Published on the 29/11/2022 | Written by Heather Wright
It’s time to plug some critical gaps…
Fragmented and siloed cyber and physical security systems are no longer fit for purpose, with poor IT security hygiene a feature of physical security technology – requiring CIOs and CISOs to increasingly take the helm on convergence of the systems.
Traditionally run as separate fiefdoms, the shift of physical security systems to IP based networks has driven physical security into the domain of the CIO and IT teams, Nick Ingelbrecht, senior director analyst with Gartner’s Technology and Service Provider Research organisation, says.
“Physical security systems have moved from analogue, closed circuit, siloed physical security systems to IP-based networks and IP endpoints, which means all these endpoints need cybersecurity protection.
“It’s plugging a gap that shouldn’t have been there in the first place.”
“That’s been sadly lacking as we have seen in the big data breaches last year and the issues over PRC equipment, Huawei and Hikvision and the hacking attacks on camera networks,” Perth-based Ingelbrecht told iStart.
“Cybersecurity has become the number one priority for enterprises in terms of physical security procurement now, which sounds really weird, but it’s plugging a gap that shouldn’t have been there in the first place,” he says.
Recent years have seen significant growth in cyberattacks against critical infrastructure including gas pipelines, logistics operations and ship navigation.
“Hackers have also realised that rather than just hacking online they are able to breach the physical perimeter by poor physical security practices and policies,” Ingelbrecht notes.
Adding to the issue are gaps or vulnerabilities in the physical security silos themselves because of the proprietary nature of security systems that don’t talk to one another.
“So another pressing requirement here is to join up the functional silos so that you can have a 360-degree live view of what is going on in the organisation. That enables you to respond to events in real-time and threats and disruptions to operations.”
As if that’s not enough, Ingelbrecht says the changing nature of threats and expanding threat canvas are also requiring re-evaluation of risks and new strategies to ensure business continuity.
“The mandates or charter for physical and cybersecurity have expanded and blurred because we are no longer talking about a narrow security remit,” he says.
“We’re talking about business continuity now and then you’re talking about ensuring the organisation continues to function.”
By converging capabilities, Ingelbrecht says companies can gain a competitive advantage, greater operational efficiencies and financial savings.
A recent Gartner Physical Security Emerging Trends survey showed 41 percent of enterprises globally plan to converge parts of their cyber and physical security operations by 2025, up from just 10 percent in 2020.
While Ingelbrecht doesn’t have local figures, he says across A/NZ there are some who are in the early adopter category for convergence, but the vast majority are lagging behind ‘a bit, probably due to geography, distance and pressures – the security environment here isn’t the madhouse you have in some other hotspots’.
For many companies, Ingelbrecht says the crunch comes when physical security infrastructure upgrades are required, with it not unusual for enterprises to be running on 20-year-old platforms.
“These systems are expensive and when it comes to an upgrade it’s a chance to look at what can be done to address security vulnerabilities that have emerged.
Because of the IP underpinning the infrastructure now, IT organisations – who are required to provision the network, manage bandwidth and storage and integrate systems with back-end infrastructure – are increasingly being charged with oversight of physical security procurement, Ingelbrecht says.
“It doesn’t mean they are going to operate it or that the IT department is going to take over the running of the building management systems or the access control systems or cameras. What it means is the CISO, CIO or IT department have to sign off on these big purchases because there is big investment involved.
“So they look at it and say ‘are we going to carry on doing what we have always done before?’
“They’re saying ‘actually we need to think about this more strategically, because there are cost savings, and we need to think about the risks involved here, we need to engage with other stakeholders in the organisation like HR or marketing or sales because you find that if it is very difficult to get into somewhere because of the security protocols it is going to create a bad impression with customers.
“So there are all those stakeholder engagements which IT has been very good at managing in the past – bringing together requirements, looking at and balancing out across the organisation, having a remit across the organisation to take a more strategic approach to a security purchase.”
He notes the IT engagement is increasingly around integration issues and automation.
“The biggest problem for organisations is integrating new equipment with old equipment and working out if they buy this access control system today, what video surveillance system will they be able to use tomorrow?
“So they’re having to start to think 5-10 years ahead now about planning infrastructure purchases.
“You’re going to need to be thinking about cloud, mobile credentials how you are going to manage incidents and bring all this sensor data, security endpoints – cameras, alarms, building management sensors – together so you can understand what is going on and respond to events as they happen.”
Driving analytics into the core of operations is also required to achieve automation and efficiently monitor systems, but requires a data friendly environment for handling all the data collected, impacting on the broader OT, security and IT infrastructure.
Ingelbrecht offers four key tips for A/NZ businesses:
- Think strategically. Think 5-10 years ahead and have a strategy that takes you 5-10 years out.
- Organisationally, make sure you have a clear chain of command or a mandate from the top that sets out clearly who is in charge of what and what the delegated responsibilities are.
- Create a risk framework, evaluating current and future risks you need to mitigate against, identify your most serious risks and prioritise spend there.
- Explore opportunities for convergence. “It is the way of the future and there are lots of opportunities where you can bring systems together – from business continuity management systems to identity access management, workplace management and cyber/physical surveillance including cameras, sensors and analytics, and cyber security such as SIEM.
“Because there are opportunities for efficiency of operations, operational excellence and cost savings.”