CEOs today overwhelmingly prioritize cyber over physical security according to a May 2019 study, “Cyber and Physical Security: Perspectives from the C-Suite” by the Center for Cyber and Homeland Security in partnership with the International Security Management Association. Retail was the fourth largest sector represented in the survey respondent pool, comprising 8.2 percent of the total.
“CEOs and corporate boards of directors are recognizing that a greater amount of dynamic risk attaches to cyber security-related matters than to physical security issues,” the report concluded. “However, survey results do not indicate a diminishing role for physical security. Instead, respondents tended to report a unified security plan.”
One likely explanation for the pursuit of a holistic approach are blended threats, including the insider threat, and the importance of physical security to the integrity of company networks. “The integrated approach, as indicated in the survey results, will require greater coordination and information sharing between Chief Security Officers (physical) and Chief information Security Officers (cyber) offices to ensure their respective agendas complement rather than hinder one another’s operations.”
It’s a tough challenge, according to a study in the latest Journal of Safety and Security Engineering, “Towards a Conceptual Foundation of Physical Security, Case Study of an IT Department” (Vol. 9, No. 2, 2019). “Protecting physical data, networks, and systems has become difficult, increasingly costly, and tougher to manage as technology and environments become more complex and dynamic.”
The study’s primary recommendation for physically securing IT components will be familiar to loss prevention executives. “Like the layers of an onion, different layers of protection are built around the nested components of an information system,” the study concludes. For example:
- The building where equipment and files are located,
- The room where equipment and/or files are located,
- The computer hardware,
- The computers’ operating system, and
- Files and data including paper information.
A Layered Security Model
The security model proposed in the study differs from a traditional architectural blueprint approach to layered security, however. It’s insufficient to simply map the location of IT assets against physical controls, such as access control systems and monitoring, detection, and auditing systems. These elements are important, and necessary to keep unauthorized persons out of protected places and decreasing criminal opportunities, but it is incomplete as a strategic approach, the study suggests.
“Security is a process, not a point project (or product),” notes the study’s citation of previous security research. However, most security programs are not built and managed in a way that reflects this belief, with security processes often going undocumented and performed in an ad hoc manner, the study concludes.
What is necessary, according to the study, is a defense strategy based on the idea that security is a process. Physical security of information assets requires looking beyond the mere existence of security controls, and should instead spark examination of physical, human, and engineered elements and how they flow together to either create or mitigate risk.
Consider the following story related in a report by the Alliance for Enterprise Security Risk Management: A network interruption, initially thought to be a server crash, turned out to be the result of RAM being stolen from servers in the computer room. The culprit couldn’t be identified because the room’s surveillance cameras were malfunctioning—a consequence, building operators claimed, because they hadn’t been budgeted for maintenance of the video system. The victim of the server room theft? A police department.
As the story suggests, it’s important for all organizations to monitor and measure security performance with respect to the physical protection of information systems. For example, security penetration tests are important to see whether it’s possible to gain physical access to areas with valuable network resources such as network server rooms and other locations containing critical network components, including network wiring closets.
Tracking incidents of unauthorized access is critical, according to the Computer Security Division of the National Institute of Standards & Technology (NIST). NIST says that use of performance measures is the surest way for strategic security planners to increase accountability and link the goals of information security with security controls in place.
Incidents of unauthorized access to locations housing network servers demand special investigation, to uncover the root causes for such a critical security failure, but companies should also be taking regular temperature of how well physical security is doing to protect information systems more generally, says NIST. It offers the sample performance measure below as a way for retailers and other organizations to keep tabs on performance and bring together the information and physical security teams around the goal of protecting information assets.
Program Level Performance Measure for Physical Security of Information Systems
Strategic goal: Ensure an environment of comprehensive security and accountability for personnel, facilities, and products.
Information security goal: Integrate physical and information security protection mechanisms to ensure appropriate protection of the organization’s information resources.
Measure: Percentage (%) of physical security incidents allowing unauthorized entry into facilities/areas containing information systems.
Measure type: Effectiveness/Efficiency
Formula: (Number of physical security incidents allowing unauthorized entry into facilities/areas containing information systems/total number of physical security incidents) x 100
Implementation evidence: 1. How many physical security incidents occurred during the specified period? 2. How many physical security incidents allowed unauthorized entry into facilities/areas containing information systems?
Collection frequency: Quarterly (or as defined)
Reporting frequency: Quarterly (or as defined)
Responsible parties: Information owner: physical security officer (or as defined); Information collector: Computer Security Incident Response team (or as defined); Information customer: chief information officer; chief security officer; chief information security officer; other, as defined.
Data source: Physical security incident reports; physical access control logs.
Reporting format: Pie chart comparing the physical security incidents allowing entry into facilities containing information systems versus the total number of physical security incidents.