Lessons From When Cyber Security Meets Physical Security

Data security and what qualifies as "reasonable" security is on everyone’s mind these days – at least if you’re involved in IT, or responsible for addressing any aspect of the “GRC” troika of governance, risk management and compliance issues. Sometimes overlooked on the cyber side, however, is the interaction of cyber with real world, physical security and how the two can mutually reinforce and benefit each other and security overall.

This fact was brought home as I attended in New York City this week ASIS International’s Security Conference and Expo, which was colocated with the Computer Forensics Show  and CyBit (Cyber security and IT security) Expo.

The frequently beefy, bull-necked attendees at the NYC ASIS conference, where you couldn’t turn around without running into someone wearing the dress uniform of a federal, state or municipal law enforcement agency, were a far cry from the populace that generally patrols and sits on panels at cyber security events. But we should rub elbows with our colleagues manning the physical security wall more, for a variety of reasons, not the least of which is that many physical “security” solutions will soon or already have embraced the digital and increasingly digital security controls and contracts address – or should be addressing - physical security specifics with more particularly that in days past.

For example the well-received and increasingly influential final of NIST’s Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-54 Rev.4, released last month, makes frequent note that one of the eighteen members of the security control family is squarely that of “Physical and Environmental Protection” (see SP 800-53 Rev.4 Appendix D, Page D-5 and Table D-13: Summary – Physical and Environmental Protection Controls). NIST additionally offers several special publication devoted to aspects of PEP controls, such as NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.

In a closing conversation at CyBit with Matt Gardiner, Sr. Manager, Product Manager, at RSA, we discussed the foundational premise of his presentation on “Security Monitoring and Data Privacy – How to Strike the Right Balance” which is that cyber security has traditionally focused on prevention, detection and then responses.  While each leg of the three-legged cyber security stool is fully formed, the "detection" leg isn’t as sturdy these days as the prevention and response legs, which gives the entire stool a notable wobble (a fact confirmed by the recent 2013 Verizon Data Breach Investigation Report, which we covered here, noting that in 66% of the cases reviewed it took from months to years to detect the security incident).

Granted, the ASIS exhibit floor was chock full of specialized metal detectors, hardened equipment, emergency supplies and vendor after vendor providing digital video and camera surveillance solutions along with booths from the U.S. Secret Service and, yes, cloud software vendors. But I think we on the “cyber” side of the security fence can learn a great deal from how our counterparts on the physical perimeter plan for, detect and address security issues because we should, when possible, apply a more “holistic” security approach to the goals sought, regardless of the “form” of data.

This final conclusion was vividly driven home as I worked recently with a “traditional” records storage client (read truck loads of redwelds and bankers boxes rolling into secure warehouses) that is developing a cloud-based digital records service firmly at the intersection of the physical and digital records arena and implicating every security need.  Contract and security controls set in the physical records world have historically and still reflect an approach to security and liability allocation that is starkly different from a typical “cyber” services agreement. It is high time for the two facets of security to meet and join forces to address overall data “security” as one: neither exclusively physical, nor totally cyber.  Stay tuned for further coverage of this topic, specifically on what contract and SOW provisions to probe deeply regarding the physical security front.