Considering All Facets of Security
By Alon S. Moritz
As organizations attempt to better manage risk, it is becoming increasingly difficult for management to identify the methods they should use to protect their organization’s key assets. Protecting key assets is a critical charge for any organization, yet identifying them tends to be an arduous process. The larger the organization and the greater the number of geographic locations, the more individuals are involved in the identification process, making consensus a difficult task. To gain a better understanding of risk management considerations, we need to look at the corporate structure and the priority given to security in today’s hostile security environment.
Organizations are struggling to keep up with the new “multi thread / multi threat” world. Access control issues of the modern-day company cross two domains of security -- cyber and physical security. To address an organization’s vulnerabilities in light of this new environment, the cyber and physical security domains must converge. As such, the Chief Security Officer (CSO) has become a critical position in organizations, yet most large companies have not designated someone for the role. Further, many companies have not made the transition to synthesize cyber and physical security, a mistake that may result in far-reaching system infiltration and serious losses.
With so much at stake, it is imperative that these risks be analyzed and tracked; connecting them to the specific security threats they enable is equally important. Most large organizations have already faced cyber, physical and business-related irregularities. Today, these threats increasingly appear in combination, creating a multifaceted risk area that encompasses all three factors.
Identifying Risk Areas
Efficiency is what we all strive for in business, yet this premise alone can create greater threat areas by exposing formerly closed, protected areas. A good example of this is providing customers with interactive web services for customer support -- an element once provided by a human in a live interaction through a call center or a physical meeting at an office or store. Trimming customer care costs has turned legacy systems (that were once situated outside the public domain) into the backbone that provides service to the general public.
Considering the critical need for cost-effective decision making, assembling a multidisciplinary team (which includes security experts with strong business skills) is a primary step in mitigating an organization’s cyber, physical and business vulnerabilities and risks. Security experts who have a firm grip on the business model are key figures in driving protection and identifying the risks that accompany the process.
As an additional catalyst, litigation and regulatory factors have emerged as predominant forces behind risk management processes. Sarbanes-Oxley, the Gramm-Leach-Bliley Act and HIPAA are regulations that ensure proper use of organizational assets, including data. Data ownership and management conduct within the organization have become focal points of the monitoring process. These regulations resulted from criminal events in recent years (such as Enron and WorldCom) in which system loopholes were clearly exploited. From these cases, it is apparent that protecting an organization by ensuring that checklists are in place is important, but it is not the full solution.
Many prominent and profitable privately held businesses have opted not to become public, mainly due to the cost and difficulties involved in regulation. A proactive approach and a consistent methodology may be the solution to minimizing risk in daily decision making. A mature and well-rounded system analyzes, initiates and manages current and future projects, as well as irregular projects such as changing procedures and policies to meet a large client’s procurement flow. The key elements of risk, on both a business and an operational level, must be considered and dealt with in advance.
Using the Organization’s Strengths To Defend Its Weaknesses
The identification and benchmarking process should begin at the development stage and continue through the execution phase. Recognizing risk factors does not always mean taking action. However, being aware of a weakness allows for vigilance and future planning. For example, an organization on a limited budget aiming to create an e-commerce system that makes the legacy system available to the entire sales chain (clients, employees and suppliers) may start the process using a non-real-time system that requires fewer security measures. This does not mean that there are no risks involved; however, solid planning allows the organization to attain its goal of lowering costs while creating a robust and secure system that can easily be upgraded into a real-time system. Certainly a solution of this nature requires both a short- and a long-term plan to mitigate risk.
In planning ahead for the coming years, it is imperative that the management team create sound structures to provide a solid base for future endeavors. As in physical construction, foundations must be strong and solid. These decisions should be derived from one particular school of thought that will allow seamless modular growth. For example, it is a common misconception that standardizing on one particular vendor is by itself a sound decision. Management must consider the organization’s needs in all its geographic locations and only then settle on a direction.
What this boils down to is being vendor agnostic. A good example of this concept might be running Windows for access control of the computer system with a Microsoft SQL Server database, while running a Linux-based solution with a MySQL database for physical access. Cross-referencing these different systems using connectors would be costly and unnecessary. A more cost-effective solution might be to choose a common platform on which cross-referencing is a single common query that correlates events from both domains. This mistake usually occurs when cyber and physical security decisions are made independently of each other.
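The correlation the paragraph describes, as an added example that is not from the article or the author's company: both the logical (login) and physical (badge) access-control systems write to one store, and a single query cross-references them. Here SQLite stands in for the common platform, the two table layouts and the sample events are constructed for the example, and the one-hour look-back window is an assumed tuning value. The query flags on-site logins with no badge-in by the same user shortly before, which is the kind of cross-domain inconsistency neither system can see on its own.

```python
import sqlite3

# Constructed sample data (not from the article): badge reads from the physical
# access-control system and workstation logins from the logical one.
BADGE_EVENTS = [
    # (user, door, timestamp)
    ("alice", "HQ-lobby", "2024-03-04 08:02:00"),
    ("bob",   "HQ-lobby", "2024-03-04 08:10:00"),
]

LOGIN_EVENTS = [
    # (user, host, site, timestamp)
    ("alice", "ws-017", "HQ", "2024-03-04 08:05:00"),  # badged in 3 min earlier: consistent
    ("bob",   "ws-042", "HQ", "2024-03-04 07:50:00"),  # login 20 min BEFORE the badge read
    ("carol", "ws-033", "HQ", "2024-03-04 09:15:00"),  # no badge read at all that day
]


def load(conn):
    """Create the two event tables (assumed layout) and load the sample rows."""
    conn.executescript("""
        CREATE TABLE badge_events(user TEXT, door TEXT, ts TEXT);
        CREATE TABLE login_events(user TEXT, host TEXT, site TEXT, ts TEXT);
    """)
    conn.executemany("INSERT INTO badge_events VALUES (?, ?, ?)", BADGE_EVENTS)
    conn.executemany("INSERT INTO login_events VALUES (?, ?, ?, ?)", LOGIN_EVENTS)


# The common query: an on-site login is suspicious when the same user produced
# no badge read at that site in the window ending at the login time.
# Timestamps use ISO 'YYYY-MM-DD HH:MM:SS' so string comparison orders correctly,
# and SQLite's datetime(ts, '-N minutes') computes the window's lower bound.
QUERY = """
SELECT l.user, l.host, l.ts
FROM login_events AS l
WHERE l.site = 'HQ'
  AND NOT EXISTS (
      SELECT 1
      FROM badge_events AS b
      WHERE b.user = l.user
        AND b.door LIKE 'HQ-%'
        AND b.ts <= l.ts
        AND b.ts >= datetime(l.ts, ?)
  )
ORDER BY l.ts
"""


def logins_without_badge(window_minutes=60):
    """Return (user, host, ts) rows for HQ logins lacking a recent badge-in."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    rows = conn.execute(QUERY, (f"-{window_minutes} minutes",)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for user, host, ts in logins_without_badge():
        print(f"{ts}  {user:6s} logged in on {host} with no badge-in in the last hour")
```

Run as-is it reports bob (logged in before badging in) and carol (never badged in), while alice's consistent sequence is silent. Because both feeds live in one store, the same query also generalizes to the reverse check (badge-in with no login) or to a per-site window, without any connector between vendor systems.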
These issues may create security vulnerabilities that are costly to address after they have been implemented. Taking these issues into account when planning the system would be more cost-effective.
Security is not an autonomous solution, nor is it a mechanism that can be bolted on after the fact. Security is an integral part of the organization’s foundation and needs to evolve with the organization’s needs and business plans.
To effectively protect an organization in today’s environment, management must consider all facets of security (cyber, physical and human engineering) simultaneously. Ignoring any of these security domains may lead to costly and irreparable losses.
About the Author
Alon Moritz is the founder and CEO of Moozatech, Inc. The company’s model combines the technical needs with physical security all in the name of protecting core assets.