Everyone has a favorite spy movie. I admit to a particular fondness for the Bond franchise, even though most people can probably forecast the storyline without ever actually seeing any specific movie. There is a specific piece of that trope that completely speaks to the relationship between cybersecurity and physical security. In all spy movies, someone knows something that can make, or break “the world as we know it”. The entire movie is usually about the efforts of someone to acquire that secret and get it into their team’s hands; and while they’re at it, a few explosions, some high speed car chases, and people living the flashy high life are standard fare. Somehow, there really isn’t any computer that causes the invading team to even need a coffee break. In fact, the hardest part of the movie is usually how they get physical access to the building.
That particular bit of Hollywood fun mirrors an aspect of real life. If the bad guys can get their hands on your computers; they will (eventually) own everything on them. This means that to some degree, the success of your information security department is dependent on the success of your physical security department.
Some of this is pretty obvious. If you have a ton of loose laptops lying around your office; and you neither prohibit random people from wandering around your facilities, nor your employees from securing those laptops in some sort of physical way; the odds of theft are much higher. The next layer is something like if the laptop has a biometric scanner on it; which is supposed to slow down casual information security theft as well. How much of that theft is for Intellectual Property is something you’ll never know. The same is true for your servers – if you don’t prevent people from wandering in with USB sticks or other portable media and physically interfacing with your data; you probably have cybersecurity issues.
Other elements of the relationship between physical and cyber security are less obvious. A specific example is that physical security / facilities teams are more likely to know local law enforcement, both people and processes. They may have better case tracking than your logical security teams. If you do have some sort of access control to your facility; odds are good that you are using a badge / or swipe card – which ties to the employee ID that is used when they work on the computers in your organization. When you think about my random laptop theft scenario, the case would have required the inputs and support of both departments – you might have video of the person who did the theft entering the building, and accessing the laptop; and a log of what data was accessed either on the laptop or on a server in your organization.
This interrelationship is not a new thing; and over 2011 and the first quarter of 2012 it’s been in the news that companies are evaluating or pursuing organizational shifts to support those teams sharing a common org structure. Depending on the scale of the company; and it’s vertical this can be convergence of fraud departments, physical security departments, information and logical security departments. The specific benefits being identified start with the ability to cross train; across departments that in many cases were previously unable to have backfill capacity. In addition, once the cross training takes effect, there is an increase in effectiveness for investigations; and ultimately it’s a cost savings as well.