We live in a world of expanding risk with daily reminders that organisations should not overlook physical security while safeguarding themselves from cyber threats.
“Geopolitical uncertainty, meanwhile, has become the second biggest concern, cited by 74% of business leaders.” PwC Global CEO Survey 2016
“More than a fifth of corporate risk managers now list terrorism as their main concern.” Sunday Times, 31 January 2016
Getting investment right in terms of cyber security is vital – but has this come at the expense of an equally necessary focus on physical security? After all, the damage will be just as serious if an attacker reaches your business, building, or people in person. We believe that the question which should be kept under review is one of balance. Those concerned should ask themselves whether there is a gap between the focus on cyber defences and the attention given to physical security elements such as travel security, access control, CCTV, guarding arrangements, and building design – less sophisticated concerns perhaps, but no less damaging in the event of failure.
One simple litmus test is to consider the relative positions of information security and physical security. Do both strands have distinct leadership? If so, do they ‘sit’ together? Are the right controls in place to maximise the effectiveness of their respective activities? Do they both have risk-relevant access to sufficient financial resources? Do they report up within the organisation via a single channel which can maintain a balanced view of threats, risks, counter-measures, and respective resourcing? It is not uncommon for information security to be aligned with an organisation’s risk management structure, while physical security is managed at a much lower level – or with considerably less board-level oversight (and interest). This creates gaps in a security programme which could be exploited by a variety of low-tech threats.
Our use of the word ‘programme’ and not ‘programmes’ in the line above is deliberate. We believe that to provide effective mitigation of security risks, it is essential for both information and physical security to be part of a single, integrated security risk mechanism. The one is neither more, nor less, important than the other. Balance is all.
What is the situation in your organisation? Do you ‘mind the gap’?