Illustration by iStock; *Security Management*

Breaking Silos Leads to Better Security

By Bud Broomhead

18 December 2023

Does your physical security team exist in isolation (or within a silo) when it comes to making your systems secure from a cyberattack? If that’s the case, you’re likely to be facing significantly higher risk of being breached, a longer time to recover, and having a much more expensive outcome both in damages and business continuity. Here are a few reasons why, and some suggestions for how to significantly improve your outcome.

Physical security teams are primary targets for threat actors in part because they are operating devices with powerful computer, networking, and storage capabilities (ideal for cyber exploits) that often get overlooked when it comes to ongoing cyber hygiene. In addition, many physical security teams believe their devices are safe because they sit on segmented networks, firewalled off from the corporate network. Yet what typically happens is over time that network segmentation starts to develop holes that threat actors can use to get a foothold into your network. And with Internet of Things (IoT) cyber breaches hitting a new record in 2022 (more than 3 billion) and physical security being the most-breached form of IoT, it’s clear that malicious hackers are not going away.

Clearly changes are needed to make physical security systems more cybersecure. Physical security leaders really have three choices; continue “as-is” (and suffer increasing damage from cyberattacks), add new skills and people to your team (expensive and hard to find), or break down the silos internally and become more efficient in maintaining cybersecurity. Based on how many leading organizations are addressing this dilemma, the right answer (and most economical) is the third option of collaborating with both internal and external teams to get the job done.

Forming new alliances sounds hard, but a good starting point is to look across other parts of the organization and find who has similar issues of lack of IT skills combined with network connected devices. Typically those groups will include manufacturing, facilities (smart buildings), transportation/shipping, and so forth. Informal meetings can help to get started and gain an understanding of how others are approaching the problem.

In addition, starting (or expanding) a dialogue with both IT and procurement can help to take things further and see where additional assistance can be given. For example, if you’re planning to replace cameras the procurement team can develop cyber requirements that vendors must abide by (such as requiring the vendor have certifications like SOC2, or being able to provide a software bill of materials to help in finding vulnerabilities).

Finally, formalizing a multi-department team should be done with visibility at the highest levels within the company, especially because many boards of directors now want visibility into cybersecurity programs.

For example, in 2018 a Fortune 500 healthcare organization received credible threat intelligence showing it was being targeted by a malicious hacker group, prompting board-level focus on reorganizing around managing their attack surface management. The director of physical security was given a new role—director of IoT technology and security—leading to best practices in securing physical security technology being deployed broadly across all teams using IoT systems. Not only did this help to promote best practices more quickly, it also resulted in cost savings through using a common set of security solutions across their IoT landscape.

The efficiencies that can be gained by having a coordinated cybersecurity plan across similar teams are substantial and wide-ranging.

The efficiencies that can be gained by having a coordinated cybersecurity plan across similar teams are substantial and wide-ranging, from the selection of tools used in performing cyber hygiene to internal training of employees to having a coordinated response plan already in place.

Take for example the issue of asset discovery and threat assessment; all non-IT teams will need to have this, and for non-IT systems it will have to be an agentless solution. By coordinating the selection and deployment of an asset discovery solution across multiple teams, both time and human resources can be saved. Likewise, think of how much more resilient to attack an organization is if the internal teams are already used to working together, versus having to do that while under attack.

Breaking down silos is not only for your internal departments. Engage with your integrator or service provider specifically on maintenance services for cybersecurity, such as firmware updates, password rotations, and certificate management. Many of these functions can be done as a service (and better yet, remotely without having to roll a truck), and many integrators now offer managed services to relieve the burden of cyber hygiene.

In summary, the combination of clear multi-department cyber policies specific to IoT devices and the flexibility of managed services to perform the work can dramatically shrink your attack surface in a short amount of time. But it starts with reaching across departments and defining strategies that work for multiple teams, and a willingness to change from the current status quo. The saying “Teamwork makes the dream work” is exactly what is needed to win the race against threat actors and cyber chaos.

Bud Broomhead is CEO of Viakoo.