How to Bridge the Gap
The U.S. federal government had identified a vulnerability. It knew it needed to do more to address the potential threat of insiders and their access—both physically and electronically—to classified information.
So, in October 2011, U.S. President Barack Obama issued an executive order to require that all federal agencies that operate or access classified computer networks create insider threat detection and prevention programs. These programs would have to cover all users of classified computer networks, including contractors, to ensure that those networks were secure and protected.
“Our nation’s security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely,” Obama said in the order. “Computer networks have individual and common vulnerabilities that require coordinated decisions on risk management.”
Agencies and contractors were given several years to implement the executive order. And it would require the two sides of the security house, cyber and physical, to work together.
One company required to comply with the executive order is American Systems, where Matthew Hollandsworth, CPP, CISSP, director of corporate security, facilities, and safety, is the head of the insider threat program.
Hollandsworth worked with colleagues to create an insider threat committee with representation from security, IT security, human resources, finance, legal, and client-facing verticals of the business.
“An example would be if security got an adverse information report on somebody that’s going through a bankruptcy,” Hollandsworth explains. “That would get reported to the committee. That makes them more of a risk—they are short on money; that makes them more susceptible to being bribed.”
The committee then created a process to ensure that the threat would be shared with the appropriate stakeholders, such as finance to monitor corporate credit cards and expense reports and human resources for potential job performance complaints.
“It required several meetings of sitting down and developing these communications paths and these processes,” Hollandsworth adds.
One of the key partners in this initiative, however, was IT security, which could be alerted to a potential insider threat and monitor that person’s activity on the corporate network.
“We’ve had an example where IT identified an individual that had downloaded around 100 gigs of data, taken that, and put it on their personal thumb drive,” Hollandsworth says. “There was no reason for that, so IT let me know about it. And it turned out to be something innocent—this guy was just moving data from one computer to another—but that communication path was there. That process was there.”
While the program was created to meet a U.S. federal government requirement, it also shows the benefits organizations can reap in reducing risk when cyber and physical security teams work together to address it.
Traditionally, there has been a gap between cyber and physical security personnel in organizations. Physical security measures were already in place when computers and networks, which eventually spawned the IT and cybersecurity fields, were first invented.
And the personnel who filled these roles in organizations came from different backgrounds—cyber and IT often from technical backgrounds and college programs; physical security often with backgrounds in law enforcement, military, or government.
When he started working at a helpdesk at the Pentagon in 1998, Hollandsworth says that the IT and physical security teams were separate without much communication between the two.
“I think people saw IT security as kind of the new fad thing at the time; it wasn’t like it is today where one has a better understanding of it and can see the breaches that happen and the importance of it,” he adds. “And there was probably a bit of ego on the physical security side. ‘We’re the security people, you guys are just the computer people.’”
Dave Tyson, CPP, CISSP, CEO of CISO Insights, had a similar experience when he got his start in the profession as a security guard. His knowledge of cybersecurity was almost nonexistent prior to attending a luncheon in the mid-1990s where a speaker gave a presentation on the topic, one that for most, including Tyson, was indecipherable.
“We couldn’t imagine what digitization was—the filing cabinets not being relevant anymore,” Tyson says. “So, I said, ‘Hey, that doesn’t make sense to me. I need to know more.’”
Learning more about IT and the concepts behind it exposed Tyson’s frustrations in his own career in physical security at the time.
“I felt like I was doing the same thing over and over—getting a guard, getting a camera, trying to explain why our humans are better than someone else’s humans at reducing risk,” he says. “And it was frustrating because we really were not partnered with the business—the part of the organization that makes money.”
IT was connected to what the business was doing, Tyson explains. Those teams were building databases and interacting with customer information, creating real impact that would affect the company.
But Tyson says he could also see where physical security could play a role in what IT was doing, by posing basic security questions, including “What data is going across this network? Who decides who gets to look at it? Who decides who gets access to what?”
This spurred Tyson’s interest in converging physical and cyber into one conversation to address risk. One hurdle to this convergence, however, was the difference in professional jargon that cyber and physical teams use in the workplace.
“The hard part is, sometimes the message doesn’t get across because of all the terminology,” Tyson says. “The terminology, and how it’s explained, is more critical than what’s being said so people will engage and not tune it out.”
To help bridge this language barrier, Hollandsworth says that his teams have created a common lexicon so each side can understand the other.
“Developing a common lexicon for how they communicate with each other, like teaching the traditional security side what a root kit is, what spear phishing is, is important,” he explains. “And going the other direction with the IT side—what types of cameras work best in what type of lighting and how to process a background investigation for an individual—and getting them to understand the importance of that.”
