The security industry has accumulated vast amounts of knowledge, much of it in the form of experience. This sometimes-sensitive information is the glue that holds our profession together and protects our clients. This information has prevented countless tragedies, defended businesses and schools from disaster, secured our nation and saved innumerable lives.
We need to share this knowledge to propagate the continued evolution of the security industry; however, it would be in our best interests to protect this information as best we can from getting freely into the hands of those who can use it to harm others. We cannot assume that, just because the answer to any question lives online, we do not need to be vigilant and protect the knowledge we have. Breakthroughs and advancements in security emerge every day, and there is no better time than now to start being careful with the security information we share with others.
While recently researching information on access control systems online, specifically card access, I stumbled across multiple videos that instruct people on how to defeat these systems. I watched videos on how to alter current technology to gain door access, how to steal wireless credentials from unaware individuals and even where to purchase devices that are used to activate card readers. People experimenting and trying to crack card access technology uploaded some of these videos, but what blew me away was the number of videos uploaded by security professionals who either belong to a security organization or were invited to a security organizational event and videoed a seminar. I learned a lot from these videos, but who else learned with me? Perhaps the information we release is what we are defending our clients against.
There is no way to keep unwanted eyes away from the security industry, but it should be our duty as professionals, hired to protect life and assets, to not advertise those details that keep our facilities safe. This is one of the great benefits of joining a professional security organization or group. This is the perfect place to exchange that sort of information through meetings, seminars and conferences. The groups that hold these types of conferences should work diligently to ensure that only credentialed security personnel attend these meetings. Universities also offer a great environment to learn cutting-edge security technology. This is where we learn and share the secrets of our profession.
As a security professional, you would not offer the PIN to the front door or the combination to a lockbox to just anyone who asked. Likewise, when it comes to security, the first thing we should secure is the information we use to protect our assets. A good security professional knows the vulnerabilities in the security systems they maintain and should not share this information with just anyone. That is what we are doing when we publicize the “how to’s” of our security. We are sharing the weaknesses, not only of the systems we are responsible for but also of the systems other security professionals are responsible for. Not only are we sharing current weaknesses, but we are also inadvertently creating new ones.
I will soon be attending yet another conference and expo. Security vendors will fill the arena, and there will be breakout sessions for specific security topics. Discussions will include security vulnerabilities, the latest and greatest door locking hardware, and many other cool security gadgets. Anyone can sign up and anyone can enter the conference.
A few simple measures can help:
- Practice need-to-know. Only share security-related information with those who need to know.
- Practice compartmentalization. For larger security entities, do not permit everyone to know everything about the operation.
- Use non-disclosure statements. People will realize you are serious about your security information if they have to sign a legally binding agreement.
- Be sure those in your audience are in the security profession. If you are going to speak at a security event about detailed information regarding security vulnerabilities and mitigation, be sure those in the audience are security professionals.
- Know the difference between general security information the public should know and information that is specific to your technology and your processes.
- Ensure there are effective security policies in place to protect important security information.