Why should you combine physical security and cybersecurity?

The virtual world merges with our physical world in thousands of new ways every year. This reality is growing much larger than popular fantasy games or the ever-growing billions of social media users.

From more online shopping to an explosion of virtual meetings during the global pandemic to the reliance on online apps for driving directions, most Americans rely on their smartphones in daily life much more than they did a decade ago.

In fact, in 2016 it was claimed that digital leaders merge the physical and the virtual. Here are six business reasons why (with details in the reference article):

  • Expansion of the product range
  • Selling an experience
  • Expanding their footprint
  • Enrich customer service
  • Develop the ability to tell their story
  • Access to rare features

Which leads to this question: why do most public and private sector organizations continue to keep separate security organizations for their physical and cybersecurity functions?


The concept of uniting physical security and cybersecurity is far from new, and dates back decades. In 2005, Derek Slater introduced me to this concept in this excellent CSO Magazine article:

“Sanders defines convergence as the integration of logical security, information security, physical and personal security; business continuity; disaster recovery; and security risk management. (Logical security focuses on the tools of a networked computing environment; information security focuses on the flow of information in both the logical and physical environment.) Cost savings are one of the important benefits of this comprehensive security strategy. Because there is always some duplication in a stove-oriented security organization, for example, in overhead and programs, it is more cost-effective to manage an integrated one. Not only that, duplication can lead to unproductive lawn battles between security groups for resources, he adds …

“Gathering different safety silos in a large happy family and running the combined organization can be much easier when a person is at the top.

“When there is a single point of contact, the CFO or CEO can pick up the phone and quickly dial the CSO instead of having to pull out an organization chart to find out who to call with a security question.”

In 2011, when I went from being the Michigan business CTO to a new role as a business CSO, we merged physical and cyber security into state government with the goal of protecting critical infrastructure. Our goals were:

  • Establish Michigan as a world leader in cyber awareness, training, and citizen security;
  • Provide state agencies and their employees with a single entity responsible for overseeing the security and risk management issues associated with the assets, properties, systems and networks of the state of Michigan;
  • Assist in the development and implementation of a comprehensive security strategy for all resources and infrastructure in the state of Michigan; and
  • Improve efficiency within the Department of Technology, Management and Budget and offer a combined approach to emergency management efforts.

In an interview with Eric Chabrow at the time for BankInfoSecurity.com, I said, “There are a variety of features that our physical security organization provides, from issuing a badge, to using parking, entrance to the buildings, [and with] of identification, we are increasingly talking about digital identification and how we can lead these discussions around proximity readers. How can we use this thing you have, this identification, this image of you, also as digital identification? Joining this from an identity management perspective is one of the areas where we see some synergy.

“Working together on projects such as cameras, we send digital images to our networks. We have information that runs through our networks that … has historically been open. Just as the telephone system is merging with computer systems and voice-over technology and there is more and more technology, you have more and more different functions that drive our networks through IT. There are a variety of ways to work together.

“Another example would be how the two organizations will provide security to the company and different buildings through a combination of technology and physical security, such as protections and different protection measures that are normally used to secure buildings and places. We believe that working as a team, we can be more cohesive in our mission. I also believe that a holistic look at how we work together in all of our IT functions and all of our physical security functions will be important as we increasingly integrate functions into our department, our technology management and budget function, in Michigan State Government.”


In 2018, Congress formed the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. CISA is the country’s risk advisor, working with partners to defend against current threats and collaborating to build a safer and more resilient infrastructure for the future.

This excellent CSA report for 2019 outlines some of the benefits of cybersecurity and physical security convergence:


“Convergence is a formal collaboration between previously disconnected security functions. Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate, and respond to threats. Convergence also encourages information sharing and the development of unified security policies between security divisions.


“An integrated threat management strategy reflects a deep understanding of the cascading impacts on interconnected cyberphysical infrastructure. As rapidly evolving technology increasingly links physical and cyber assets (spanning sectors from energy and transportation to agriculture and health), the benefits of converged security functions outweigh the challenges of organizational change efforts and allow for a flexible and sustainable strategy anchored in shared security practices and goals.”

Many private sector organizations also see the value of convergence. This 2019 article in buildings.de deals with “Why it’s time to converge physical security and cybersecurity”:

“Internet of Things (IoT) enabled air conditioning systems are more efficient, reliable and easy to use for your occupants. But because of these cloud-enabled features, they are also a target for hacking.

“Because it is probably less protected, attackers can use any network vulnerability in your air conditioning system to infiltrate your building’s larger network, affecting or altering physical operations. This hypothetical situation demonstrates how physical security and cybersecurity can overlap.”

One more thing: a Dataminr article says “The SOC of the Future Converges”:

“When talking to customers about their security operations centers (SOCs), one word inevitably opens up in the conversation: convergence. They want to know if they need to combine their security operations, usually cyber and physical, so that they can live under a single unified security function.

“I always want to have these conversations because the SOC of the future is convergent. Organizations with SOCs of the best category have already followed the path of integration. And now, many security and risk leaders have to respond to the call for convergence, which has intensified due to the risks posed by the COVID-19 pandemic and the adoption of Internet of Things (IoT) devices.

“Although these leaders have made ad-hoc adjustments to recalibrate to the new normal, the underlying problem remains: how to better identify, mitigate, and respond to risks in multiple security operations when the surface of these risks is larger and expands continuously.

“Converging SOCs can absolutely solve these challenges, but to do so successfully requires an integration strategy that takes into account three key areas: people, processes and technology. Next, I explore what this means for those building SOCs of the future, including best practices adopted by safety and risk leaders.”


Most of the negative responses I hear from state and local government leaders about security convergence come from governance concerns (these roles are found in different agencies or funding groups) and/or staff concerns (we don’t have the capacity nor the knowledge needed to make this work).

However, there is a growing gap in the ability of governments to equip with cyber equipment. And with the desire to do more with less staff, my argument is that you can reduce risk, offer a better repeatable service, and offer a lower cost by combining the two functions.

One lesson learned from Colonial Pipeline and JBS and other critical infrastructure ransomware attacks should be the relationship between cyberattacks and critical infrastructure protection. So why do we manage these risks in silos?
