August 6, 2025

Bridging Physical and Cyber Security: The Importance of Holistic Security in Corporate Resilience


In this episode

In this episode, host Manish Mehta speaks with Rachel Briggs, CEO and Co-Founder of The Clarity Factory, about the critical importance of holistic security in modern organizations. They explore the challenges and opportunities of integrating physical and cybersecurity functions, emphasizing the need for effective partnerships and leadership to achieve operational resilience. Rachel shares insights from her research, including a practical maturity model designed to help organizations navigate and implement holistic security strategies.


Introduction


0:00

Manish:

Rachel Briggs is CEO of The Clarity Factory, which produces thought leadership and consultancy on corporate security and cybersecurity. She’s advised dozens of multinational corporations, provides benchmarking services, and regularly briefs security leadership teams. She’s the author of The Business Value of Corporate Security and co-authored The Business of Resilience, and most recently authored Holistic Security: How Physical and Cybersecurity Teams Can Join Forces to Strengthen Operational Resilience. She’s an associate fellow at Chatham House and a board member of the Risk and Security Management Forum, RSMF, and the Global Center on Cooperative Security. She was the founding executive director of Hostage US and the first director of Hostage International. Rachel, delighted to have you back on the Connected Intelligence Podcast. How have you been?

Rachel:

Thank you. I’m very well, thank you. And thank you for having me back. I always love speaking to you guys at Ontic. Always a great conversation.

Manish:

Well, we’re excited. You’re a third timer. You’re going to be in our Hall of Fame pretty soon. So we’re excited about that. We’re excited about that. Well, tell the audience and much of our audience knows you well, but tell the audience a little bit about your background and then ultimately how you arrived at the holistic security report, right? Maybe bridge the connection for us.

Rachel:

Yeah, absolutely. So I’m, I’m essentially a bit of a data nerd at heart. I started my career 25 plus years ago, working in various different think tanks, where I got a real ring to understand the importance of quality data to change, whether that’s government policymaking, private sector policymaking, and how it can kind of both improve the decisions that are made and also bring insights to busy professionals who wouldn’t otherwise see key trends. So throughout my career, I’ve been very keen to use data in a very actionable way with practitioners. And so I do that now with the Clarity Factory, because what I see in the corporate security community, which is one that I’ve worked with throughout my career, is an increasing desire for a data-driven approach from leadership. You know, they want to understand how they can use data to understand the problems that they face better, the processes, the mitigation measures that they have in place, and also report back up the food chain to the C-suite and executive leadership within their own organization. So that’s why the work I do now with the Clarity Factory tries to bring together those two sides of the same coin, data insights and better decision making. And The Holistic Security Report, it’s a report which was about 12 months in the making. It was a very detailed and in-depth piece of research which ultimately has resulted in something which is very practical and which practitioners can kind of use immediately to sort of try and improve what they do. It’s a report that was sponsored by leading companies, BP, Barclays, Johnson Matthey and Centre Group, for example. I interviewed, I surveyed hundreds of, more than 100 CSOs, interviewed dozens of CSOs and business to get their perspective on it.
And really, in a nutshell, if I were to say what the quote-unquote essay question is, the exam question in the Holistic Security Project was: if criminals, terrorists and nation-states don’t respect the neat silos that we create within our organizations, if in fact they not only don’t respect them but they look for ways to exploit them, and if we know that this interface between physical and digital security is getting ever more important, how do we close the gap within organizations between physical security and cyber security such that our businesses will be safer and ultimately be more resilient? And so that’s the how, that’s the why. And I’m looking forward to telling you a bit about what we found in that process.

Why is now the time for holistic security?


4:43

Manish:

Terrific. Well, begs the question, why now? I mean, if you think about starting this report a little over a year ago, you’ve been thinking about this for a while, and you also make the case that physical cyber slash digital should have converged some time ago. What’s changed? Why now?

Rachel:

