Why it’s time to establish a holistic approach to physical and cyber security
David Clark, Head of Security at The Francis Crick Institute
With digital technology now influencing every aspect of our lives, it’s easy to forget that the accompanying industry of cyber security is barely more than 20 years old. Go back past the last two decades, and the term “security” would have referred purely to physical measures such as reinforced doors, CCTV and ID passes.
Until very recently, the disciplines of physical and cyber security were almost always treated separately, and their operations were kept in their own silos, much as we expect from HR and finance. Whereas physical security usually falls under the CSO, cyber issues are managed by the CIO or CISO, and there was very rarely much communication between the two.
However, while cyber deals with firewalls and passwords, and physical security deals with real barriers and identity passes, the two fields share the same basic objective – to stop bad guys from accessing company assets and harming the business.
The value of a united approach
I believe it’s time that we bring all threats facing the business together under the single banner of resilience, covering everything from physical and cyber threats from criminals to related fields like disaster recovery.
Uniting all of these areas under a single business unit delivers several advantages. Most obviously, it would save on personnel costs and create a more streamlined operation that avoids duplicating work unnecessarily.
More importantly though, taking a holistic view of security would enable the organisation to better see the bigger picture and spot potential gaps and shortcomings in its security strategy. There is little point investing in high-end security solutions to protect the enterprise network if the physical assets are left poorly protected, and likewise no reason to invest in heavy physical security to protect IT assets that aren’t actually valuable.
The need for a linked physical and cyber strategy has been demonstrated by several notable cases of thieves targeting IT hardware over the years, such as the recent incident in Iceland where two thieves raided a datacentre and stole 600 servers being used to mine bitcoin.
Here at the Crick, we hold a lot of very valuable intellectual property such as scientific research, which would fetch a high price on the black market. These assets are under threat from both physical and cyber-attack and, as such, our security strategy needs to address both risks together.
Moving towards a holistic future
The inherent value of a truly joined-up approach became even more evident while I was serving as Chair of the UK Security Commonwealth. The organisation brings together a wide variety of security membership organisations across cyber, physical and investigations, and seeing the synergy between different aspects of security highlights the vast possibilities of converging physical and digital strategies.
The approach of combining different branches of security together under the discipline of resilience is a fairly new one and, as with most new ideas, it is taking a while to filter through organisations. However, I believe it will become a mainstream strategy over the next 10 years as more companies realise the benefits – and I say this as someone with a long background in old-school physical security. If professionals in both fields begin learning from each other and upskilling in new disciplines, we can create a security environment that better protects against all forms of threat.