Converging physical and cybersecurity
An industry expert makes the case for giving federal IT departments responsibility for all aspects of security.
President Barack Obama's Executive Order on Improving Critical Infrastructure Cybersecurity and his Presidential Policy Directive on Critical Infrastructure Security and Resilience are two of the first official acknowledgments of the inextricable link between physical and cybersecurity. Those directives assert that to protect critical infrastructure, federal departments and agency heads must lead the charge to strengthen cybersecurity and increase collaboration and accountability among the infrastructure's public and private stakeholders. Ultimately, federal agencies bear the responsibility of security outcomes.
The directives empower federal organizations to embrace holistic security measures to protect our nation's critical infrastructure, buildings, assets, information and people. In order to achieve a truly holistic approach, federal organizations must close the schism between physical and cybersecurity divisions.
The most effective course of action is to form a homogenized security program under the command and control of federal IT. Here's why:
1. The old dichotomy is outdated and cumbersome. Currently, network and information security falls under the purview of federal IT, and responsibility for physical security resides with facility managers or superintendents. That structure is indicative of an antiquated view of security. As the cybersecurity policy directive so aptly states, "U.S. efforts shall address the security and resilience of critical infrastructure in an integrated, holistic manner to reflect this infrastructure's interconnectedness and interdependency."
Ignoring security silos ignores the nature of modern threats and leaves gaping holes in security strategy that beckon malevolent actors to exploit. Instead, federal organizations must implement systemic mechanisms that enable security personnel to monitor, analyze and respond to threats occurring at any point of entry into the organization, regardless of whether the threat or entry point is physical or virtual in nature.
By combining access, management and reporting functions into a single-pane-of-glass system, attacks on one or more threat vectors would immediately trigger a proactive response across all other areas of vulnerability. Such a unified threat management system for physical security would act like its data security counterpart in form and function and would allow human management, oversight and deterministic response to evolve ahead of the threat.
2. Federal IT professionals already have the technical skills to secure physical assets. In many ways, "physical security" is a misnomer because it ignores the sophisticated surveillance, access control, and visitor management tools and solutions organizations use to keep physical assets safe. From this perspective, federal IT is the logical choice to take control of a unified security program. The tools fall in its wheelhouse. More important, federal IT and cybersecurity professionals already understand the theory, application and nuances of holistic security from their experience with cybersecurity.
If you look at the historical evolution of IT security mechanisms and controls, physical security is five to seven years behind cyber in terms of convergence. A unified physical and cybersecurity system would enable organizations to leapfrog a decade of incremental progress.
3. Federal security leaders could achieve more with less. In an era of budget austerity, consolidating physical and cybersecurity systems under the purview of federal IT offers many benefits. From a technology investment standpoint, the drivers behind the tools are interconnected. As a result, most security management systems, tools and processes can be modernized to interoperate with new and existing systems quickly and cost-effectively.
Although physical security lags behind cyber, the unified system would not introduce inefficiencies. In fact, security personnel could avoid the potential for labor-intensive controls and processes related to monitoring, managing and reporting physical security data by adopting the same computer-based efficiencies established for cybersecurity disciplines.
Furthermore, security consolidation supports several of the objectives set forth in U.S. CIO Steven VanRoekel's report on fiscal 2014 budget priorities for federal IT. Consolidation increases technology's total return on investment, capitalizes on innovative technologies and processes to achieve department and mission objectives, and uses data analytics to make more informed strategy and process decisions. In fact, adding physical security to federal IT's responsibilities would expand its purview and budget power.
4. Critics of convergence forget that change is inevitable. Some security stakeholders might oppose converging security because it could translate into an overhaul of organizational hierarchies, job titles and qualifications, and regulatory oversight. In reality, federal agencies have successfully completed similar transitions in the past. The best example that comes to mind is the FBI's transition in the 1980s, when the advent of computers unleashed an entirely new breed of criminals whose crimes required investigators who were skilled in technical forensics. Some agency veterans resisted the personalities, qualifications and training requirements that came with the new roles. Ultimately, the organizational shift happened -- because it had to happen -- and was carried out gradually.
Similar to the new face of an FBI agent, the federal security manager of the future will have knowledge of both physical and cybersecurity principles and practices, and will apply security solutions that hunt for unified threats. The control systems that he or she uses will report events in real time and apply actions across all applicable control systems in a proactive response, all with clear and manageable human oversight and control.
In the end, the security benefits and ROI of adopting a unified security program far outweigh the initial discomfort and investment in transforming the security organization.