Cybersecurity Tips: Collaborating for the Collective Defense

In this article, learn about the importance of collaboration in defending against cybersecurity threats, the changing cybersecurity landscape, the need for greater transparency in building an effective business case, cyber-physical security convergence, how to foster collaboration for the collective defense and more. These tips were developed with the Security Industry Association’s (SIA’s) Cybersecurity Advisory Board during Cybersecurity Awareness Month 2021 as part of SIA’s efforts to promote responsible connectivity and encourage SIA members to strengthen their cybersecurity postures.

Why is collaboration so important?

Traditionally, physical security has managed its programs separately from the main operations of a business. This occurred due to the unique scope of the physical security and the industrial focus of systems which were designed to perform specific tasks autonomously and reliably, often through proprietary software within custom designed hardware. While this approach met contemporary expectations when managed in isolation, the ability to integrate into business operations as the rest of the organization evolves has been limited.

End user requirements are developing faster than the security industry is currently keeping pace. End users are increasingly demanding that they gain secure access to all operational data from their systems while making it available to nonsecurity stakeholders to realize the benefits of a heightened awareness of potential threats and operational insights.

In order to access siloed physical security data, there needs to be an element of openness within the confines of consistent robust cybersecurity risk assessments and mitigating measures. This cannot be achieved without a different approach to collaboration between physical and IT security, as well as other domains across the organization.

What has changed?

The expectations of organizations are evolving, and business case expectations are higher. Although from industrial origins, physical security infrastructure is evolving to become like IT and therefore needs similar function and maturity to be properly managed.

Physical security departments face increasing challenges for funding capital investments needed for upgrades, and executives who approve them demand they deliver benefits that enable the business in meeting organizational objectives, in addition to security improvements. In order to demonstrate this type of value, vendors need to innovate based on new perspectives, while practitioners need to leverage methodology and lessons learned from IT, which has been down this road for some time. In many cases, rather than duplicating resources and systems, it makes sense to consider ways to integrate, consolidate or collaborate.

While chief information officers (CISOs) have already gone on the journey to learn how to communicate and sell security to executive stakeholders, physical security is just starting on that journey. As a result, stakeholders have come to expect a security conversation and business case to be as effective as with the CISO. Sadly, this is often not the case, leading to deferred budget requests.

Nothing new can take shape without an effective business case that can compete effectively against dozens of others (only a small percentage get approval).

Effective Business Cases Require Greater Transparency

Physical security practitioners face aging systems, while threats continue to evolve. In addition, pressure for greater efficiency (to either meet mandates or “do more with less”) is increasing but requires investment since their existing systems weren’t designed for these objectives.

Building an effective business case to nonsecurity executive decision makers requires significant transparency into how the program operates, containing clear metrics, with visibility into how the current program isn’t up to the task. This is measured against the expectations imposed throughout the rest of the organization (for example, ability to meet cybersecurity policy, alignment with governance and compliance, privacy, efficiencies and mandates).

This invokes the type of exposure that the silo was designed to isolate physical security from in the first place; however, executives are rational, and approvals have decreasing chances getting approved without exhibiting the same expectations/performance as every other department.

Now stakeholders will start to realize that physical security may not comply with many policies and guidelines as they start to get audited (by either internal audit or third parties). Therefore, physical security can no longer function in the same way, as it’s unlikely that the business will look the other way or approve that it can continue as an exception to how the rest of the business operates.

Physical security is becoming like IT

From how applications are designed to APIs, cloud or even how identities are managed, physical security systems are looking more and more like IT. The search for intelligence requires smart devices and applications to drive further architecture alignment. How these systems are governed, managed and serviced will need to change as well.

Physical security professionals will need to become experts in this area or look to collaborate with those who already are experts in their organizations to take on responsibility (a much more realistic and feasible model).

This applies further pressure to physical security manufacturers because in most cases, enterprises IT (IT operations, etc.) are unwilling to take over systems and processes that they can’t manage with their own standard tools, procedures and skill sets that they’ve carefully invested in already. As a result, current physical systems will need to comply or at best get deprecated support and service level agreements.

Proactive versus reactive security

A core tenant of physical security is to prevent incidents and secondarily (when the first isn’t possible) to reduce the impact. The industry has largely implemented a rearview mirror to find out what has occurred after it’s happened (by seeing the event or being reported to them). This is generally the least desirable end of the outcome’s spectrum.

The industry needs to move toward a preventative model, which is predictive in nature inclusive of analyzing real detection versus event logs. Risk needs to be defined to understand what events really mean in context to the business risk.

However, in the current physical security systems model, collecting more data would lead to requiring increased staffing to review and determine what’s important and still wouldn’t be able to keep up. However, artificial intelligence, machine learning (self-learning), robotics and process automation are in many respects better than humans at these tasks – and incredibly more scalable. AI-based analysis is already being leveraged this way across other functions within the enterprise. 

In summary, integrating data increases the value of the data. However, this requires an improved cybersecurity position (than in the past) to ensure integrity of the data the business increasingly relies on, to trust the decisions made from it and actions being because of it. Otherwise, this could have adverse outcomes (accidental or targeted).

Ultimately, all of the improvements mentioned, from transparency and metrics to integrations and how the data will flow to how it will be secured and maintained, requires a mature governance program – which very few physical security programs presently have. 

The solution for this is for physical security to come into the fold of the governance principles that the rest of the organizations already comply with, for the most part. This requires working information security, inviting auditors to interrogate systems and the program and determine nonconformance and appropriate remedy.

Overcoming a lack of budget

Even with improved business cases, the reality is that physical security will never get enough budget (seldom to any departments do); however, they will still need to look forward to achieve objectives which are dependent upon new systems, capabilities and resources. With other initiatives for intelligence, automation and custodial management in other areas of the enterprise already underway, it’s possible to have certain systems integrate and incorporate new functions into physical security with less investment than doing so on their own with separate systems and budget.

Joint requirements planning

Through collaboration, stakeholders should look holistically at blended threats arising from the converged intelligence stream (sharing data). The joint security operations center function becomes the center for a single version of the truth for visibility, investigation and response. This can only happen through the development of controls that require elements from both sides to implement resilience to prioritized organizational risks.

Key takeaways: How to foster collaboration for the collective defense

  1. Understand the evolving needs of the overall business, including organizational risk, the value of security data in the operational process, rather than considering physical security being a disparate activity.
  2. Embark on educational programs to acquire the knowledge and skills needed to hold meaningful dialogue with IT stakeholders.
  3. Create a road map for convergence of the physical security by implementing a formal governance program that incorporates engagement with audit, privacy, IT operations and information security.
  4. Collaborate with the physical security manufacturers and encourage them to be more transparent about their API structures and legacy support commitments.
  5. Create compelling cybersecurity risk-based business cases for the management, modernization, upgrade and integration of physical and IT systems.

Looking for more resources on cybersecurity? Check out the Cybersecurity Advisory Board page and this blog post highlighting SIA’s educational content related to breaches and cybersecurity.