Have you considered?
- Do you have a holistic security strategy that covers both cyber and physical defence?
- Do your cyber and physical security teams work to a single plan?
- Do you monitor and understand the human aspects of cyber threats?
Do Physical and Cyber Silos Create Organizational Vulnerability?
Leaving a meeting with a senior IT Security Manager to explore how physical security and intelligence could support and partner with cybersecurity, it struck me how far apart the functions were in terms of outlook, culture, and priorities. Whilst the IT team were sympathetic, the last thing they needed was the support of a team that would likely provide intelligence on criminal activity targeting and breaching their systems; they had enough on their plate fighting ‘the patching war’. Such intelligence might have been perceived as detecting weakness in the system which could be perceived as a failure by senior management with very little understanding of such issues and would almost certainly increase their workload and force them to demand more resources which never goes down well.
As this respectful stand-off persisted, it was clear that the cyber and physical threat environments were increasingly merging and that siloed physical and cyber defences were increasingly lagging the threat, and therefore the organisation was becoming more vulnerable. This caused tension, the physical security and intelligence team becoming frustrated as good actionable intelligence went unactioned and the IT Security Team perturbed by the potential extra work and complexity. I suspect that similar situations continue today to greater and varying degrees.
Surely logic would dictate that a merged cyber/physical threat can only be effectively countered by a merged cyber/physical defence.
The forming of working groups and holding endless liaison meetings to align teams are all very well and produce ‘constructive statements and words’, but rarely achieve significant change. The two teams still have separate cultures, organisation, objectives, and budgets. This said, such working groups and meetings do create good internal press extolling the virtues of business partnering and creating an ‘emperor’s new clothes’ environment; rarely are the effects and claims of progress tested.
It’s time to reconsider corporate security organisations to better meet the threat. Physical Security and Intelligence and Cyber Security teams should be merged into a single team under a single point of ‘command’. The name of the team should reflect the merged purpose – Enterprise Security Defence Team? – rather than anchoring to the past in terms of cyber or physical. The benefits of the new team are clear and include:
- Unity of ‘Command’
- Working to one aim and plan
- One Vision
- Concentration of effort
- Enhanced capability
- Improved focus on threat and intelligence
- Single ways of working
- Improved efficiencies and cost savings
- Cross-pollination in skills
- Single culture
- Improved business partnering as a single point of contact
- Improved performance management
But, Dismantling the Fiefdoms Won’t be Easy
Of course, this is easier said than done and I do not underestimate the challenges of breaking silos, changing ingrained culture and dismantling fiefdoms. Who in senior management above the Chief Information Security Officer (CISO) and Chief Security Officer (CSO) has the knowledge and vision to lead change? The internal politics will be a major challenge, as such a change will cut across different organisations that are probably under different leadership.
The issue of leadership of the team will be high on the agenda; repurposing CISOs and CSOs may not be the answer. CSOs are experts in threat intelligence and management and the tradecraft of security – physical security, technical security, investigations, guarding operations, fraud management, travel risk etc. CISOs are experts in IT operating platforms, data management and processing platforms, system security and system design. So maybe the ‘new team’ needs to be led by a new security leader, a security professional with enough knowledge and experience in both areas to deliver a balanced capability. Whilst such blended leaders may be rare now, this is a great opportunity to start developing the ‘Enterprise Security Defence’ leaders of the future through cross-pollination in the training and development of security professionals.
As ever, the devil is in the detail and there will be many cultural, organisational and HR hurdles to be crossed, but perhaps the current upheaval will enable companies to ‘wipe the slate clean’ and give them the opportunity to re-calibrate their security defences.