Balancing Investments in Cybersecurity and Physical Security
This article is the second in a four-part series as a follow up to our sponsored webinar in partnership with ASIS titled “How the Prove the Value of Corporate Security Investments”. Tim McCreight contributed to this article. Read Part 1. Read Part 3. Read Part 4.
As technology improves and additional innovations in AI and the Internet of Things continue to become increasingly advanced, it’s no surprise that organizations have been putting an emphasis on investing in cybersecurity. However, that can make building a case for physical security improvements much more difficult. What many businesses sometimes overlook is that these two types of security are tied very closely together, and any effective security program should be created to address risks of both types.
Finding the overlap between IT security and physical security
The first step is to look at risks in your organization’s security program from a collaborative perspective. Risk assessments should be conducted for IT security and physical security because if you only look at controls from one perspective, there is a lost opportunity to view risks from an enterprise perspective. This allows teams to tie related risks to the same control.
There are instances in which physical security attacks can result in a cybersecurity breach. An example of this type of hybrid attack is if someone breaks into an office and plants an infected USB drive into a computer on your organization’s server. In another example, an attacker can hack into an internet-connected security camera, allowing them to delete security footage of a break-in.
What to do when upper management thinks differently
Sometimes it may seem like when leadership has a background in either IT security or physical security that they are hesitant to accept suggestions that are focused on the other. This isn’t always the case. Most senior management teams are open to ideas regardless of the type of security. Recently, the trend in the security industry is to focus on risk as a whole, rather than trying to distinguish between whether the risk belongs to cybersecurity or physical security.
The key is to have strategic project plans prepared for two situations: when additional funding becomes available, or when a high-profile event is in the news. Usually, these are the types of events that cause leadership to notice that your organization may have a gap in your security program. This sense of urgency may help your team obtain more budget for an investment in corporate security – as long as the event that occurs is relevant to your organization and your team is able to put the right controls in place to protect against the threat.
Justifying investments in new security technology
A simple way to justify new investments is to tie risks to new requirements and regulations. From an IT security perspective, there are always new requirements as set out by the government that organizations need to adhere to, such as new OSFI incident reporting requirements, PIPEDA legislation, and even GDPR.
While meeting legal requirements is a great way to help reduce risk, you also don’t want to make your entire security program an exercise in compliance. The goal is to be a proactive security team, not a reactive one. You should be thinking about compliance in collaboration with other risk assessments and linkages to business objectives.
But what if the budget for the year is already set and your team requires more than what is available? If you look at the enterprise aspect, the work you do to integrate security controls for the organization directly impacts the level of risk facing the enterprise. Frame your business case around how you can help the security department decrease certain risks by putting in new technology. A successful project means the security department should be able to show risk reductions in different areas. An example might be protecting areas by implementing a card access system, which restricts access to the area and reduces potential thefts or harm to employees.
Ensuring you get the budget your team needs
If you’re a security professional who is looking to build a business case for a new investment in corporate security, check out our free guide and accompanying free business case template. We’ll walk you through the necessary steps to help you ask the tough questions and paint a picture for leadership to get executive buy-in you need for additional funding.