The why now question is really critical, because we have been talking about the criticality of this partnership for 20 years, believe it or not. I came across a paper written in 2004 extolling the importance of that partnership, and perhaps the first time that in our community the idea of convergence was raised. And why now, though, if we’ve been having this conversation for 20 years, why was it important for the Clarity Factory to look at this? Well, a couple of things really. Firstly, I think there’s a technology point here, which is that while it’s true to say that companies have been adopting technology quicker over the last 20 years, we’re at a point now, we have been for a number of years, where large multinationals are highly dependent on technology systems and digital systems for pretty much every part of every process that they run. So the digital, the vulnerabilities in the digital space are really quite considerable. They also, the rise of technology, this dependency between a company being physically safe and being digitally safe is so much more these days; literally, you can’t get into a building because of the digital system that has been put in play. The two are so dependent on one another. But in the 20 years that we’ve been having this conversation, only 15% of multinational corporations have actually converged. And when I use the term convergence, because it is used sort of differently by different people, I’m talking about it in a very specific way, converging, as in bringing these two departments into one and a single leadership in the same room, so to speak. So for all of our two decades of conversations for how critical this is, 15% of companies have chosen to go that route. And in doing the research, you know, I should point out this isn’t a piece of research that is down on convergence.
You know, I spoke to many leaders who run converged functions, and they are brimming with optimism and satisfaction with the model, but only 15% have gotten there. And I think the reason that we’ve had such poor uptake on what could in theory be a great solution here is because bringing together two really big functions in a big multinational corporation is really difficult and really clunky. Secondly, it involves senior business leaders deciding who will be winning from this, and another will be losing, both headcount and budget. So there’s losers as well as winners right at the top table of the organisation. Interestingly, the senior business leaders that I spoke to said, really gave me the message, when I see it in practice, I see the benefits, but otherwise I don’t see them. So you have, you’re expecting senior leaders at the top of large multinationals to blindly stumble into something which can be quite expensive and cumbersome. Security still isn’t the biggest priority, and never should it be for large multinationals. And ultimately, the leaders who could in theory be the biggest advocates for this, the CSO and the CISO, it’s simply not within their gift. So in many ways, it’s surprising that only 15%. But actually, when you think about the mechanics, the politics of getting this over the line, we perhaps shouldn’t be surprised that only a pretty modest minority of companies have actually gone down this route.

Convergence as an outcome


8:46

Manish:

If we widen the definition of convergence beyond an organizational structure and model, and we shift to outcomes, what does the report say? What did you learn in that process? Because I do think many people when they hear convergence immediately snap to org structure where often the CSO has the lead and the CSO is subordinate. But I’m curious what you’ve discovered there. And then talk about convergence as an outcome as opposed to an organizational model.

Rachel:

Well, that’s holistic security in a nutshell. It comes from a place that prizes part. And what we wanted to do, and I worked collaboratively with the CSOs who were on the advisory council for this, what we wanted to do was to create an option for CSOs and CISOs, which was really about achieving an outcome rather than achieving a particular educational model. And because we wanted to do that, we asked ourselves the really simple question, which is, what are the success factors for effective partnership? What does it look like to partner effectively in a way that gives you a good return on investment such that it’s worth it for both sides, where you have better outcomes for both physical and, and cybersecurity, and actually where there’s a bigger win for the organization, and perhaps we’ll talk about that. But that’s really what we’re trying to do here. We’re saying, forget org charts, forget being super prescriptive about where people need to sit and who they need to report to. Let’s really understand what effective partnership looks like in practice. And we put together, you know, after all of these dozens of interviews, and really getting under the skin of the data, it became clear to me, and understanding what good change management looks like in practice from many other different disciplines. And what we identified were eight success factors for partnership. And they have very specific manifestations for this particular kind of partnership. But they’re pretty universal, actually. And an effective partnership is underpinned by, firstly, the right identity and culture. And it’s really important we start there rather than organizational structures. The right kind of, and quality of, leadership; incentives, because we don’t like doing things differently, so we have to be incentivized to do something that’s new, difficult, surprising, not how we’ve always done it.
Clarity of roles, the right kind of professional development, the right kind of reporting roles, though, and see, so maybe we’ll dive into that, the right kind of operational arrangements, whether that’s working groups, shared resource technology, this is right towards the end of the list. And then finally governance. So we tried to with the model, if you think about how we were thinking about convergence for all of those years, where governance and operation would have come right at the top of the list, we really wanted to invert that pyramid and say, that stuff is essential. It’s got to be a bedrock of it. But if you’ve not got identity and culture right, if you’ve not got the right incentives in place, and if leadership isn’t for partnership, it doesn’t matter what working groups you have, it doesn’t matter whether you’ve got a governance body that everybody has to turn up to and report to on a monthly basis, you will not have effective partnership. So we try to, we try to make this very much focused on outcomes and say, let’s give organisational design to each individual company to figure out. But unless you’ve got that, that kind of partnership in place, it just, it just, it just won’t work. And, and what I would say about the model, and we put, this isn’t just a sort of analysis, we also, the report finishes, starts and finishes actually with a very, very practical maturity model. And it was really important in doing that, that firstly, it was a model that was communicated in English, because, my goodness, CSOs and CISOs and their teams speak very, very different languages, use different terminology, an alphabet soup of different acronyms. So we wanted it to be in plain language so that both sides could sit down and have a conversation based on this. And nobody felt like they were privileged because we were using their language rather than the other side of the table’s language.
We, as I say, it was important that the whole model was informed by really good organizational change knowledge. And also, we’re not saying that everybody’s got to get to level four. You know, we wanted something that, you know, convergence, as I say, can work really well, but it’s sort of, it’s one and done. This is what it has to be. And we all have, you’re either converged or you’re not. And what we wanted was a maturity model that gave organizations the flexibility to decide what was right for them, which maturity level was right for them, and some breathing space to grow and mature and develop at the pace and scale that is right for them.

