Integrating Physical and Cyber Security: Strategies that Work

What is the average age of a Chief Security Officer today? Would 50 years be a good guess? A CSO in this age range will have been working at some aspect of protection services, then since the 1980s, and at least since 1990 leading up to this current career pinnacle. Consider then the environment today’s CSO has worked through over the past 25 to 30 years. 

Considering that between 1985 and 1995 computers were more commonly associated with games, academia and entertainment, and considering security professionals were just beginning to see the emergence of computer technology into their work space, a CSO today has only begun to operate with an IT security focus since about 2004 or later. Y2K woke up many individuals to the realization that computers play a larger part in our lives than we had previously contemplated and ushered in more than world-wide terrorism for security professionals. Certainly, within critical infrastructure protection circles, information technology allowed for new security tools to be deployed and added some physical security concerns such as server room protection, but IT security has not been forefront. 

IT security in the same environment has been limited to a handful of specialists who have grown the IT security discipline within industry and taken up challenges related to critical cyber asset protection in a way that traditional security professionals could not. But IT security has typically not crossed the line into traditional protection planning in many instances. IT security professionals have often been relegated to server rooms and backrooms out of sight and not part of the traditional security team.

 In 2012, the world view is such that IT security (or cyber-security) has exploded to become the primary focus within security debates, news stories, government legislation and critical infrastructure protection initiatives. IT security has taken center stage in critical infrastructure protection. Security professionals in CSO roles now see cyber-security as central in initiatives related to regulation and standards. The traditional security professional may feel somewhat out of step as IT security professionals such as Chief Information Security Officers (CISOs) suddenly take senior posts within organizations. Even within organizations whose primary business is focused on physical assets like pipelines, dams, water systems, nuclear plants, museums, transportation systems and so on, an IT security shift is apparent. All of this creates a new paradigm. 

At a time when international espionage, nation state attacks and terrorism adopt cyber weapons, priorities for security professionals must change. In a climate where employees still use their birth dates as passwords and key vendors are still building backdoors into critical applications and defaulting factory passwords to something as mundane as, “password”, what does an organization do to protect its cyber infrastructure and also shift security culture without reducing protection across its extensive physical asset base? Does IT make business happen or simply support it? Is that question even relevant?

Today, security professionals are challenged to protect critical cyber assets as well as the infrastructure the IT serves. Not only do physical assets and their related Operational Technology (OT), like Programmable Logic Controllers need priority protection from a number of threats, access to these assets has been given network access. Assigning protection to server rooms and facilities is now only a relatively small part of the protection formula. Along with insider threats, and IT-savvy insiders at that, threat actors can reach our critical assets and their operating systems from around the world. Stealing financial records, intellectual property and personal information through hacking is scary enough. Gaining access to OT controls that assist in the operation of major dams, pipelines, railway systems, nuclear plants and the like is somewhat terrifying. Security leaders are now faced with a fully integrated problem that cannot be solved by independent security teams working in isolation from one another.

Security principles have not changed much in the past 30 years, but the application of those principles is shifting daily. Addressing integrated security disciplines to ensure a cohesive and collaborative security solutions environment in any organization requires a number of coordinated things to happen efficiently. These include information sharing, collaborative planning, new education platforms, shared risk management practices and much more where IT and traditional security experts combine resources to achieve protection goals.

The Utilities Security Council of ASIS International has partnered with security professionals from (ISC)² to draft a white paper on the topic of security integration and the challenges associated with integrating the IT and traditional security disciplines. This paper provides some important solutions for bringing traditional security and IT security into a collaborative and truly integrated partnership and directs the discussion to address security in the new paradigm. The priority concern today is that we recognize the need for an integrated approach and that critical infrastructure and security management be well served through effective security leadership. This paper will be discussed at the 58th Annual ASIS International Seminars & Exhibits, in Philadelphia, PA. 

Join us on Tuesday, September 11th, 2012 at 11:00 a.m. for session #3115 to hear Utilities and IT security professionals discuss, Integrating Traditional & Cyber-security: Strategies that Work.

Featured

  • The Key to Wellbeing in the Office

    A few years ago, all we saw in the news was the ‘great resignation.’ Now we have another ‘great’ to deal with. According to CBRE, 2023 was the start of the ‘great return’ as office workers returned to their normal offices after working from home. The data shows that two-thirds of all U.S office buildings were more than 90% leased as of Q2 2023. Read Now

  • Failed Cybersecurity Controls Costing U.S. Businesses $30 Billion Yearly

    Panaseer recently released ControlWatch and the Continuous Controls Battle: Panaseer 2025 Security Leaders Report examining the cost of cybersecurity control failures and the impact of growing personal liability for security failings on security leaders. The report analyzes the findings of a survey of 400 security decision makers (SDMs) across the US and UK. It shows that security leaders feel under increasing pressure to provide assurances around cybersecurity, exposing them to greater personal risk – yet many lack the data and resources to accurately report and close cybersecurity gaps. Read Now

  • The Business Case for Video Analytics: Understanding the Real ROI

    For security professionals who may be hesitant to invest in video analytics, now's the time to reconsider. In a newly released Omdia report commissioned by BriefCam (now Milestone Systems), the research firm uncovered a compelling story: more than 85% of North American and European organizations that use video analytics achieve a return on investment within just one year. The study, which surveyed 140 end users across multiple industries, demonstrates that security technology is no longer just for security — it's a cross-organizational tool that delivers measurable business value far beyond traditional safety applications. Read Now

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

Featured Cybersecurity

Webinars

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3