Stuart Rawling, Vice President of Market Strategy, Pelco, argues for greater alignment between IT and physical security.
IT versus physical security. In the modern enterprise, the struggle remains. IT departments tasked with protecting the corporate network can be at odds with physical security departments in charge of protecting people and property. While both groups share the common goal of safeguarding critical assets and information, the means by which this actually happens can often create challenges and confusion, spurred by the fact that many devices on the market today lack fundamental cybersecurity features or documentation that can be leveraged to help protect devices and data.
For so long, physical security and IT teams did not have to communicate with each other. The two departments were segmented with separate budgets, network requirements and equipment needs. However, this overly siloed approach often led to conflicts over how best to protect an organisation from threats — both to the network and to a facility’s perimeter. With the growth of IP cameras, data analytics, virtualisation, cloud-based services/solutions and intelligent devices now housed on a company’s network, the IT department has become an integral part of the installation and setup process; however, security manufacturers and their integrator partners generally lack the basic tools needed to communicate effectively with IT leaders.
The question remains: How can manufacturers and their integrator partners ensure that physical security directors can efficiently and effectively work with their IT counterparts?
The IT/security relationship challenge
In a recently published study of 1,000 IT decision makers across Europe, 77% of respondents claim that today’s physical security systems are not optimised for IT functionality. In the same survey, 20% of respondents say that physical security improvement is a priority for this year. Another research survey from the Ponemon Institute showed that 90% of the 3,000 respondents said they were forced to deal with multiple departments within their department to execute security patches, taking an average of 12 days for most IT departments. Another 80% (in the same survey) said they don’t have a common view of applications and assets across security and IT teams.
Read that again: 80% don’t have a common view!
These numbers demonstrate an acute disconnect between the teams that highlights the need for more attention on the collaboration front than previously seen across an organisation. Now with the ever-emerging evolution of digital attacks and the need for cybersecurity protocols, the CSO and CIO are calling the shots. But this isn’t simply a “you do this and I do this” mentality. Security consists of a trio of people, processes and product technology that encompasses both departments in an effort to protect data and assets. In the modern enterprise, infrastructure management and connectivity need to be vetted by the IT department, as traditionally, “security” guys aren’t well-versed in cybersecurity.
Another challenge that has continually created a barrier between these departments has been securing funding for capital expenditures aimed at protecting both data and facility assets. In many instances, the two competed for the resources needed to meet basic goals. Now, however, as the lines become blurred, expenses that align with the priorities of both can be shared. For example, remote monitoring tools allow IT teams to respond remotely to emerging incidents, like cyber breaches, increasing their ability to respond quickly and effectively to a potential threat. On the facility security side, the ability to remotely monitor incoming alarms or events provides added insight into how best to respond to a physical incident. Taken together, this increases each department’s situational awareness of the health and wellbeing of the entire organisation, while sharing the expense incurred to secure this technology.
The cybersecurity challenge
Cybersecurity issues involving a full range of security systems — and most notably video and video management — have been at the forefront of the conversations across the industry over the last several years. And this is for good reason. Last year, researchers from the Ponemon Institute found a 17% increase in cyber attacks and nearly 30% increase in attack severity (as reported by IT security leaders). In the news, the public hears of breaches happening almost every day, highlighting that the security of an organisation is only as strong as its weakest link.
For some, that weakest link comes in the form of devices connected to the network that utilise either factory-set passwords or low-tier security protocols. In these instances, IT departments play an integral role in determining where these weak links are and the best methods by which to address this challenge. This includes not only technology-driven safeguards, but a human element, as well. Today’s organisations must have the foresight to highlight basic protocols for employees to follow when placing a device on the network (which can mean anything from a cell phone, laptop or video security camera). Businesses must have a solid security plan in place that brings together both human and cyber elements in an effort to protect against evolving threats.
For a manufacturer, cybersecurity protocols also have to be at the forefront of every conversation about the design and development of a product, software program or device. At the core of this mission is the demand being set by the customer: a combination of IT and physical security teams working together. This goes back to the three Ps mentioned earlier: people, process and product technology. This three-pronged approach is heavily intertwined: product technology has to be enabled by the processes in place, because even good technology can be “broken” by poor processes. For example, advanced encryption capabilities can easily be undone by a password that is quite literally “password,” which can easily be guessed.
The good news is that manufacturers are producing best-of-breed cameras and video management systems that have capabilities that allow for the easy deployment and maintenance of cyber-related settings, such as security certificates. Bringing the password debate back into this as an example, these security certificates can help virtually eliminate the debate between security and convenience that often plagues these teams (i.e., the need for two-step authentication, etc.).
On the product side, the design process must consider the overall network security long before a device is placed on the actual network. This means engaging in a rigorous qualification process across the supply chain that incorporates source component qualifications in an effort to ensure the pieces of a device are secure from day one. Customers often look for this level of detail when choosing a manufacturer, which means placing a premium on these requirements benefits the relationships made down the line.
Cybersecurity protocols can also be met with these stringent product qualifications through hardening guides, which allow additional goals to be met for cyber initiatives. The challenge lies in finding a manufacturer that puts product components through their paces in an effort to deliver the most secure possible device.
The integrator challenge
One of the most important relationships for IT and physical security leaders is that of the integrator partner. No matter how advanced the technology, there is still a need for people to configure and look after the systems that are in place — and these partners must prioritise knowledge of cybersecurity protocols in their training plans. Forward-thinking integrators are characterised by the ultimate goal of providing the best possible service to customers, and in today’s modern enterprise this means being well-versed in IT protocols and language while balancing the relationship with physical security.
While more and more manufacturers are building cybersecurity measures and features into their products at a very early stage, there’s still a significant skills gap between the product’s delivery and when it’s installed that must be filled with knowledge from a trusted integrator partner. There are integrators who feel like they might be left out of the conversation around cybersecurity, so it’s critical that manufacturers continue to offer robust training and product updates to ensure the most accurate information is being communicated to end user customers as soon as possible.
The answer: Robust security policies
End-user awareness of cybersecurity fundamentals is being driven by the relationship that IT now has with the physical/facility security aspects of an organisation. As a result, the most important consideration to make when bringing the two together is to create an exceptional security policy that addresses all aspects, including the human element, device hardening and the role IT leaders play in the overall security — both physical and network — of an organisation.
At the core is listening. To customers. To integrator partners. And to the IT leaders that are tasked with protecting what we can’t always see. Manufacturers who do so will continue to deliver devices that will protect an organisation rather than put them at risk in an ever-changing threat landscape.
This article was published in the March 2020 edition of International Security Journal.