THE WAY WE WERE
Some may not be old enough to remember this haunting ballad by Barbra Streisand but it set me thinking about the way we view security today. Security and tech journals, my Twitter feed, a lot of main stream media and even colleagues who have spent a lifetime in the industry are talking about cyber security and about physical security. The majority of dialogue is about these two topics. If you were new to the topic, a student or a journalist working under pressure to get an article out quickly, then you might think that’s all there is to it: Cyber security and Physical security… simples!
Am I bothered? Well to start with, 5 possibly 10 years ago, I probably wasn’t. I’d been trained to what now equates to degree level in security, and had over 20 years experience. I’m not claiming to be an expert, but when I started, dealing with the security of a women’s refuge or the nuclear deterrent, broadly required people who had a similar understanding of the threat and of the principles of security. If you are one of those people, then please look away now, otherwise you may quickly become bored.
What does concern me is where a narrative starts to develop and goes unchallenged, then perception and processes change, we assume for the better.
The meme above is how I see that perception today.
Change is necessary. The business of security is dynamic: threats change, business operations change, the geo-political and economic situation changes. These changes all have some effect on security in the public and private sector. In many places it seems that we, as security professionals, are changing the way we think, and I’m not sure its all for the better. In this over-simplification, have we thrown the baby out with the bathwater?
Over at the US Naval War College, counter-intelligence professional John Schindler (@20committee) has been talking for some years about “Twitter experts”. Tom Nicholls (@RadioFreeTom) has even published a book: The Death Of Expertise.
The chart below is an approximation of what security thinking used to look like when protective security was on everyone’s agenda. Two items appear in green, they are facets of security called security intelligence, which sit apart from protective security, but are key to the protective security function. Whilst they are shown here as a cycle, it could probably be shown as a series of concentric rings providing defence in depth.
BCM – ASSET DISCOVERY
Before you can start to deploy security you need to understand what it really is that you are protecting. From business continuity management a business impact analysis should look at what it is that you really need, to keep your operation running. The business impact analysis should also help you to place your assets in order of priority and perhaps help you to determine your minimum acceptable interruption time.
Asset discovery is part of this. You may not know exactly what you have on your real estate and where it fits in to your operation. Asset discovery also includes your remote and external dependencies: your supply chain; contract labour and your telecoms and energy connectivity. At this stage you would start to evaluate your existing security: is there enough; is there too much?
If you work in critical national infrastructure or government, then you will probably have a threat assessment from a national agency. However, you should also be taking the threats you are dealing with locally, in to account. In the UK, local authorities are also obliged to produce a risk register of natural and man-made hazards. These will also add an important local dimension to your threat assessment. You will be looking at threats to the confidentiality, integrity and availability of your assets. At the end of this stage, you may already have a view of where the risks lay in relation to your most valuable assets.
COMPLIANCE AND PROCEDURES
Compliance involves your legal and contractual obligations, including how you flow these down to your supply chain. In the UK, company law also expects businesses to be identifying and working to best practice. The application of risk management principles has been part of UK government security policy for over 20 years, this is now covered by ISO31010, the international standard for risk management. It involves boardroom level risk management and placing risk ownership at the top of the organisation. Procedures might include instructions for guards and receptionists, acceptable use policy for the IT system and destruction of confidential waste. The more complicated, or out of date, procedures and instructions become, the less likely they are to be read or implemented.
There are two elements to personnel security: First: the recruitment process and secondly, during employment. If there are as many as 9 pillars to protective security, then personnel security is certainly one of them. Your HR department is a key part of the security team. Apart from compliance, they have an important part to play in countering the insider threat. For the principles of a baseline personnel security standard, the UK government website might be a good place to start.
Checking on-line resources including social media, are increasingly recognised as a best practice measure for helping to counter the insider threat at the recruitment stage. Individual’s employment contract is another vehicle for communicating security requirements and responsibilities to new employees.
During employment, security might also be included in the annual objectives for members of staff. In some circumstances, good security behaviours might even attract some form of reward or recognition.
As discussed further below, your people themselves are a business asset. In some cases they may also be your last line of security defence. Good line management is also regarded as one of the best forms or personnel security. Ensuring that staff feel engaged, valued and recognised for their work, is an important part of maintaining team cohesion and loyalty. In some sectors, where staff turnover might be high or skills in short supply, good line management may also help to prevent or reduce staff churn. Reduced staff turnover has other benefits in terms of reduced business impact and reduced recruiting costs.
Locks, doors, guards, dogs, patrols, access control, identity, alarms and CCTV are what people generally regard as physical security measures. They are generally deployed in depth to provide increasing levels of protection. But are they protecting the right things, are they configured to counter current threats, or have they remained frozen in time from the year dot?
