Author: Stewart Hayes
This article provides an overview of how Security Convergence, along with Enterprise Risk Management, is driving the need for a new breed of security manager: one who is not a specialist in Cyber or Physical or Personnel security but can consider these issues in light of wider business objectives and the changing operational ecosystem. The technology infrastructure is becoming more diverse, and the integration of operational (OT and IoT) systems into corporate infrastructure to improve decision making is increasing the ‘attack surface’. Managing security risk now requires security managers who are multi-disciplined, recognise the multitude of threats facing the organisation and are focussed on managing business impact and identifying business benefit.
Security has different meanings for each organisation depending on their business sector, operational locations and operating model. These may influence their view on what is important – cyber, physical or personnel (insider threat) security and, as a result, how they approach security management. This has tended to influence their choice of staff and skillset required to oversee their security infrastructure. However, nearly all organisations are now faced with a multitude of threats which could impact their ability to operate effectively, meet their business objectives and protect their stakeholders’ interests.
Converged Security is a topic that has been around for a number of years. The Alliance for Enterprise Security Risk Management formed by ASIS, ISACA and ISSA used to issue an award for the best approach to delivering security convergence. Unfortunately, this alliance disbanded after 2007; however, their publications and principles remain applicable. In 2012, along with some very experienced colleagues, I published a paper on the advantages of a fully integrated security ecosystem – The Changing Face of Cybersecurity (ISACA Journal) that considers business risk first. Essentially this promoted the provision of a single focus for security issues: IT systems, Physical infrastructure and Personnel.
This should now be extended to cover other related areas, including key aspects of Personally Identifiable Information, which is typically handled by the Legal Department; OH&S and the working environment – usually the domain of HR or Health and Safety; Payment Cards – Finance; and Political threat, which, if the organisation is operating in hostile regions, is usually outsourced to specialist agencies. All represent a potential source of security risk to the organisation and should be managed consistently and effectively. The problem for the Executive, however, is deciding where to spend their security dollar. They must consider these security risks alongside investment, market and regulatory risks.
Developing and establishing a framework for the converged security model is difficult. Typically, the various security disciplines have different skill sets, different modus operandi and different threats to address. As a result, the security dollar often gets spent on fixing the last problem that occurred or the ‘issues’ identified by an auditor. These may not address the key business risks.
Technology-relevant security threats continue to emerge. Having established approaches to securing a Cloud environment with massive data stores and transient servers and applications, we now have another field approaching the security ecosystem like a steam train: integrated Operational Technology (OT) and ‘Internet of Things (IoT)’ components within the corporate infrastructure. We have aged Building Management Systems (BMS) with unprotected control systems enabling unfettered access to corporate networks and even sensitive operational networks beyond the corporate environment. Similarly, IoT devices, having greater autonomous intelligence than OT systems, are being plugged into the operational infrastructure in increasing numbers. These are now gathering large amounts of potentially sensitive information to be stored in data lakes and analysed by artificial intelligence (AI) systems. The current separation of security duties across all these environments is not sustainable and is comparable to a balloon in a box of pins; at some point the security bubble will burst.
The role of the Security Manager must now be to understand the growing number of threats to the organisation’s operational infrastructure and ensure the risks to business success are managed effectively. Being skilled in one discipline – IT Security, Physical Security or OH&S – is no longer viable. The new breed of Security Manager must understand enterprise risk and business enablement. They do not need to be experts in the various disciplines, but they must be able to gain the confidence of those who are and be able to promote the concept of a fully integrated security model.
The benefit of a converged approach can be seen in an example from the Telecommunications Sector. The challenge for the authors was to provide an effective solution to manage physical access to facilities, racks and roadside boxes across sites in Australia, in a way which provided an accurate audit of access. A manual system would be error prone and involve significant overheads, but by integrating the physical access with the Identity and Access Management system it was possible for users to have a single identity to manage access to both their IT services and the physical environment, down to the physical rack keys. This made the business processes highly efficient, required minimal effort, and delivered a full audit of all system and facility access. This integrated approach saved many millions of dollars in establishing and managing the security ecosystem.
The Health Sector also presents opportunities for converged security to make a significant difference. In a number of hospitals, the author was able to integrate physical access control with the IT systems and, importantly, the patient management system. This enabled end-to-end tracking of a patient episode through the facility and reduced the risk of mistaking a patient’s identity. Using a wristband-based RFID (Radio Frequency Identification) tag, the patient could check themselves in and be verified before any procedure, and the patient tag, along with the clinician tag, could enforce dual control on records access.
There were also missed opportunities. A large multinational bank used the physical access card to carry a chip that would act as a Visa approved wallet. This has a cost. When the systems that this wallet could be used on were removed, the chip became useless. Had the physical security team worked with the IT Security team, the chip could have been used for password-less authentication and to provide a secure store for encryption keys. As it is, the chip, whilst expensive, now serves no purpose and passwords continue to be used.
Similarly, with the increasing use of corporate infrastructure to carry OT and IoT traffic and the increasing risks from connectivity that come with IoT, traditional siloes of operational activity are increasingly turning to the security manager for help. As a result, the security manager must now not only help deliver integrated systems but must also be able to monitor for operational protocols, not just those in the IT spectrum. While the 2016 Dyn denial of service attack from IP-enabled cameras is a well publicised example of these forms of risk, there are many others which have had more severe ramifications. In 2016, the Ukraine power grid was disrupted by a cyber-attack, with a quarter of a million people left without power for some hours.
There have been numerous reports of rogue IoT and OT devices being used to compromise the corporate infrastructure, many of them successful. These systems should be subject to the same rigour as other IT systems within the organisation’s operational infrastructure to manage the potential risk; that is, their vulnerability to compromise and ability to impact sensitive systems.
The approach to qualifying this risk is the same as any other risk assessment process; however, it must now be considered on an enterprise scale. Mitigation controls should likewise be addressed on an enterprise basis; that is, by asking whether one solution can address risks across different operational areas. These issues may also be relevant on a global scale for multinational organisations; however, the different operating environments and regional influences may need to be managed differently.
Technology continues to evolve, and as we see the continued evolution of IoT plus the next wave of 5G-enabled solutions and artificial intelligence driven systems, the need for a holistic approach to managing security risk will become even more critical. Furthermore, the cost of not addressing risk is also increasing. A breach could affect the organisation’s ability to deliver services, may cause direct financial loss or affect their reputation in the marketplace. As legislation such as GDPR comes into force, the penalty for allowing a breach to affect customers is becoming increasingly severe.
Cyber security is no longer an isolated domain; it is part of the wider enterprise and its risks must be considered alongside the other business issues. Threats may manifest differently in the various disciplines; however, the business impact is comparable: it could affect the organisation’s ability to deliver services, may cause direct financial loss or affect their reputation in the marketplace. Whichever area or discipline of the wider security environment is involved, the approach taken to quantifying and assessing the risk is the same. Similarly, the approach to mitigating these risks may be common, at least in part.
In conclusion, security risk management is an enterprise issue and contributes to the success of the business just like any other form of risk management. The modern-day security manager and their team must now be cognisant that security management is a multi-disciplinary skill and that operational security must now observe a convergent approach to enable business benefit. All aspects of the security ecosystem are related and require a common approach rather than the current siloed verticals.
My thanks to many colleagues in Industry and Academia who have reviewed this paper and provided invaluable input.