Challenges and obstacles on the path to convergence


14:45

Manish:

I think our listeners would nod their heads on the components you described in the maturity model itself. But I imagine, and the data likely bears this out, that there were challenges and things that quote-unquote get in the way. What did the data say around those? If you think about our listeners, you will touch on best practices in just a few minutes that you’ve encountered or learned, but maybe help illuminate some of these challenges and obstacles that our listeners would identify with and maybe what you learned along the way.

Rachel:

Yeah, so I mean, I have to say, by a country mile, the biggest and most consistent challenge was around culture. And there’s this data in the report that shows that a third of CSOs said that this was the biggest challenge to partnership. And, you know, on a really practical level, as I said, these are two professional groups that have different backgrounds, they have different competencies, they speak different languages, they have different acronyms, they have different ways. They even have different timescales of working, you know, the cyber, to sort of generalise, those in the cyber security world are really kind of thinking about immediately what next, immediate problem solving, whereas within the corporate security world, you know, many folks within that department are taking a sort of a more of a medium term view. So it kept coming back to this same piece of feedback. When I asked both CSOs and CISOs about when has it worked? When has it not worked? What have, what have been the components of success for you? When have you really managed to do this effectively? So much of it came down to understanding these are different professional groups who struggle to work together. And effective partnership relies on being able to really cut through some of those differences to bring people together. And I guess allied to that is about leadership. And I mean leadership in a very, very specific way. Leaders that see themselves at the top of those two functions, that see themselves as risk leaders, not physical security leaders, and not cyber security leaders. Because as Ontic’s work shows very clearly, as the Clarity Factory’s work shows very clearly, business leaders want their risk leaders, whether it’s the CSO, the CRO, the CSO, the folks across the business who have an element of the risk portfolio, the C-suite is increasingly saying to them, work together, knit it together, connect together.
Do some of that sorting out before you bring your problems and solutions to the C-suite, because we need to see the problems in that kind of complex and interconnected way. And what I was really struck by was leaders that are pushing themselves to self-identify as risk leaders, as opposed to being stuck within their function, were the ones that found it easier to reach across. And so it’s a very particular kind of risk, particular kind of leadership we’re looking for. The kind of counterbalance to that I would just add is that when a lot of people talk about leadership within the context of holistic security, they talk about it on quite an interpersonal level. Oh, well, the CSO and I get on quite well. The CSO and I, you know, we come from the same background. That interpersonal relationships should not be underestimated, but they do not holistic security make. You need a leader at the top of the function who can see beyond their own remit, can see the connectivity between what they do, what they’re being paid to do, and what somebody in the next sort of segment along is being paid to do. That’s when you start to much more naturally look for the connectivity, look to be driven by joint objectives and joint goals as opposed to constantly looking down within the function.

Elevating holistic security to operational resilience


19:00

Manish:

I think our listeners can absolutely relate to where holistic security can apply. There are a number of use cases that you highlight, but then you make a commentary and a pretty bold statement on operational resilience as being an area that holistic security can really elevate to. Maybe talk a little bit more about that.

Rachel:

