Whether these strategies are designed to align an organisation’s electronic and cyber security operations, or merge the two into one department, there are many challenging decisions to be made to ensure the two disciplines are operating in concert.
At Telstra’s recent Security Forums hosted in Melbourne and Sydney, Director of Global Security Solutions Neil Campbell sat down with Darren Kane, CSO for nbn, and John Fleming, the General Manager of the Australian Security Industry Association Limited (ASIAL), to discuss how organisations are managing the convergence.
The case for convergence
“It’s such a complex world out there,” said Fleming, “I don’t believe you can have physical security on one side and IT security on the other, acting like there’s no common ground between them. Organisations are recognising that their risk profile is too high to operate with a silo mentality”.
“I think all of us who know anything about security will agree that with the enmeshing of technology into traditional security it's almost hopelessly difficult to separate out what is cyber information security traditionally and traditional security,” agreed Kane.
“For me, convergence is quite simply a matter of having a single point of accountability for the word security in an organisation. If people have split accountabilities then the actual security risk is splintered, so from my perspective if you want to give me the authority to actually own an incident, you must give me the control leading up to it so that I can be proactive around the measures in place,” explained Kane.
Physical devices like IP surveillance cameras and smart building IoT devices are producing large amounts of data, so it’s important to consider who will have access to it and how it will be securely stored.
“For example,” said Fleming, “we need to have some rules around how facial recognition data from cameras is used, where the data and analytics reside, and who's got access to it.”
The Telstra Security Report 2018 found that 84 per cent of Australian businesses are considering, trialling or have already implemented new systems to manage the convergence of cyber and electronic security.
How to bring people together
As the two fields align, it’s important to consider more than just revisions to your organisational chart – there are often significant cultural differences between electronic and cyber security that need to be addressed.
“There's the language that the IT guys use and there's the language that the physical security guys use,” explained Kane, “so there needs to be some learning on both sides so they understand what the mission is, the critical mission going forward so they're both capable of doing that”.
“You've got two very different types of people, but it all comes down to being a professional leader and manager. And we can talk technology, technology platforms, and we talk armed guards, but the point is they're all people and it's just like a CEO doesn't necessarily have to be an HR expert or a CFO or a COO, but can be the CEO.”
“A CSO is somebody who now has to manage people from different backgrounds, cultures and capabilities. At the end of the day, it's just a group of people who are very good at security”.