December, 2020 (page 9)

THE ATTACKER ONLY HAS TO BE RIGHT ONCE; THE DEFENDER HAS TO BE RIGHT 100% OF THE TIME

There are also a myriad of complexities to navigate. In some organisations, physical security may be deemed entirely the remit of other teams (or entire companies) outside of the Information Security team; in these organisations, any member of the Information Security team (or anyone wearing this hat) might be politely told that these issues are none of their concern. In other organisations, there may not even be the barest notion of a person keeping an eye on the front desk of the office building (if you even have a front desk); in such organisations, the problem of unauthenticated couriers, service and trades personnel, or even members of the general public passing through completely unchecked might be met with a casual and apathetic shrug of the shoulders.

The reality is that the CISO must exude visibility over, if not have a direct hand in the management of, physical security. That is why physical security considerations form a key component of auditable frameworks and standards like ISO 27001/2, SOC 2 and PCI DSS. It is also a great area to draw on when articulating the difference between Information Security and IT Security.

So physical security matters. What then do we do about it? Well, like many things, there isn't a one-size-fits-all answer to this. What to do about it matters less than how you go about it, and for that, it helps to bear in mind three key principles to help you determine the best outcome you can achieve for your organisation.

1. Get the mandate or get them to live with it

It doesn't matter how smart you get with this: if you haven't got the mandate from the highest levels, then you either need to get it from them or pin them with ownership of that risk. It's as simple as that. To do that, try following my 2-step rule with risk management:

1) Is the person in front of you the right person to make the decision? If not, go one step higher.
2) Do they understand the risk? If not, go one step higher.

If it is the right person and they do understand it, job done. Go home and sleep at night.

2. Define "normal"

Any good incident handler will tell you that the critical element to detecting a breach is to know what normal looks like. Your aim is similar to the SWAT team mantra: "bring order to chaos". The point of your controls is not to prevent everything but to define buckets of normal everywhere and make sure people are operating within them, so that you can clearly see (detect) the unusual, starting with the outliers. It's not about prevention, it's about minimisation, and this is one way to achieve that.

3. Assume the worst and get on with it

This principle is useful when meeting resistance over a given proposed control. It resonates with the well-espoused industry catch cries "you're already hacked" and (particularly in law enforcement circles) "if someone wants to get in, they'll get in". It's not an absolution to give up, but rather the realisation that no control unto itself will do the job. Only a totality of controls will win the day, so get on with this one.

Remember: you may be the last line of defence. If you aren't losing sleep about an uncontrolled risk, then no one else is, and this holds especially true of physical security.

Harley Aw