As the lines between the physical and digital worlds increasingly blur, companies are eager to remove the boundaries between how these realms are managed, experts say.
The growing use of cyber-physical systems, in which a mechanical function is controlled by software, and the advent of the Internet of Things, a catchall term to describe everyday items connected to the internet, will spur more companies to examine a security model that blends traditional corporate security and cybersecurity, said Katell Thielemann, an analyst at technology research company
“We really should have a chief security officer, period, who might have a chief information security officer reporting into him or her, as well as physical security, health, safety and supply chain security,” she said.
Physical damage from cyberattacks is a growing concern. In 2019, malware disabled a ship on approach to the Port of New York and New Jersey, leading to worries such attacks in the future could cause physical or environmental harm. The Stuxnet virus also inflicted damage at Iranian nuclear facilities in 2010 when a computer worm caused centrifuges to overload.
Most companies operate separate physical, business continuity and cybersecurity operations, with only 19% combining all three into a single department, according to research published in January by security trade group Asis International.
At computer maker
Chief Security Officer John Scimone oversees a converged physical and cybersecurity group, which he said was already in place when he arrived at the company in 2017.
Mr. Scimone, a former CISO for
said this merging of functions is necessary for defensive operations to match how attackers operate. Benign attackers, including penetration testers and red teamers hired to test an organization’s defenses, for instance, use a range of tactics to break security. These include hacking as well as physical methods such as social engineering and even breaking and entering.
Malicious hackers do the same, he said.
“If we’re looking at this from a risk management perspective, and the risks themselves are converged, to operate in a manner that isn’t converged is artificially inhibiting,” he said.
A blended approach brings other benefits, Mr. Scimone said. In addition to cross-training physical security staff in cybersecurity matters, and vice versa, it enables companies to incorporate emerging threats that may not have been accounted for in past business continuity measures. For instance, while disaster recovery plans in the past may have purely dealt with the effects of an earthquake or hurricane, security staff also now are trained to deal with other types of disasters, such as a large-scale ransomware attack, he said.
Implementing models such as this isn’t for everyone, and every company is different, said
managing director of the Security Executive Council, a research firm based in Marietta, Ga. Rather than approaching the issue as an organizational problem, however, Mr. Hayes said the ultimate aim should be to implement a system that properly addresses risks to the business.
“What you’re defending against is malicious intent, and that’s why they should work together now. What’s the difference between corporate and IT security? There’s almost no difference; IT security just addresses a delivery method,” he said.
Those risks are only set to increase as technology becomes increasingly key to operations. Even loss of life as a result of hacks could become a real possibility as cities and companies increasingly digitize broad aspects of their operations, said Ms. Thielemann of Gartner.
Hacked drones or autonomous vehicles, for instance, could be used as weapons, she said. Hacking sensors used to monitor traffic patterns also could cause physical damage in connected urban environments.
“Bad actors don’t care that your physical security lead doesn’t talk to your chief information security officer. If anything, for them, that’s a good thing,” she said.
Write to James Rundle at email@example.com