Yeah, it’s a really important aspect of the model, actually. Maybe if I step back and then step, step forward into it again. I mean, we’re operating in a business environment now where increasingly it’s not just the C-suite that are concerned about operational resilience; that comes from the fact that regulators and investors are concerned about operational resilience. You know, if you think back just a few years, you know, investors and regulators were seeing, say, cyber security as being the canary in the coal mine. If that’s healthy, then that tells us something about the broader health of the nation. And I think increasingly these days, operational resilience and metrics around operational resilience are becoming a canary in the coal mine for investors and regulators. If you’ve got that sewn up, then the chances are you’re a, you’re an investable company, you’re a healthy company, and you’re managing your risks effectively. So that’s, I think, the backdrop to this and why it was important for us to understand what were the connections with operational resilience. And I think that the reason that holistic security then is part of achieving operational resilience is because those two functions, the physical and the cyber security functions, are responsible for the three really critical processes that make up operational resilience. Pretty much all chief security officers are directly accountable for overseeing crisis management. About 50% of them are responsible for business continuity, with the other 50% involved in it. And while disaster recovery is much more likely to sit within the cyber or the IT function, a really sizable proportion of CSOs are increasingly saying we have a role in that domain as well. So these three really critical processes of operational resilience are owned and knitted together by the CSO, the CISO and their respective teams. And I think increasingly businesses are going to be looking for not just do we have a great crisis management?
Do we have good business continuity? Is our disaster recovery up to spec? I think, increasingly, they’re going to be looking for is that those three processes are talking to one another, that they’re connected, that they’re cognizant, that they understand the dependencies and vulnerabilities across them. And so it’s our sort of assertion that when you achieve mature holistic security, the two functions that are so critical to those three operational resilience processes stand a much better chance of working seamlessly and ensuring that business continuity, crisis management, disaster recovery are no longer separate strands of work, but they actually come together in a way that the whole is worth much more than the sum of its parts.

Advice to teams looking to achieve holistic security


22:32

Manish:

Sounds like a wonderful outcome. Rachel, it’s time for therapy. So we’re looking for some therapeutic advice for our listeners. Many of them are leaders today in their roles or leaders of tomorrow. And I imagine quite a few of them are stuck in silos. Quite a few of them exhibit some of the challenges that you highlighted earlier. What advice do you have for them? What could they begin doing today and then tomorrow to achieve holistic security?

Rachel:

Well, firstly, take a really deep breath. It’s all gonna be okay. I think that’s how a good therapy session usually starts, right? So I think there’s a few things I would say. The first is, start the conversation with your respective leader. And I really hope that the plain English, very much down to earth maturity model that we’ve put together will really help that. And actually, what I’m hearing in the weeks since we published is CSOs and CISOs reaching out to me and saying, I’ve taken the maturity model, and I’ve sat down with my respective leader for the and had a constructive conversation. Start exploring together. Don’t get into it with a set idea. Start exploring: where do you think you are? Where do we think we are on this maturity model? Where do we think the areas to improve are? Just start that conversation with curiosity to get those channels open. I think in doing this, and this is something which many of the CSOs that I’ve worked with on this kept stressing to me, that the power here is that this model takes convergence off the table. And that’s not to say that convergence can’t work just fine. But the problem with having convergence on the table is that it becomes a bit of a zero sum game. Because inherent within that is the subtext of who’s going to get the headcount? Who’s going to get the budget? Who’s going to be in charge? Are you going to be my boss? Or am I going to be your boss? So when convergence is on the table, there’s automatically kind of defensiveness and competitiveness baked into that conversation. So sit down, have an open, curious conversation, be very intentional about taking the convergence topic off the table, even if that is where you end up going in the long term. I would then say that, you know, don’t try to boil the ocean. Start by choosing one or maybe two at most low-hanging fruit, high yield, high impact areas where you’ve identified a specific opportunity to collaborate.
Now, there’s some really obvious examples there, whether it’s joining together the physical security access control data with the cyber security access control data, suddenly giving you this amazing new visibility into not just who’s coming in and out of the building, logging on and off of the company system, but also, well, is the same person trying to enter a building in London and log on to a workstation in New York? Just by bringing those two bits of very simple data together, you can suddenly, together, get an insight on everything from unusual working patterns, impossible travel, potential risk, and so on and so forth. So I would say start by choosing something really simple, where you can start to see results immediately in executive. Another, where you’ve both got very clear roles, one around physical security, the other around digital devices, digital footprint and so on. You can each sort of get involved in that without sort of stepping on, on one another’s toes. So I would get really, really specific, start socializing the concept with your manager. As I said, corporate leaders don’t understand the benefit of this until they start seeing it in practice. So the more that you can start socializing, start going, hey, we started sharing some information across our access control, and here’s the insight I got, isn’t that useful, start to give them to call view into why this partnership might be something they start to champion and start to get interested in. And I would, I think finally, I would say, be patient, you know, you never ask somebody to marry you on the first date, right? And partnership’s the same, you start slowly, you’re feeling one another out, you’re trying to, you know, one of the challenges that these two groups have is that often they don’t understand what one another does.
So partnership isn’t gonna appear overnight and be at level four overnight, it’s going to take time, you’re going to make mistakes, but try and take a really patient and long-term view of it. And that’s where I would, that’s where I would urge any leader to start. If they do that, I’m hoping that the holistic security maturity model kind of gives them the guardrails and gives them a bit of strength to do that in a way that helps them to sort of pace themselves and start to make progress.

