A very interesting question came my way recently from a security practitioner who had suddenly been hearing a new term used by a number of people all in the same week. Someone had recommended that he upgrade his security systems to establish a sound security infrastructure.
Q: What is a security infrastructure? Don’t I already have one?
This question caught my attention, because I have seen the term infrastructure being used more and more in differing ways, to the point where I was not sure exactly what it meant any more. I have never had a crystal-clear definition of the term, and I am a fan of clear, concise definitions because they facilitate clear thinking, sound analysis and sound planning. It turns out that many have been asking, “What does infrastructure mean?” Most often this question has been asked in the context of homeland security: “What is critical infrastructure?” A succession of federal government reports, laws and executive orders have refined, and generally expanded the number of infrastructure sectors and the types of assets considered to be “critical” for purposes of homeland security. As uncertainty continued to develop around this term, the Congressional Research Service developed a valuable 19-page report that is easy to read. Its title conveys its purpose: Critical Infrastructure and Key Assets: Definition and Identification (Web-search it).
Since one of the first steps in the risk management process is to identify and put a value on the key assets of an organization, it certainly helps to have a very clear idea of what that means in the particular sector, area or business that you are working in.
For purposes of answering the reader’s question above, I wanted to go further than the Congressional Research Service report, because the term infrastructure is used much more widely than just for national critical infrastructure. Cabling infrastructure and network infrastructure are the two terms I have heard most often, and I know one can be part of the other. In particular, I wanted to achieve a fundamental understanding of the term infrastructure, so that I can differentiate when it is used correctly (such as in security assessments or system design) and when it is being used inappropriately just for the sake of impressing people (such as in a sales pitch or a buzzword-filled presentation).
Specifically, I wanted to know if there really is such a thing as a security infrastructure or security systems infrastructure, and what value the use of the term might provide. One definition of infrastructure that people often apply loosely is “an underlying base or foundation especially for an organization or system.” But is there any value to calling an organization’s security function “infrastructure?” A good security function is not only well-aligned with the business, but is also integrated into its decision and planning processes. To my thinking, calling it “security infrastructure” doesn’t quite seem to make sense. What about the term “security systems infrastructure?”
Wikipedia explains that the word was imported from French, where it means subgrade, the native material underneath a constructed pavement or railway. The word is a combination of the Latin prefix “infra,” meaning “below” and “structure.” That definitely applies to terms like cabling infrastructure. After studying a number of definitions and explanations of infrastructure, I developed a definition that is an accurate security description:
A physical security systems infrastructure is a network of electronic security systems and devices that is configured, operated, maintained and enhanced to provide security functions and services (such as operational and emergency communications and notification, intrusion detection, physical access control, video surveillance, visitor management, officer patrol tour management and security administration) to achieve specific risk mitigation objectives.
A more concise version would be: A managed network of electronic security systems and devices providing security functions and services in accordance with a risk management strategy.
The shorter definition assumes that the reader knows the full meaning of “managed network,” and has a good idea of the kinds of security systems that would be used. And this illustrates one problem with attempting any single-sentence definition: meaning and value of any particular definition depends on what knowledge its reader already has.
With regard to infrastructure definitions, it would take a page or two to fully take into account the other attributes implied by the use of the word infrastructure. From an engineering perspective, the system is intended to be maintained at a specified standard of service by the continuing replacement and upgrade of its components. This, of course, fits the picture that as risks evolve and as technology evolves, so should the deployment of security systems to optimize its risk mitigation. There is also a financial perspective that evaluates infrastructure from an investment perspective, including its present value and expected continuing return on investment compared to future alternatives.
Both the engineering and the financial perspectives imply active responsibilities; thus, it behooves a security manager to obtain a good conceptual understanding of the various attributes that further define an infrastructure. We determine the value of our physical security systems infrastructure not just by how we design it, but by how we define it and manage it as a supportive element within our organization.