It's time for the IT security team and the physical security team to work together on a "cyber-physical" security strategy.

Guest Commentary, Guest Commentary

November 6, 2017

4 Min Read

Most companies are aware of the critical importance of security. There’s a good chance that your company has a top-notch IT security team that has the firm’s IT resources locked down tight. They’ve implemented a best-in-class security infrastructure.

Yet, what happens when someone walks into the server room and plugs in a USB device that presents itself as a keyboard or storage device? The answer is: they’re in. Looking at security from an IT-only perspective creates a dramatic hole in that best-in-class security infrastructure.

In most companies I work with, the IT security team and the physical security team (if there is one) do not communicate effectively. The IT team implements software and hardware solutions to protect security; the physical team does the same thing, often competing for the same funding. The reality is, these two teams should be working together to present a common risk picture so top management can look strategically at how best to cost-effectively manage risk.

To create a truly secure environment, companies must move toward embracing a cyber-physical nexus -- a collaboration where the IT security side and physical security side come together for the overall protection of the company.

It can be difficult to know where to start toward creating this new, cohesive cyber-physical relationship. That said, there are several steps you can take to start the process.

Step one: Start with an opt-out approach

Far too often, the people making the decisions as to who should be involved in the solution are not completely aware of all of the parties who may have responsibilities in the issue. While the omission is usually not intentional, it can easily omit key players from the table. This leaves the opportunity for gaps in early decision making or causing unengaged parties to disrupt the process much further down the line.

It is essential to have the right people at the table from the start. You can accomplish this by initially casting the net widely. Invite people to the conversation and let them decide if they should be involved, essentially allowing them to “opt out” of the process. The fear in doing this is that too many people may show up, and they may. That said, the numbers will start to dwindle once regular meetings and tasks are put in place; at that point, you’ll have a solid team with the strongest investment in the outcome.

Step two: Review policy and operational issues

A significant factor in successfully embracing the cyber-physical nexus will involve both policy and operational changes. If the two sides are currently proceeding independently, there is likely some operational wall that must be removed. Identify these walls, remove them, and build new policies and operational guidelines that involve both working in concert.

Step three: Involve the C-suite

Embracing the cyber-physical nexus is not a budget issue, it’s a corporate risk-management issue. As the C-suite has a far broader view of the organization than either the cybersecurity or physical security side alone, it is essential to involve -- or, at least get buy in -- from the highest levels. Engage the people who have visibility, and responsibility, across the company. A successful cyber-physical nexus requires this bigger-picture perspective and partners who can make decisions regarding enterprise risk management across the organization.

Making it work

Once the two sides are working together, there are still tasks to accomplish to ensure the cyber-physical efforts are successful. Far too often I work with companies that assume they’re “done” once the cyber-physical nexus has been successfully established; in reality, the work has only just begun.

First and foremost, institute employee training; include both the IT and physical side. Create a new security training plan, from scratch, to get the full benefit of the new nexus. There should be one program, not two.

Once the security training plan has been implemented, conduct exercises, which, of course, involve all parties involved in this joint cyber-physical nexus. This is the step that most companies miss; it is also the one that will provide the most information on where the plan will fail and how best to take steps to strengthen the organization.

Remember, the goal of a security exercise is to stress the system, to exercise toward true process improvement. Create and conduct exercises that bring you to the brink of failure. An exercise that “goes perfectly” had a really bad design.

The goal of embracing a cyber-physical nexus is to enhance your company’s overall security posture -- not just IT security and not just physical security -- and to mitigate corporate risk across the enterprise. What’s your role in this equation? Don’t wait for someone to knock on your door; take the first step and knock on theirs.

Nitin Natarajan is a principal at Cadmus, a business management consulting firm in Washington, DC. Natarajan has more than 20 years of experience leading homeland security, emergency response, healthcare and public health and environmental initiatives at the Environmental Protection Agency, the National Security Council, the Department of Health and Human Services, and local government.

About the Author(s)

Guest Commentary

Guest Commentary

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights