolted on,” and too often even systems themselves are bolted together over time with little consideration of the resulting whole.
The point here is that security should not be considered as an absolute, and in fact that “absolute security” is unobtainable. That’s certainly as true for physical security as in the cyber world.
From single to multi-layer to “moving target” defences. The ways data can be protected parallel the ways physical assets can be protected – to a point. Single- and multi-layer defences clearly play a role in physical security, and obviously the more layers the better. “Moving target” defences involve keeping assets in motion to protect them, an interesting approach for physical security. Wonder if anyone has tried it.
From periodic to continuous monitoring (with feedback loop). Periodic monitoring is like when a security guard happens to sit in front of a video monitor when something happens. Continuous monitoring is more like video analytics or alarm-based monitoring. I suppose the feedback loop is what happens when there is an alarm.
Both disciplines are always looking for ways to reduce risk, loss, theft, corruption, the resulting “mission disruption,” and lost economic and intellectual property. Both are looking for more efficiencies, greater effectiveness and faster returns on investment (ROIs) using automation and fine-tuning processes. Seems we have a lot more in common with the cybersecurity guys than we may think.