A review of the ‘SRI Cyber crime and the role of Private Security report’ (SRI 2016 report) from a converged perspective by James Willison, Founder, Unified Security Ltd and Vice Chair of the ASIS European Convergence/ESRM committee 

James Willison, Founder, Unified Security Ltd, was delighted and privileged to work closely with Professor Martin Gill on this survey (https://perpetuityresearch.com/2559/sri-2016-tackling-cyber-crime-the-role-of-private-security/). Martin has, as ever, ensured that the topic has been researched extensively and it is the result of discussions which took place over a year of detailed debate amongst security professionals from leading companies and associations across the physical and cyber security industry. We need to do something soon as 88% think their organisation is poor at preventing cyber crime. Martin writes, “We are especially fortunate in being able to draw upon the advice and support of other experts. James Willison was interested in the study from the start and his expertise in all matters relating to convergence and Enterprise Security Risk Management was invaluable. We are extremely grateful to him. So too all his colleagues on the ASIS European Convergence/ESRM committee for their interest and support especially the Chair Volker Wagner”.

The background research indicated that “There is considerable (and often unrecognised) overlap between good cyber security and good overall security” (p7). This is an important foundation on which the report builds, indicating that there are important interactions between cyber and physical security. These are not always recognised or understood; the increasing connectivity of devices to networks, for example, means it can be very difficult to ensure the cyber security of physical systems such as IP video and access control. What is crucial is that we think more strategically about how to manage these overlaps to produce good security.

So what are the positive highlights for physical security? 65% do want to be involved in cyber security, although only 44% of their colleagues in cyber want their involvement (p 8). As Symantec has recently demonstrated, there are some forward-thinking companies who actively encourage all staff to develop their cyber security skills and hire from their manned security teams. (https://www.cio.com.au/article/605860/we-just-call-it-security-symantec-global-cso-merging-cyber-physical-employee-security/)

Whilst the figure of 44% is less than half, it does mean there is hope! Why do I say that? Well, the key finding comes next. 56% believe that a single security team led by a CSO, CISO or other function is the best security strategy, with only 38% now thinking the physical and information/cyber security teams should be separate. This has to be seen as a major shift in thinking, and when the question is put to people in this way, “What is the best strategy?”, the answer is really positive even though only 27% currently operate a single team (p44). The report indicates that there are factors behind this new attitude. The World Economic Forum, NIST and ASIS/ISACA/ISC(2) (p 46) have identified that risk management is often conducted in silos, but they all recommend a holistic, collaborative approach because cyber security now impacts all areas of risk. Unless there is real cyber-physical management, the “trustworthiness” (NIST CPS PWG) of systems will not be realised and there will inevitably be a disaster, especially in the realm of the Internet of Things, whether that be in a SMART City or the Critical National Infrastructure.

The last point in the Executive Summary on convergence is really very important and we are extremely grateful to Martin for highlighting it. Perpetuity recognise that “More research is needed to translate theory into practice and understand the different models/approaches of convergence and the associated pros and cons of each” (p 9). This is indeed the case. Whilst ASIS International continues to develop its global ESRM strategy this year (https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/Pages/ESRM-An-Enduring-Security-Risk-Model.aspx), and several of us have been involved in developing models/approaches, we would really appreciate it if you got in contact if this is something your organisation would be interested in.

In the introduction Martin outlines the seriousness of cyber crime, its impact and consequences for the business and some typical responses. Enterprise Security Risk Management (ESRM) and the role of convergence are discussed as strategies and he states, 

“Given the relatively high ‘insider’ risk noted above, whether intentional, or inadvertent, there is clear merit in the different security elements, and most often the whole workforce unifying to tackle the threat, albeit that this is commonly not the practice” (p 20).

In essence it is this unity which is at the heart of convergence and ESRM, although, as the survey later indicates, it seems only 27% currently operate in a single team. ESRM, of course, develops a collaborative and holistic process across departments which enables the identification of blended cyber-physical threats, and is arguably more widespread. But the ‘insider risk’ clearly does present an opportunity for a unified strategy in prevention, identification and response, whether that is through staff or technology. Hence we encourage you to think through how this might be achieved.