Adding cyberskills to your arsenal

By Andrew Snook

There is a convergence taking place within the security industry.

As online threats become more common and complex, physical security professionals need to be familiar with cybersecurity to work more effectively with their counterparts who specialize in that type of security.

That’s not to say they will need the same level of expertise, but every year the lines between cyber and physical security have become increasingly blurred, and successful mitigation strategies are largely dependent on looking at problems holistically, explains Gary Schoenhaar, corporate security manager for Fortis BC.

“Comprehensive solutions today need to be integrated and will typically involve a combination of physical, technical and administrative controls to maximize the probability of success,” he says.

“There’s an old adage in cybersecurity: ‘If you can touch it, you can own it,’ which implies a baseline level of reliance on physical security at its core…. By physically protecting assets, we’re restricting access to confidential information systems; we’re preserving the physical integrity of our assets, which enables their continued availability. We’re in effect working on different angles of the same problem in many cases,” he adds. “Security is security in my eyes and the potential is there for every practitioner to provide some form of value in both arenas.”

Owen Key, director of advisory services, risk consulting, KPMG, says it is possible to achieve success with a holistic approach to security – a combined information security and physical security entity to provide resilience for an entire organization. However, this approach is not one size fits all.

“A lot of organizations will maintain information security within IT, for example, and corporate security or physical security within other locations,” he says.

When companies decide to keep these security operations separate, Key says they should be looking at enhancing collaboration between information security and physical security within those areas.

“Ultimately, I think most security professionals on both sides of the coin should be well versed and schooled in physical security, cybersecurity, governance, risk and compliance. And I would throw in a smattering of some legal skill sets, and maybe some major case management and crisis management,” he says. “To that end, I think there’s a lot of similarities between the disciplines, and very similar methodologies that have happened in both physical and cyber.”

The similarities between the two include asset identifications and prioritization; vulnerability mitigation; security design and implementation; monitoring; initial triage and response; major incident response; regulatory and legal compliance; and threat risk assessments; according to Key.

“Ultimately, can you do both IT security and physical security successfully? Absolutely,” Key says, adding that he and several other security professionals across Canada have already integrated the two quite successfully. “I think there’s a lot of security professionals that can bridge that gap between those areas, and can be highly valuable assets towards those organizations.”

Sherri Ireland, president of Security Exclusive, says companies should work with professionals within both the physical and cybersecurity spaces and not expect one team to handle both types of threats.

“I think the industry is always going to have specialists on both sides,” she says. “The threat landscape on the cybersecurity side is evolving pretty much daily … you have to constantly keep yourself up to date.”

Increased efficiency

One big advantage of physical security professionals increasing their cyber knowledge is that it allows them to work more effectively with their IT security departments.

“This in no way means that you must be a technical expert, or understand all the intricate details of information systems, software, and/or networking to work together effectively; however, I do think it’s valuable to possess a baseline level of knowledge,” Schoenhaar says.

“Typically, technical resources and cyber budgets are comparatively greater within most organizations, so having the wherewithal to champion physical security as a direct contributor to cyber anywhere and everywhere possible should help develop this mentality of cross-pollination and collaboration, which, in turn, reduces the probability of siloed activities and increases the potential for greater effectiveness across both security teams.”

Key adds that having a solid understanding of cybersecurity can improve collaboration within those teams.

“I think it facilitates better communication. Professionals on both sides speak the same language, they understand each other’s concerns and priorities. That collaboration is great for identifying and mitigating security risks across the whole organization,” he says. “And I think physical security professionals with some cyber knowledge are better equipped to assist potential cyber threats that may impact some of the physical security systems.”

Keeping up to date

How frequently should physical security professionals update their IT knowledge? Continually, if you want to be good, says Schoenhaar.

“Twelve, 15 years ago, for example, ‘cybersecurity’ wasn’t a household term. Now, it’s referenced daily in media, boardrooms, and across the majority of industries around the world. Security is a dynamic field by nature. Threats evolve and emerge all the time. There are dozens of associations, institutions, journals, articles, and dedicated resources whose mission it is to provide practitioners and industry with lessons learned, subject matter expertise, discussion of current events, providing platforms for connection and engagement with peers, etc.,” he says.

“Continuing education in this space should be a component of one’s professional performance plan and prioritized. Not doing so adds risk to your organization or clients, and makes you less effective over time.”

Ireland says it is likely the industry will see more and more of the physical security professionals pursue other designations, like the CISSP (Certified Information Systems Security Professional).

“I have my CISSP, but I don’t consider myself a network expert. I wouldn’t go sit at the table and pretend that I can design a system. But what I tend to do now, having that designation, is understand the risks. I understand the language,” she says. “When you have a seat at the table. You’re able to contribute, as opposed to not really understanding what people are talking about.”

Improving prospects

Does having knowledge of IT improve job prospects for physical security professionals? Schoenhaar thinks so.

“It should for the right employer – and to be clear, that doesn’t necessarily mean it’s mandatory to have a related university degree or certification in either physical and/or cybersecurity, but I believe these demonstrate a generally accepted and formal degree of aptitude at a given point in time, and are typically a good way to distinguish yourself in a competitive marketplace,” he says.

“I also think it signifies commitment, humility and leadership towards your craft — all of which can make you more of a tantalizing prospect for employers looking to develop their respective security teams.”

Key says companies need to recognize that they are looking for more well-rounded security professionals that have knowledge of both physical and cyber security.

“Even though they might be trying to hire a specific cybersecurity professional or specific physical [security professional], having that knowledge … that can cross those boundaries is imperative, and so, even if they’re not practicing within the cybersecurity realm, looking for some project management experience or certifications is really important,” he says.

“For example, a physical security person having their PSP, but also having gone out and obtained a CISSP, for example, I think is a valuable cross-collaboration indicator that they can work in that environment.”

When it comes to improving job prospects, Ireland says gaining that additional cybersecurity knowledge is a “game changer.”

“When you’re being interviewed, I think you’re going to have an IT person at the table,” she says. “I think they’re going to be gauging your understanding of network security. They’re not looking for you to be the expert, but expect you to speak knowledgeably.”