According to Ontic’s recently released 2022 State of Protective Intelligence Report, the convergence of physical and cybersecurity operations is an area of investment in 2022 for nearly half (48%) surveyed and 37% are investing in the buildout/fusion of a cyber-physical Security Operation Center (SOC). Most agree (96%) including 59% who strongly agree, that cybersecurity and physical security must be integrated or else both physical and cybersecurity threats will be missed. So what will it take?
“All systems are gathering information and understanding what is and isn’t a threat,” said Danielle Van Zandt, Frost & Sullivan Security Analyst, who participated in the recent Ontic Summit breakout session examining cybersecurity and physical security convergence. “But it’s like if everyone is touching different parts of an elephant and is asked ‘what does the elephant feel like?’”
“I have a military background and we have a common operating language,” said Chuck Randolph, Executive Director of Strategic Intelligence at Ontic. “Many in the room are responsible for cybersecurity. Is it data? Is it intel? Who cares what we call it if we can get common information regarding a threat?”
Panelist Sam Queeno, Director, Digital Identity & Physical Security at American Electric Power, pointed out that reporting structures and territoriality have often impeded organizations’ collaboration when integrating cyber and physical security. “Don’t just think of a system,” Queeno said. “Just sharing information and talking to each other is the beginning of convergence. You will find out physical is working on the same person of interest as cyber because HR has contacted both. For there to be change, both have to come together.”
Debunking Fusion Centers as Mythical Beings
“Are fusion centers mythical beings? “What steps can security teams take now to put together an integrated threat detection program?,” moderator Tara Conway, Senior Manager, Training Operations, Ontic, posed to the panel.
“It starts with a conversation,” said Randolph. “Peanut butter chocolate – what does that look like? Who are you? How do you think about risk management?” Conversations regarding thresholds for security risk across organizations are important.
“In doing my research in physical and cybersecurity – I look at people, process and the product,” Van Zandt said. “The easiest ones to get started with are the people in the process – you need to be talking to each other, even if it is an email touchpoint. You can miss something if you’re not talking to each other. Then create SOPs for identifying and dealing with it.”
Queeno added: “You’ll find that both departments and areas are doing the same type of work. It’s different work, but you can start small. Meet for 15 minutes to review what you’re each working on. If the leaders meet and start the work, the units will follow. When you get the tools together, it assists with flows but not if you don’t have a clear vision or mission.”
Cross-Training Can Deter Separation of Physical and Cybersecurity Functions
“When our organizations converged one of the things we tried to do is meld them so we can’t get ripped apart,” Queeno noted. “The cyber side is being cross-trained with the physical. I have joint calls with both teams and there is a common thread. We try to use one term – security. That’s a culture shift. We use the same reporting tool – anyone reports it to one converged security hotline. If someone reports their laptop has been stolen, both departments touch that. But they have different things they have to do for that particular case. It branches out from a single place.”
“What are we doing to train for ‘what if’?” Randolph asked. “If we say we’re doing a cyber incident this week, ask the physical security team how this affects them? It helps show that the team is doing more than just standing at the door.” He shared an executive protection example of encouraging the physical security team to bring a cyber expert along when assessing the need for cameras at the back of a CEO’s home, instead of keeping the domains as separate.
Building on this cyber-physical convergence strategy, Queeno recommended working with Legal and HR regarding internal audits. “When those come up we say you have to do it on security. Many years ago some substation locations had to be redesigned from a cyber perspective and the risk was going to take years to mitigate. So I asked if they wanted me to put access controls on the doors. We mitigated the risk because someone has to break in and in literally months we had something set up with cyber’s help.”
“From an industry perspective it is better to come from IT director to C-suite,” Van Zandt said. “Right now they’re giving IT more budget than physical security. By collaborating you can have a combined effort to convince the C-suite.”
Insider Threats Contributing to the Cause
“A lot of times with insider threats, the industry focuses on cyber threats – a malicious insider who is going to steal my data,” said Van Zandt. “When you think about it, a workplace violence issue of termination of an employee with a history can be a physical security type of insider threat.” She notes it’s important for both cyber and physical security functions to monitor to see if there’s a threat to the organization.
Sharing how physical security versus cybersecurity functions have played out at his organization, Queeno explained: “In the last several years, physical security has been involved in any employee termination in the company. HR has to go through a process and get permission from legal, and they will share the information on the person getting terminated,” he said. Queeno’s team will check if the employee has any past criminality, then inform HR whether there are any issues of concern or not. “Now it also goes to cyber and the insider team – what kind of access do they have, have they downloaded? If cyber finds something that concerns them, we get together with HR and legal and have a conversation. Is it okay if that person has downloaded files?”
Learn the 3 secrets to success when building an insider threat program.
The Convergence of Physical Security and Cybersecurity Tools and Technologies
“We do not try to place a square peg in a round hole,” Queeno said. “We’re not buying the latest thing and saying ‘you need to use this.” His organization focuses on the core mission of cyber-physical security, what each area does and the best product for the organization.
“We’re starting to see more bridging the gap,” Van Zandt said, referring to technologies, also noting that GSOCs are working much better from a convergence standpoint than they previously have been. “In our own research on the market, we felt comfortable writing about digital intelligence solutions. A few years ago, we were not able to accurately portray that market. Now it’s about those end customers finding the solutions.”