ISC West Session Preview: Governance – The Glass Ceiling of Your Security Program Improvement Initiative

I’ve been complaining about cybersecurity in the physical security industry for over 10 years. I’ve been brushed off, been called out for asking questions and even endured threats of lawsuits and had to seek legal counsel – just for performing the same due diligence that we’re starting to see as commonplace today.

My disappointment and frustration have faded as I welcome the new era where those in the industry who still try to keep it in the shadows find themselves under scrutiny for advocating obscurity. Times are changing. Change is good, but change isn’t a linear process.

While the industry is making great progress, awareness is being put into action without pausing to take careful inventory to ensure that critical elements aren’t being overlooked. The industry is taking an “improvement” approach, based on its existing scope of knowledge and practice. For example, a great deal of focus goes to securing networks, hardening configurations or expanding specific features.

Conversations appear to revolve around a narrow scope of bullet points. As an analyst, I speak to many people – from media to manufacturers and their channels. The common theme I hear over and over again is “the industry isn’t sophisticated, and we need to deliver very simple advice in language they can understand”. While communication to target audiences is key, providing watered-down advice will only potentially enable them to execute improvements by the same measures, at best.

I’ll be blunt: you can’t build effective cybersecurity based on a few bullet points. As much as some in the industry desire it to be so, it just isn’t; it has various domains, it’s highly technical and cyber actors are a much more formidable adversary than the prox cloning amateur of the past.

So what’s the remedy? Do end user physical security professionals need to become cybersecurity experts or do they need to hire several cyber domain experts as part of their next generation team? Neither would be appropriate. This session will provide insight into instituting your cybersecurity foundation of the future that the industry isn’t yet highlighting.

On March 17 at ISC West, Jasvir Gill, the CEO and founder of AlertEnterprise, and I will host the SIA Education@ISC session Governance: The Glass Ceiling of Your Security Program Improvement Initiative. Here, the Security Industry Association spoke with us about what to expect with this session.

SIA: We’re hearing some conflicting messages in your opening. Shouldn’t end users make “best practice” improvements in their programs, even if they’re incremental (or simple)?

Terry Gold: Yes, but not without a road map. Every organization is unique in its business, the risks, what actors may target and where they’re vulnerable. While making one generic “best practice” improvement may provide some improvement, longer term, it may not have been executed in the most meaningful way for your organization or will remain as such over time, which can result in either becoming a liability or having to be done all over again later.

SIA: Can you explain further?

TG: Sure, take a bullet point, any bullet point that is commonly stated as an improvement. “Make sure to rotate passwords regularly.” Sounds good. But what this statement lacks is the actual prescription – HOW you will define and execute it. I could write several chapters in just one afternoon around requirement considerations that may be an improvement tomorrow but become a liability without an upgrade path longer term. The same goes for networks, especially encryption, and so on. Not to mention that many more critical areas are never even mentioned in the advisory bullets.

SIA: So what approach should end users take?

Jasvir Gill: It’s not a mystery. We don’t need to look any further than what the information security industry has discovered along its decades-old journey to cybersecurity. They recognized early on that they need to take a programmatic approach on how they define their risks, levels of acceptance and guidelines for addressing different domains and then work toward prescriptive measures. This is security program governance.

TG: I’ll point out that before doing any of these generic best practices, it’s likely that your infosec counterparts already have policies and guidelines in place for the same topic (just different systems). It makes sense to try and adopt what they have decided after much consideration. Rather than being at odds, you’ll have an ally and an internal advisor and perhaps even air-cover for what you eventually do. Now, a lot of physical systems are designed differently, and this is where expert considerations, process re-engineering and specific tools come into play.

SIA: Should every organization start a governance program before they start making cyber improvements?

TG: Well, that’s a judgment call as to how far you go before instituting a governance program. At some point, everyone will end up going too far if they don’t. More mature, high security goal-oriented and risk-averse organizations will generally want to know before they go down that road. Making obvious improvements isn’t the debate, but spending time and money on the “how” is where it can go off the rails quickly.

JG: It’s using the wrong yardstick for measurement. An improvement from a place where there was inadequate security doesn’t mean that the improved state is adequate; it’s just better than it was. It should be measured against where it needs to be. This only occurs by carefully considering a range of factors. This is precisely where anecdotal advice gets end users into tough situations.

SIA: We haven’t heard much about “governance” in physical security. Ultimately, how important is it?

TG: Here’s what all top chief information security officers know – your cybersecurity effectiveness can never be better than your ability to govern it. How do we define, execute and ensure it’s being executed? We must know this. Hope is not an effective strategy – at least not in this domain. You must play deliberate chess.

JG: The nature of cyber evolving as a latent demand has left many throttling to move forward – but overlooking governance because they aren’t tightly partnered with infosec where this is a foundational part of how they operate. Since they haven’t been operating either within their group, most aren’t exposed to these lower levels of the foundational planning.

SIA: It sounds like the industry has some catching up to do. How do you think the industry will reconcile the inclusion of governance while cyber doesn’t seem like it’s slowing down to wait for it?

JG: Well, anyone serious about building an enterprise-class security program must do it. If they don’t do it, it will eventually show up later. We see it all the time. As organizations recognize this and physical security continues to not work within its own silo, I’m confident it will become more evident.

TG: I see a point in the industry where many factors demand that professionals take inventory of all these “bullets” and “du jour topics of the day” (privacy, big data, geolocation, etc.) and take a time out to realize that they need to interpret how to build a framework to address all of these concerns. One that is operational, repeatable, scalable and with results that are effective. You can’t do that with a handful of bullets. D6 is seeing many data points to indicate that it’s coming really soon. I predict that governance will be the “big topic” at next year’s ISC West. But being early is the nature of good security.

SIA: OK, so how does an organization start this journey?

TG: Well, that is what this session is all about. We’ll go through what governance is, its different elements and how to get started. We’ll also talk about what can be borrowed from infosec and what can’t. Ultimately, governance is really about building a security program rather than making a few improvements in isolation.

JG: Yes, since physical systems have been designed a bit differently, under different assumptions as to what types of controls should be in them, they may not be capable. So we will talk about these areas, not just limited to technology, but process, people, etc., and as Terry said, how to operationalize this at scale. In the end, organizations will not only be more secure but more deliberate and efficient.

SIA: What will people learn if they attend? Who should attend?

TG: We’ve designed this for the enterprise end user, or any end users that have similar security goals that an enterprise would; however, it’s open and valuable to anyone. Vendors and integrators should understand how their more forward-looking customers are evolving – ultimately, they’ll need to know how to participate in this model.

JG: In addition, we will cover several domains holistically. Therefore, while technology is an obvious topic, there are many other areas within a governance program that can serve as the Achilles heel of cybersecurity and that are overlooked quite often. We’ve designed this as a nine-step domain, with real-world examples, advice and discussion. So, we hope to leave attendees with good context and a path to begin the journey when they get back to the office.

View the full session description here. And learn more about ISC West and register to attend here.

Terry Gold is the principal analyst at D6 Research.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).