In an age of mobility, agility and cloud-centricity, our industry is currently grappling with a generational shift in attitudes towards the relevancy of physical security. Yet, failure to do enough in this area still poses disastrous consequences to the enterprise. In this article, we will provide some insight into this challenge and some practical principles to address it.
It goes without saying that heading up the job of securing an enterprise in the world of today is a pretty tough gig. In many ways, the CISO has enormous expectations placed on their shoulders to be a multi-faceted wizard who has to out-think, out-strategise and out-do every person that has it in for the organisation. To paraphrase the defender’s dilemma, “the attacker only has to be right once; the defender has to be right 100% of the time.”
Now, whether you actually believe this fatalistic point of view is beside the point – the real point is that this is a perception commonly held by those holding the purse strings. Reality might placate our sense of dignity, but perception pays the bills.
The current challenge is that history is working against us. From the ground-shaking booms in personal computing, off-site data centres and the emergence of the internet, through the turbulent waters of BYOD/T, de-perimeterisation, cloud, IoT and beyond, it is easy for the lay user inhabiting their ergonomic hot-desk collaboration space, fully immersed in their omni-channel customer experience, to be under the impression that we’ve transcended anything as mundane as the physical. It might also be easy for beleaguered security professionals to look around and question whether we have indeed ceded the battlegrounds of physical security, and should therefore retreat from the ramparts and head towards the safety of the keep, where the fires of Zero Trust architecture will keep us warm at night.
And yet, physical security is not something a CISO can afford to have trivialised.
Whether it’s about limiting the ability to plug a tiny rogue device in the corporate network, protecting sensitive physical records or stopping someone from stealing disk drives to crack your enterprise passwords, physical security addresses a myriad of risks, whose consequences range from those that can seriously undermine the rest of the enterprise security program, to those that can directly harm the mission of the enterprise itself, or even threaten the safety and well-being of its people. The methods and techniques to exploit these holes are only getting more accessible, easier to use and cheaper to acquire.
There are also a myriad of complexities to navigate. In some organisations, physical security may be deemed entirely in the remit of other teams (or entire companies) outside of the Information Security team; in these organisations, any member of the Information Security team (or anyone wearing this hat) might be politely told that these issues are none of their concern. In other organisations, there may not even be the barest notion of a person keeping an eye on the front desk to the office building (if you even have a front desk); in such organisations, the problems of unauthenticated couriers, service and trades personnel or even members of the general public passing through completely unchecked might be met with a casual and apathetic shrug of the shoulders.
The reality is that the CISO must have visibility over – if not a direct hand in the management of – physical security. That’s why physical security considerations form a key component of auditable frameworks and standards like ISO 27001/27002, SOC 2 and PCI DSS. It is also a great area to use in the apologia articulating the difference between Information Security and IT Security.
So physical security matters. What then do we do about it?
Well, like many things, there isn’t a one-size-fits-all answer to this. What to do about it is less useful than how to go about it, and for that, it helps to bear in mind three key principles to help you determine the best outcome you can achieve for your organisation.
1. Get the mandate or get them to live with it
It doesn’t matter how smart you get with this, if you haven’t got the mandate from the highest levels, then you either need to get it from them or pin them with the ownership of that risk – it’s as simple as that. To do that, try following my 2-step rule with risk management:
1) Is the person in front of you the right person to make the decision? If not, go one step higher.
2) Do they understand the risk? If not, go one step higher. If it is the right person and they do understand it, job done – go home and sleep at night.
2. Define “normal”
Any good incident handler will tell you that the critical element in detecting a breach is knowing what normal looks like. Your aim is similar to the SWAT team mantra – “bring order to chaos”. The point of your controls is not to prevent everything but to define buckets of normal everywhere and make sure people are operating within them, so that you can clearly see (detect) the unusual, starting with the outliers. It’s not about prevention, it’s about minimisation, and this is one way to achieve that.
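As an added illustration (not code from the article), here is what “define normal” can look like when applied to a door badge-reader log: one week of swipes is used to learn, per badge, which doors a person normally opens and between which hours, and the day under review is then reduced to the swipes that fall outside that baseline. The log format (ISO timestamp, badge ID, door, result) and every event below are constructed for the example.

```python
"""Baseline-and-outlier review of badge-reader events.

Added example: the log format and all events are constructed, not taken
from any real access-control system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: two ordinary days of swipes used to learn what "normal" is.
BASELINE_LOG = """
2024-03-04T08:02:11 B1001 lobby granted
2024-03-04T08:03:40 B1001 floor3 granted
2024-03-04T17:31:05 B1001 lobby granted
2024-03-04T07:55:22 B1002 lobby granted
2024-03-04T07:56:01 B1002 floor3 granted
2024-03-04T12:10:44 B1002 server_room granted
2024-03-04T18:05:30 B1002 lobby granted
2024-03-05T08:10:09 B1001 lobby granted
2024-03-05T08:11:15 B1001 floor3 granted
2024-03-05T17:45:00 B1001 lobby granted
2024-03-05T08:00:13 B1002 lobby granted
2024-03-05T13:20:50 B1002 server_room granted
2024-03-05T18:00:02 B1002 lobby granted
"""

# Constructed: the day under review, seeded with a late-night visit, repeated
# denials at a sensitive door, and a badge never seen before.
REVIEW_LOG = """
2024-03-11T08:05:10 B1001 lobby granted
2024-03-11T08:06:02 B1001 floor3 granted
2024-03-11T22:14:37 B1001 lobby granted
2024-03-11T22:15:58 B1001 server_room denied
2024-03-11T22:16:05 B1001 server_room denied
2024-03-11T07:58:44 B1002 lobby granted
2024-03-11T12:30:12 B1002 server_room granted
2024-03-11T09:40:00 B9999 lobby granted
"""

HOUR_SLACK = 1  # tolerance (hours) either side of the learned window


def parse_log(text):
    """Parse 'timestamp badge door result' lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per badge: the doors it normally opens and the earliest/latest hour seen."""
    baseline = {}
    for e in events:
        if e["result"] != "granted":
            continue  # denied swipes do not define normal
        b = baseline.setdefault(e["badge"], {"doors": set(), "earliest": 24, "latest": -1})
        b["doors"].add(e["door"])
        hour = e["ts"].hour
        b["earliest"] = min(b["earliest"], hour)
        b["latest"] = max(b["latest"], hour)
    return baseline


def find_outliers(baseline, events, repeat_denials=2, denial_window=timedelta(minutes=5)):
    """Return (badge, reason, event) for every swipe that falls outside the baseline."""
    findings = []
    recent_denials = defaultdict(list)
    for e in events:
        badge, door, hour = e["badge"], e["door"], e["ts"].hour
        b = baseline.get(badge)
        if b is None:
            findings.append((badge, "badge not seen in baseline", e))
            continue
        if e["result"] == "denied":
            # Keep only denials at this door inside the window, then count them.
            recent = [t for t in recent_denials[(badge, door)] if e["ts"] - t <= denial_window]
            recent.append(e["ts"])
            recent_denials[(badge, door)] = recent
            if len(recent) >= repeat_denials:
                findings.append((badge, f"{len(recent)} denials at {door} within {denial_window}", e))
        if e["result"] == "granted" and door not in b["doors"]:
            findings.append((badge, f"door {door} not in baseline", e))
        if not (b["earliest"] - HOUR_SLACK <= hour <= b["latest"] + HOUR_SLACK):
            findings.append((badge, f"hour {hour:02d} outside normal {b['earliest']:02d}-{b['latest']:02d}", e))
    return findings


def review(baseline_text=BASELINE_LOG, review_text=REVIEW_LOG):
    """Learn the baseline, then return the outliers in the reviewed log."""
    baseline = build_baseline(parse_log(baseline_text))
    return find_outliers(baseline, parse_log(review_text))


if __name__ == "__main__":
    for badge, reason, e in review():
        print(f"{e['ts'].isoformat()} {badge:6} {e['door']:12} {e['result']:8} <- {reason}")
```

Run as-is, the unknown badge B9999 is reported once, and B1001’s three swipes after 22:00 are all flagged as outside that person’s 08–17 window, with the second server-room denial additionally flagged as a repeat; B1002’s midday server-room visit is not flagged because it is normal for that badge. The baseline here is deliberately crude (a set of doors and an hour range per person); the point is that once “normal” is written down, even in this simple form, the unusual becomes a short list you can actually look at.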
3. Assume the worst and get on with it
This principle is useful when meeting resistance over a given proposed control. It resonates with the well-espoused industry catchcries “you’re already hacked” and (particularly in law enforcement circles) “if someone wants to get in, they’ll get in”. It’s not an absolution to give up, but rather the realisation that no control on its own will do the job. Only a totality of controls will win the day, so get on with this one.
Remember: you may be the last line of defence – if you aren’t losing sleep about an uncontrolled risk, then no one else is, and this holds especially true of physical security.