Real-world examples of organizations who have achieved holistic security


27:41

Manish:

Rachel, as we get close to ending this episode, give us some hope. Inspire us. There must be examples of companies that have already done this well or well on that journey. Maybe give us a few examples as inspiration.

Rachel:

There are. There are. There are organizations that have been doing this without the need for the title holistic security for a while. And that we recognize that, you know, and as I interviewed CSOs, I saw lots of pockets of examples. And while the organizations are at level four across every single one of those eight success factors, you know, there was the tech company, huge tech company that I interviewed, and the CSO said, you know, the CISO and I have a joint security strategy. Nobody told us to do that. It’s not an official strategy, but we realised that everything we did was at the centre of our Venn diagram. So we just created it. And guess what? It was the foundation for much more partnership work. There were two leaders who just decided to take the initiative and get on with it. And now couldn’t, couldn’t contemplate working any way different to that. There were organizations I came across, and there’s some great data in the report actually, that were already setting their teams holistic objectives, so that people in the physical security team were not just being measured and rewarded on the basis of how they did their particular job. They were also being measured and rewarded on the basis of the extent to which they were collaborating with peers in the cyber security team. That’s something that’s within the gift of any security leader. They don’t need sign off on that. So there are leaders who are just taking that initiative and doing it. We also saw one of the companies that I interviewed, purely by chance, actually had just gone through a reorg. And as a result of that, the CSO and the CISO now report into the same C-suite member.
And while I realize that many will not have the opportunity to influence that change within their own organization, they described it, I interviewed them both, as being absolutely transformational. The extent you’re sitting at that leadership team table together, hearing one another’s problems in real time, the empathy that flows from that, the willingness to then huddle after the meeting and say, hey, I think I’ve got something that could help you. The collaboration that I saw flowing from that was really inspiring. And actually, I think companies that can achieve that sort of shared reporting line upwards, I think will really accelerate their growth. And then another area where I see this kind of happening, and I know this is a real kind of focus for Ontic and your clients, is around insider risk. And insider is one of those areas where you just can’t do it effectively alone. You know, it really does need a connected approach. It all needs to be knitted together. And I really started to see real glimmers of, maybe I need to be more effusive about this, not glimmers of hope, sort of rays of sunshine in the insider space where CSOs and CISOs were kind of realizing this is both of our problem, and HR and, and, and, but it’s a really practical, impactful collaboration going on in that space, which could be something we then sort of use as a, as an example and replicate in other areas of the functions’ business.

What does Connected Intelligence mean to you?


31:24

Manish:

As is tradition here, we end with our final question of what does Connected Intelligence mean to you? So just in a few words, we’d love to hear that. And Rachel, again, thank you for joining us today.

Rachel:

Well, intelligence for me, really, I guess, is what I would call the present and the future. And, you know, the insights that we need to drive an understanding of the threats we need to manage, how we need to mitigate, how that relates to business priorities, is simply stronger when it is knitted together, when we can both bring many, many, many sources of information together on one screen. That gives us, you know, as I started by saying, this is what my whole career has been about, by bringing together all of these insights and these data sets that give leaders a fresh perspective, they allow them to see something that would otherwise be invisible. That’s what Connected Intelligence is to me. And for any security leader thinking about what intelligence today or in the future must look like, I think it’s non-negotiable. It has to be connected.

Manish:

My guest today, Rachel Briggs, CEO of The Clarity Factory. Rachel, thank you once again for joining us today.

Rachel:

My pleasure. Thank you for having me.

What you’ll learn

Why integrating physical and cybersecurity is essential for operational resilience and how it can address modern threats more effectively

Actionable advice on starting conversations, overcoming cultural barriers, and fostering collaboration between security functions

Real-world examples of organizations successfully implementing holistic security and the transformative impact it has on their operations

More about our guest

Rachel Briggs is CEO of The Clarity Factory, which produces research, thought leadership and consultancy on corporate security and cyber security. She’s advised dozens of multinational corporations, provides benchmarking services, and regularly briefs security leadership teams. She is the author of The Business Value of Corporate Security, co-author of The Business of Resilience, and most recently authored Holistic Security: How physical and cyber security teams can join forces to strengthen operational resilience.

Rachel is an Associate Fellow at Chatham House and a board member of the Risk and Security Management Forum (RSMF) and the Global Center on Cooperative Security. She was Founding Executive Director of Hostage US and the first Director of Hostage International.
