A recent DEFCON presentation described a package sent by ethical hackers to a non-existent employee at a large corporation. The package was diverted to the mailroom and forgotten. The smartphone contained within the package allowed the hackers to access the corporate LAN until its battery died. Who is responsible for the breach in information security? Is it the CIO or the security manager? An obvious answer is both – the two domains are converging. A better answer may be the CEO. Risk mitigation is a team sport, and the CEO leads the team.

Physical security and cyber security must complement each other. Real world security measures can be defeated by cyber-exploits, and the best cyber defenses can be outflanked in the real world. Investment decisions in each domain should spring from deliberate efforts to mitigate risks to the enterprise, ensuring it accomplishes its mission and recovers from adverse events.

New Capabilities Bring New Threats

There is no doubt that the Internet and associated technology provide unprecedented capabilities and opportunities for business, for government, and for individuals. The ability to remotely access information has revolutionized the way business is conducted and the way individuals live. But the flip side of these benefits is that the capabilities also can be used for malicious aims. New opportunities and the rapid adoption of new communication technologies bring security vulnerabilities, and the vulnerabilities aren’t just inherent in devices and technology; well-intentioned users are often the unwitting means to malicious ends.

As the Internet continues to develop and bring more people online, the volume of threats continues to grow. The scope of threats continues to develop and is limited only by the ingenuity of our Internet neighbors. Cybersecurity businesses offer subscription service because the threat is so dynamic that suites of countermeasures must be continually updated. So, even though critical corporate assets—people, equipment, and information—may be concentrated geographically in the physical world, risk mitigation must address threats that are global, potentially innumerable and constantly evolving.

Ensuring complementary security efforts in the physical world and cyberspace begins with acknowledging how they differ. There is no safe stand-off distance in cyberspace. The other side of the world, and all of its bad neighborhoods, are a mouse click away. Attacks can be launched from anywhere around the globe at any time, and often without alerting the intended victim.

Security staff is therefore challenged to think about risk mitigation in new ways. Before the Information Age, “enforced need-to-know” described both the fundamental principle and practice of information security. Before electronic media and networks, the dissemination of controlled information required a conscious act. Risks were mitigated because dissemination was deliberate and limited. Too often today, access to a network includes access to vast amounts of information for which there is no valid need-to-know. Network administrators are empowered to limit access, but may not appreciate fully the operational implications, and may not be able to keep up with changing requirements of knowledge workers. But once information is accessed by the wrong entity, re-establishing control is impossible—the risk equation has changed.

What’s Critical to the Mission?

Organizations with limited resources must focus their efforts on what truly requires protection. While security’s mandate is to manage the protection measures designed to preserve the organization and assure the success of its operations, the identification of critical assets and determination of appropriate protection levels are activities that require early participation from the business side of the organization. Those responsible for business operations are better equipped to determine what is critical to the organization or the mission, and to articulate acceptable and unacceptable consequences of risk mitigation measures proposed by the security staff. 

Most organizations would benefit from revisiting the framework used to support risk decisions. The framework should bring together stakeholders from the security disciplines and the operational elements. The framework should provide a forum and a repeatable, traceable process to identify critical assets, revisit threats and associated vulnerabilities, and plan and monitor synchronized actions taken to mitigate risk. Its participants should monitor changes to the organization and its mission, and stay abreast of best practices and other developments in the disciplines represented. In such a fashion, integration across security disciplines may be achieved and the organization maintains the capability to think through and manage evolving risks to the enterprise, regardless of origin.