The Key to Fighting today's Security War

Jamie Smith, CIO, University of Phoenix

As the old adage goes, “War never changes.” While that may be true, war does evolve and those who do not evolve with it become extinct.

This is especially true in the war for enterprise security. Organizations of all shapes and sizes, across all industries, are fighting a constant security war–both physically and digitally. This war is not new and the end user has not changed, but the way in which the war is fought has.

Today’s security threat landscape has evolved and criminals’ tactics along with it. Every security asset now falls under both the physical and information security teams. Internet of Things, connected devices, and smartphones are now terms in both teams’ vocabularies. Fleets have become rolling data centers, critical systems on wheels. Protecting these assets is the responsibility of both groups.

More than just tangible assets have changed. Today’s employees are essentially sensors. Security teams understand where they are and what they are doing and can protect them, but now they also must consider the cyber vulnerabilities they present. Through corporate laptops and phones, employees now have microphones, cameras and other things to protect on that endpoint.

Despite working toward the same shared goals and objectives, physical and information security teams often work in separate locations and may not completely understand the other’s world

Physical and information security have become so intertwined that it can be difficult to tell them apart, yet collaboration and collocation remain a key hurdle for organizations. This is where security teams fall behind in fighting today’s war.

For years–even today–many organizations employ separate physical and information security teams. Despite working toward the same shared goals and objectives, physical and information security teams often work in separate locations and may not completely understand the other’s world.

CIOs and CISOs have to understand that users are getting phished every day and that cyber threats are becoming more sophisticated. This includes understanding behavior and the convergence of behavior and being able to tie that all together in one place. Reaching this goal can be accomplished through collocation of teams.

A great metaphor of the need to converge today’s physical and information security teams is the failure of the Maginot Line. After the First World War, France built a massive and intricate series of bunkers to form an impenetrable border. At the onset of the next military conflict, this seemed like a plausible and effective defensive solution, because the last war contained a very slow-moving threat. However, in World War II, the enemy just drove around it or flew over it. Clearly, France was fighting the last war.

Similar to how France’s defensive border fortification became a liability as war tactics evolved, the archaic idea of separate physical and information security teams leaves enterprises vulnerable. Simply put, information security isn’t about defending the perimeter anymore. It’s understanding that the war on security has transitioned from a slow-moving threat to a dynamic, fast-moving environment.

Because of the external threat environment, organizations have no choice but to combine physical and information security team and cross-train them to understand each other’s responsibilities. It’s much more important for employees on both sides to speak the same language and work together.

This whole notion of having separate dashboards and reporting tools and these bespoke physical security systems really does not make sense anymore in today’s world. As much as possible, security leaders must physically collocate the teams and ensure that they are cross-trained. We know there are not enough security professionals today. Therefore, in order to protect enterprises, security teams have to be built by combining the knowledge and skill sets of both groups.

The physical security teams have to be much savvier on what it means to live on a network, know how to cooperate with that and put telemetry in there that doesn’t cause issues. Similarly, InfoSec should learn what it means to do closed support. By doing this, employees can become T-shaped resources that are broader than their one deep area of expertise. This shared knowledge allows for better communication and more effective security solutions.

Culture is also an important factor in successfully collaborating and collocating teams. Teams have to want to collaborate. Culturally, they should understand, with empathy, each other’s worlds and backgrounds. The cultural hurdle can be difficult to overcome, although, once people are located in a shared space and focus at the same thing, they can overcome a lot of the initial obstacles and turbulence.

Whether ready for it or not, security organizations today are charting a path in creating collaborative, collocated teams. It doesn’t really exist, but it is going to exist soon. It is vital that leaders respond and build that well-rounded professional. At the end of the day, being just in one of those two camps is not enough based on where the threat environment is.

We cannot keep physical and information security separate anymore. Companies must make sure they are not fighting the last war.