One practical example of this was an instance where a company needed a computer system approved for use. The system required a documentation process, a certain type of configuration, and approval by the government before it could be used.
“Part of that documentation process was that we had to document the physical protections of the system,” Hollandsworth says. “So, is it in a secured area? What type of layered security do we have in place? All of that stuff.”
But the IT and physical security staff members working on the project were having trouble communicating with each other. The physical security employee did not understand why he had to provide this information to IT, and the IT staffer did not understand why security was not being cooperative.
“I sat down with the two of them and explained the need for both and tried to put some different language around what the IT security person was asking and what the traditional security person was asking to come up with common understanding and common terms,” Hollandsworth explains.
He told them to think of the computer system like the center of a bullseye with rings of protection around it that needed to be documented for approval of the system. Using this approach, they were able to have a successful dialogue centered around risk to the system—and ultimately the organization—that needed to be addressed.
“Risk is the common language between all sorts of security-esque organizations—whether it’s financial risk, legal risk, physical security, cyber, it really doesn’t matter—all of these things are about managing risk, and you do that effectively through the same process,” Tyson says.
Cyber and physical security are converging because of the changing way that organizations operate and implement technology. Physical protections—like cameras and access control systems—are running over corporate networks that need to be protected from intrusions looking to gain a foothold in the system.
“You have to have a physical security program, a personnel security program, an operations security program, and an information security program all working together to protect data,” says Hollandsworth.
For instance, when Tyson was at eBay, individuals would walk around the neighborhood and drop USB sticks or place fliers on employees’ windshields.
“People would take these things inside the office, and either plug the USB stick into the computer or look at the URL link on the flier that’s encouraging them to go to this website to win an iPhone. They would get infected with malware,” Tyson says. “Here we have a cyber threat against the organization using a physical device.”
To mitigate the threat, Tyson worked to educate his physical security leaders, who were responsible for monitoring camera systems and access to the environment, to detect who was leaving the malicious materials. He also worked with the cybersecurity team defending the network to ensure it had systems in place to defend against the malware and prevent it from being downloaded.
“All of those folks had to be working in harmony to protect that new risk that we had never seen before,” Tyson says.
Tyson also worked with physical and cybersecurity teams on detecting rogue wireless access points. Employees at the time were unhappy that corporate firewalls were blocking their access to certain websites and services. So, they would go out and buy the supplies to create their own Wi-Fi connection to the network—a violation of company policy.
“They were really easy to buy and really easy to plug in, but not so easy to find when your cybersecurity guy is sitting behind computers five buildings away,” Tyson says. “So, we trained the physical security team—the guards on general assignment—on what a wireless access point looks like, how it was used, and gave them a sniffer that beeped if you walked by and got a wireless signal.”
When they heard a beep, the guards were instructed to document where the device was and report it to the cybersecurity team. The next day, a cybersecurity staff member would go discuss the issue with the employee who had violated the policy and then remove the device.
“We found three of them in the first month,” Tyson says. “The marginal cost of this new security program to deal with this new risk was $80. And here we are detecting rogue wireless access points that are bypassing our firewall. And our guards are really happy because instead of just watching doors, they are actually solving business problems.”
While putting programs and processes in place so cyber and physical security work together to address risk is important, so is building relationships with individuals across team lines.
Tim McCreight, CPP, CISSP, CISA (Certified Information Systems Auditor), manager of corporate security—cyber—for the City of Calgary, says that creating the opportunity for open dialogue between security professionals was critical to his work at the corporate information security office for the government of Alberta.
He was an executive director in the CISO’s office at the time and reached out to others in security roles for the government for a monthly meeting that eventually turned into a weekly coffee meeting to keep everyone in the loop.
“One of the best things I can suggest is to toss your egos out the door,” McCreight says. “You’re there to protect your people, property, and information. You have to appreciate what other people bring to the table…you can’t be the physical security guy operating in a silo protecting your company. You need to collaborate.”
Tyson agrees, saying that regardless of the side of the house a security professional operates in, all security leaders need to remember that they are information workers.
“Other than maybe arresting a few people now and then, for the most part we’re paid to have conversations with people and relationships with people,” Tyson says.
“We interact with so many people every day, sometimes we forget that our work environment is based on a semi-social environment,” he adds. “The first step is get to know the people that you have to work with. Understand the problems that they face—what the biggest risks are to them. And ask what you can do to help them be more successful at reducing those risks.”
Megan Gates is senior editor at Security Management. Contact her at firstname.lastname@example.org or follow her on Twitter @mgngates.