Well managed security staff, be it physical security or logical security, will feel valued and part of the enterprise.
Contemporary risk management practice will look to protect all its essential assets. These could be IT systems, other information, manufacturing or processing plant, senior executives, vulnerable staff or those with vital and unique skills. From a security perspective we have grouped these together under asset protection.
Information systems security does not sit alone in a silo, the insider is a well-recognised form of threat and personnel security has as much a part to play here as technical security. The other strands of protective security need to be able to mesh with the INFOSEC strands.
Some might think that communications security is swept up under information security. I believe that there are often gaps here, and it needs to be covered as a separate field. What people communicate on social media, or in a first-life social environment, or even on the phone, can often disclose information of use to an adversary. Those concerned about industrial espionage are also starting to take a serious look at mobile phone vulnerabilities.
This is about keeping your people safe. People at differing levels in an organisation all require security. Senior executives may require their own protection detail, lone workers will have other protection needs. Staff working in weak or fractured communities will have other collective security requirements. Employees in conventional factories and offices will also need to be catered for in the event of real or perceived criminal or terrorist acts. For people security, it is clearly the availability of our people that we are worried about. The security of your people is referenced in international standards for information security and business continuity.
Effective business continuity management is vital to maintaining the integrity and availability of your products and services. Business continuity thinking accepts that you could take some kind of degradation on your operations by natural or man-made hazards. Business continuity planning helps you to predict these possible issues and work out how to bounce back in the event of a failure. It also considers your supply chain and communicates your resilience needs to them. Your commercial and sub-contract staff have a key role to play here, in communicating those needs.
EDUCATION, TRAINING AND EXERCISES
- Education: In this case, security education, is regarded as providing the broader user community with information they need to understand the nature of the threat, and the basic security and resilience procedures within the organisation. By helping staff to understand the real risks they and the enterprise face, they will be better informed and better inclined to understand the needs for security best-practice.
- Training: This is regarded as more about providing skill and competence to perform a particular security role. Often this will be role-related. Examples include: CCTV operation for security personnel; training on validating identity documentation and references in the HR department; data back-up and restoration for system administrators, and strategic incident response for the C Suite.
- Exercises: Exercises can server a number of functions. i) developing “muscle memory” within a team, so that the group become familiar with performing tasks related to emergency response. This builds confidence within the team. ii) Collective exercises involving multiple teams from different disciplines working together on a specific scenario. This gives confidence to individuals, teams and the organisation. iii). Assurance exercises. These can be run on a local, enterprise, national or international level, to evaluate or test contingency plans. This provides the C Suite with assurance that plans are fit for purpose. Assurance exercises have a part to play in both internal and external audit activity, giving confidence to both internal and external stakeholders.
AUDIT AND ASSURANCE
Most security and quality-related ISO standards recommend the implementation of internal and external audit programmes. This will provide management and external stakeholders with assurance that the organisation has the right security culture, values and standards in place. Business and Government customers, increasingly demand security standards compliance as part of due diligence and contracting processes. Security assurance can take many forms in addition to standards compliance audits. Such methods could include:
- Security advisory visits.
- Security surveys and inspections.
- Physical and Logical penetration tests.
INCIDENT RESPONSE / INVESTIGATION
Security investigations are essentially defensive in nature and have three specific functions:
- To determine the extent of the breach and support damage limitation and counter-compromise activity.
- To ensure policy and process is changed or applied correctly to prevent re-occurrence of the breach.
- To confirm or deny the involvement of specific adversary threat groups.
For this reason it also forms a component of security intelligence / counter intelligence activity and is shaded green. Sanitised versions of security investigations can later be used to provide case histories for security education and training.
A top-level re-appraisal of all security assessments and policies should be conducted on an annual basis; before any significant changes to business operations; and after a major security breach. The outcomes of investigation and assurance activity helps to inform the need for policy changes or threat assessments.
And so we come back to the beginning of the protective security cycle. You could show these entities as concentric rings providing defence in depth. We are not going to fall out over that. I don’t take credit for this, it comes from a time where the threat was: Espionage, Sabotage, Subversion, Crime …. oh and we have this new thing called Terrorism.
Since then we seem to have locked ourselves deeper in to security silos just talking about Physical and Cyber. Well its time to remember that protective security is far more than this. As professionals we need to be out there dealing with the rest of the enterprise: operations, supply chain and sub-contract, HR, Legal, IT, Learning and Development / Training, even Audit.
Physical security professionals have a huge role to play so please, let’s stop this binary narrative, let’s get out there and integrate!
About Mark Chapple MSyI
Mark has worked in a huge variety of sensitive security roles (hence no pic…) over the last 40 years, from H.M. Government, to international aerospace companies.
Among other things, he is currently a Managing Consultant at SRSRM Ltd