November is Critical Infrastructure Security and Resilience Month. During this month CISA is asking critical infrastructure companies to “resolve to be resilient” by preparing for resilience today in case of an incident tomorrow.
CISA is highlighting three practices critical infrastructures can implement to rapidly recover in the event of a significant disruption:
- Assess your risk. Organizations should identify their most critical functions and assets, define dependencies that enable the continuity of these functions, and consider the full range of threats that could undermine functional continuity.
- Make a plan and exercise it. Organizations should perform dedicated resilience planning, determine the maximum downtime acceptable for customers, develop recovery plans to regain functional capabilities within the maximum downtime and test those plans under real-life conditions to ensure the ability to operate through disruption.
- Continuously improve and adapt. Organizations should be prepared to regularly adapt to changing conditions and threats. This starts with fostering a culture of continuous improvement, based on lessons learned from exercises and real-world incidents and evolving cross-sector risks.
While these tips are aimed at one particular sector, they are good reminders to all, for both physical and cyber incident planning.
But there are other types of resilience worth building up as well. For example, the resilience to adapt to rapidly changing technology. This was one of the main themes of the recent Securing New Ground conference held October 17-18 in New York City. Billing itself as the “TED Talk of the Security Industry,” the annual event brings together end users, security integrators, manufacturers and tech partners to discuss the latest trends, challenges and predictions for the coming year.
This year, much of the conference focused on artificial intelligence, or AI — its benefits, use cases and threats. In one session, “What AI Means for Your Business,” a variety of industry providers spoke on what they are seeing from their end customers.
Jumbi Edulbehram, global business development, smart cities and spaces, NVIDIA, said, “We have a partner that took all the information from the cameras, and is doing analysis at the city-level based on AI to manage traffic patterns. They have reduced congestion by 54 percent.”
Matt Powell, managing director of Intelligent Security Systems Inc. (ISS), actually credited a major disruption with bringing AI to the forefront. “COVID pulled us 10 years in the future,” he said. “Before COVID people didn’t use Teams. Now AI is bringing us 100 years into the future. The adoption at the market level, everything is AI. Everybody is asking for it. Everyone wants to solve a business problem; they are just trying to figure out how.”
Powell stressed that the purchasing decision needs to be an educated one from the top. “You have to bring this technology in house. There are risks associated with not doing so. But you also have to understand the technology. Do you need augmented intelligence? Generative AI? The risk is you will make a decision based off a product and not a solution so you are stuck with an investment that doesn’t meet your needs.”
Also on the risk side, there is the privacy concern.
Hamish Dobson, corporate vice president, enterprise physical security, video security and access control at Motorola Solutions, said, “AI is based on data. Start with getting control of your enterprise data and understand where it exists; but there are privacy concerns associated with that. It [should be] an intelligence augmentation not decision making in and of itself.”
Edulbehram said this is one area where public agencies can provide an example for private entities. “They have detailed guidelines for not just applying AI but creating the data that is used. Most companies haven’t thought through their AI policies in general.”
Another interesting conversation at SNG was with Pierre Racz, CEO of Genetec, who spoke of security departments needing to think of themselves as more than just “cost centers.”
“That is wrong thinking,” Racz said.
Racz gave the example of Target, which, the company determined a number of years ago, should be the “safest part of any city.” In addition to making sure there were cameras and all the typical security efforts, “Target engaged the merchandisers for high margin items so they were compensated if they minimized shrinkage,” Racz explained. “This enabled Target to grow and create a great reputation. The security department saved the company $1.4 billion dollars. So anyone who says security is a cost center, I say you should rethink it. Security should help businesses make decisions.
“My vision is that security has to reframe their thinking. Their job is to measure the flow of people, things and information, and the safety of people is almost a derivative of that. If they behave that way, they become an important, strategic value creator in an organization.”
This approach was echoed by “surprise guest” Raj Bahita, deputy CSO for Bank of America and a first-time attendee at SNG, who touched on both the resilience and value aspects.
“I have been in this role for about four years,” he said. “I came from a government role. I joined in 2019 when the world was very different. Business was rocking and rolling, and we were spending money like crazy. About eight months later the pandemic hit. For the next two years we were mostly thinking about vaccinations and PPP and how to keep things safe.
“I moved from a corporate security role to corporate safety and security. How do I run a GSOC when no one is in the office? I had to think very differently and creatively. Technology was critical. Then there was the return to office and people didn’t want to come back.
“Now not only was I responsible for people in the workplace but at home. There are also global risks. We don’t know what the next thing is going to be but it is out there. I [now] think of myself as a risk executive. When I talk to executives I do not use the word security. … We are a cost center but I don’t think we should be treated that way. We are a value-added component to our corporation. Our businesses cannot function without security and safety for our employees and customers.”