The biggest challenges in dealing with the convergence of physical and cybersecurity are culture, language, perception and budget, according to Mark Weatherford, global information security strategist at Booking Holdings, who delivered the keynote speech at today’s Cyber: Secured Forum in Dallas.
Weatherford shared an anecdote from a few months ago, when he came to realize that “sometimes we get so wrapped up in technology and thinking about how we can solve the world’s problems that we don’t realize the issue is really about money.”
Weatherford said he sees some truth in an admittedly hyperbolic quote from Allan Schiffman, who said, “Amateurs study cryptography; professionals study economics.”
The adversary’s goals are about money, which is why the provenance of the supply chain is critically important. “Cybersecurity can now interrupt that supply chain in a variety of different ways,” Weatherford said.
Because organizations depend on a vast and complex supply chain ecosystem, the industry is facing a perfect storm in which the internet of things (IoT) is innovating faster than the speed of security. “Laws and law enforcement are limited, inconsistent and unenforced,” Weatherford said.
Despite the rapid pace of innovation, cybersecurity has no national boundaries and no international norms of behavior and is complicated further by the reality that everyone can have anonymous access to vast resources and information. Some companies still rely on 30- to 40-year-old protocols with little to no security.
“The security community hasn’t done ourselves any favors,” said Weatherford. “When a naïve user can take down an entire company by clicking on a bad link, face it, our security stinks.”
Still, businesses are integrating technologies faster than they can keep up with them. “There are three basic components that we always talk about: people, processes and technology. But it is harder to hire people and develop processes, so they buy technology,” said Weatherford.
The good news is, according to Weatherford, that the industry is starting to see a trend where companies that are spending money are having a positive effect on the security of their organizations. Still, insider threats remain the number-one vector into companies today.
“Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises. Both are integral parts of any coherent risk management program,” Weatherford said.
The value proposition in convergence is that it helps eliminate silos, provides situational awareness and more unified and strategic security governance, eliminates duplicate processes, allows for more distributed resources and guides strategic planning, Weatherford said.