  • Thomas Hawkins, Assistant Manager
  • Indy Dhami, Partner
6 min read

Cyber security should be your utmost priority. That is what the ongoing trends tell us. We keep hearing of major cyber events, the financial losses they cause and the long recovery times that follow. The obvious response is to increase cyber security spending and focus on remediation and prevention. But there is more to it. What if you are overlooking a key part of your overall security posture: physical security? By not making physical security a priority, many organisations end up increasing their risk profile. A connected security approach accounts for physical and cyber security together, rather than as separate disciplines.

Physical security rarely makes it to the board agenda

Let’s rewind a bit. As organisations prioritised cyber security initiatives and mitigation, the topic gained attention at board level. This led to the creation of the chief information security officer (CISO) role to own cyber security strategy, investment and mitigation. Whilst this role covers areas such as training and awareness, privacy, and identity and access management, it often does not extend to broader security concerns such as physical security.

It is common to see physical security owned by departments with limited or no clear reporting lines to the board. As a result, when priorities are set for maintenance activities, new security initiatives and the strategy for implementing future controls, physical security is often allocated a smaller budget or has its existing budget cut to save cost. Over time, physical security infrastructure such as access control, CCTV and perimeter fencing becomes inadequate as a form of mitigation.

There is good reason for organisations to make physical security a priority. We have seen several instances where failed physical security controls have led to theft, information leaks or, in extreme cases, serious injury and death. Security incidents generate headlines once the media hear about them, and the type of incident rarely matters: stakeholders will be more concerned with why controls were not in place to protect people, assets and information.

Physical security has existed for years, why should organisations care now?

Physical security has always been a consideration to some extent. So why should it be a priority for investment now? Because the controls put in place years ago need to be shown to still be effective. Management of physical security is often outsourced or overshadowed by other risks. It is fair to say that most organisations have not optimised their current physical security controls and, in some cases, have neglected them as a function that can be ‘installed and left to work’. Like cyber security, physical security requires maintenance, optimisation and regular review to ensure it is delivering its full value as a control for your organisation.

A renewed push from industry standards, regulations and legislation

Those familiar with ISO 22301 and ISO 27001 will be aware of the sections covering physical and environmental security and their importance to achieving compliance. These standards set expectations in areas such as cabling security, asset management, infrastructure security and more.

Organisations, though, have long focused on achieving certification against these standards without really understanding how they add to overall resilience. The standards provide a baseline for good practice and should not be treated as a tick-box exercise. Organisations should review their controls against them and scrutinise how those controls can be improved.

Whilst these standards have existed for several years, two significant recent developments from the UK Government emphasise building resilience with a connected security approach.

Firstly, in December 2022, the UK Government released details of the proposed legislation that has been referred to as ‘Martyn’s Law’. It focuses on increased protection against terrorism in publicly accessible places. The proposal followed the Manchester Arena attack in 2017, where the controls in place to protect concert-goers were judged to be inadequate. It can be argued that this finding about physical security controls applies across a much broader range of public-facing organisations.

The second development is the creation of the National Protective Security Authority (NPSA), formerly known as the Centre for the Protection of National Infrastructure (CPNI). The new authority partners with the National Cyber Security Centre (NCSC) and the UK National Authority for Counter Eavesdropping (UK NACE) to deliver a connected security approach, and its mission statement speaks of building resilience as part of a stronger security capability.

How you can bridge the gap between physical security and cyber security

The priority for leaders should be reviewing and closing the mitigation gaps that stem from known security risks and from active threat actors. As you think about bridging the gap between physical security and cyber security, answering a few questions will help you determine the direction:

  • How does your organisation approach security and resilience?
  • Are physical security and cyber security functions split and are they placed in different areas of the organisation?
  • Do your physical security and cyber security functions share information and industry good practice, and collaborate on security and resilience initiatives?

Once these questions have been answered, put steps in place to create collaboration between the two areas. Physical security and cyber security naturally overlap in areas such as asset management, infrastructure security, identity and access management, and insider risk mitigation. Use these converging topics as drivers for collaboration between both functions.

It is also important to look at how security assets could be further optimised to close mitigation gaps. For instance, review your organisation’s joiners, movers and leavers process end to end as a value chain. Where do you need cyber security and physical security controls to keep your assets, people and organisation secure, and where do these controls overlap? A leaver whose building pass is still active after their network account has been disabled, or vice versa, is exactly the kind of gap that falls between the two functions.
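The leavers check described above can be made concrete by reconciling three data sets the two functions hold separately: the HR leaver feed, the badge-system card export and the identity-provider account export. The following is an added example and not code from the original article or from any named organisation; all records are constructed sample data, and the field names (employee_id, card_id, active, enabled) are assumptions about what such exports contain. It flags leavers whose badge or account outlived their leave date, and separately flags any badge swipe recorded after the leave date, since that shows the gap was actually used.

```python
"""Reconcile HR leaver records with badge-system and identity-provider state.

Added example, not code from the original article. A leaver whose badge or
directory account is still active is a gap between physical and cyber
security. All records below are constructed sample data; the field names
(employee_id, card_id, active, enabled, ...) are assumed export formats.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: employee id -> last working day.
HR_LEAVERS = {
    "e1001": date(2023, 1, 31),
    "e1002": date(2023, 2, 15),
    "e1003": date(2023, 3, 3),
}

# Constructed badge-system export: one row per issued card.
BADGE_CARDS = [
    {"employee_id": "e1001", "card_id": "C-771", "active": True},
    {"employee_id": "e1002", "card_id": "C-772", "active": False},
    {"employee_id": "e1003", "card_id": "C-773", "active": True},
    {"employee_id": "e1004", "card_id": "C-774", "active": True},  # current staff
]

# Constructed identity-provider export: one row per directory account.
IDP_ACCOUNTS = [
    {"employee_id": "e1001", "username": "user1001", "enabled": True},
    {"employee_id": "e1002", "username": "user1002", "enabled": True},
    {"employee_id": "e1003", "username": "user1003", "enabled": False},
    {"employee_id": "e1004", "username": "user1004", "enabled": True},
]

# Constructed badge swipe log: (date, card_id, door).
SWIPE_LOG = [
    ("2023-02-02", "C-771", "Door-B-Lobby"),
    ("2023-03-06", "C-773", "Door-A-ServerRoom"),
    ("2023-03-07", "C-774", "Door-B-Lobby"),
]

AS_OF = date(2023, 3, 10)  # the date the reconciliation is run


@dataclass(frozen=True)
class Finding:
    employee_id: str
    control: str          # "badge", "account" or "badge-used"
    detail: str
    days_since_leave: int


def reconcile_leavers(leavers, cards, accounts, swipes, as_of, grace_days=0):
    """Return one Finding per leaver whose physical or logical access outlived
    their leave date by more than grace_days, plus one Finding per badge swipe
    recorded after the leave date (proof that the gap was actually used)."""
    cards_by_emp = {c["employee_id"]: c for c in cards}
    card_owner = {c["card_id"]: c["employee_id"] for c in cards}
    accts_by_emp = {a["employee_id"]: a for a in accounts}
    findings = []

    for emp, left_on in leavers.items():
        overdue = (as_of - left_on).days
        if overdue <= grace_days:
            continue  # future-dated leaver, or still inside the agreed revocation window
        card = cards_by_emp.get(emp)
        if card and card["active"]:
            findings.append(Finding(emp, "badge",
                                    f"card {card['card_id']} still active", overdue))
        acct = accts_by_emp.get(emp)
        if acct and acct["enabled"]:
            findings.append(Finding(emp, "account",
                                    f"account {acct['username']} still enabled", overdue))

    for when, card_id, door in swipes:
        emp = card_owner.get(card_id)
        if emp not in leavers:
            continue  # card belongs to current staff, or is not in the export
        swiped = date.fromisoformat(when)
        if swiped > leavers[emp]:
            findings.append(Finding(emp, "badge-used",
                                    f"card {card_id} used at {door} on {when}",
                                    (swiped - leavers[emp]).days))

    return sorted(findings, key=lambda f: (f.employee_id, f.control))


def run_example():
    """Run the reconciliation over the constructed sample data."""
    return reconcile_leavers(HR_LEAVERS, BADGE_CARDS, IDP_ACCOUNTS, SWIPE_LOG, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.employee_id} {f.control:<10} {f.detail} "
              f"({f.days_since_leave} days after leaving)")
```

On the sample data the script reports six findings: e1001 still has both a live card and an enabled account and swiped in two days after leaving; e1002 lost the badge but kept the account; e1003 lost the account but kept the badge and used it to reach the server room. Neither the badge team nor the identity team would see the full picture from its own export alone, which is the point of running the two together. The grace_days parameter lets the check track an agreed revocation service level rather than flagging same-day leavers.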

Finally, security in all its forms deserves board-level attention, investment and ownership. Physical security and cyber security should be equally prioritised at board level so that the mitigation gaps between the two areas can no longer be exploited. Look to create an operating model with clear reporting lines from the operational levels of cyber and physical security into strategic, board-level ownership. This could sit within the role of the CISO or within the role of a chief security officer (CSO).

A comprehensive approach with collaboration can help your overall security posture, making your organisation more resilient against threats.

Five key considerations

  1. Converge your strategies for physical security and cyber security, as both deserve equal board-level investment, ownership and attention, converting awareness into positive behavioural and cultural change.
  2. Encourage collaboration between the security disciplines and explore how this combined approach improves the resilience of your organisation’s value chain.
  3. Use the renewed drive from regulation and legislation as an internal engagement opportunity for security improvements.
  4. A connected security approach should encourage optimisation of both cyber and physical security, and use data to drive security decisions and investments.
  5. Develop a resilience and security playbook; its components act as preventative and proactive enablers for mitigating risks and threats within your organisation.