I have to hand it to NPR. They had correspondent Tom Gjelten -- their security and economics correspondent -- tackle the issue of cybersecurity for corporations this week, and he did a great job. If you don't listen to NPR (maybe you like the banter of DJs in the morning more than the voices of NPR Morning Edition hosts Renee Montagne, Steve Inskeep and David Greene), you can still get on-demand access to these solid stories on cyber-crime.
Gjelten's three cyber-security stories absolutely worth reading & listening to:
- Cybersecurity Firms Ditch Defense, Learn To 'Hunt'
- Bill Would Have Businesses Foot Cost Of Cyberwar
- Cyber Briefings 'Scare The Bejeezus' Out Of CEOs
Look, I get it -- many of you are selling cameras, managing guard forces, enrolling your employees in the card access system, installing motion detectors. But here's the kicker -- the new breed of security is steadily moving toward cybersecurity. Today's corporate espionage criminals aren't going to break into Boeing in the middle of the night and wander around with flashlights looking for the file cabinets with the plans for the Dreamliner. They are going to sit in the comfort of their home or office and hack away at the servers where that data is stored. They're going to try to infiltrate the employee pool with people who can digitally steal that data while they're inside the doors of the building collecting a salary. Certainly, I'm not arguing that we just give up on our physical security. Not at all -- we need not only to protect those digital assets through cyber security, but equally to protect our workers and customers -- the humanity for which those digital assets were created.
I still think it's odd that 10 years after the "convergence" train arrived at the station, we're still walking into the industry's big corporate security show and seeing it dedicated to "gates, guns and guards" and "cameras, cards and controllers." Yes, I know there now is some co-location with an IT security show. We've taken a step in the right direction, but physical security and cyber security for information protection are not walking hand in hand yet. The reality is that our industry took convergence to mean converging the "cameras, cards and controllers" onto the same IP network infrastructure as the corporate email and servers. And that's great, but it's not convergence of risk management -- it's just device convergence (and the security of many of these devices is still pretty suspect according to one cyber security consultant I know).
So, our industry needs to follow where the threats go: Trend Micro forecasted 2012 to see an increase in cyber espionage (generally, it's coming from China, which tells me we're at war -- China isn't sending the Red Army planes; they're sending bursts of code). I still rarely see service companies that can do both cybersecurity and physical security. There is the occasional risk assessment firm that has both physical security analysts and cyber security analysts, but even those folks are most likely to be tasked to identify the problem, not actually fix the problem.
Specialization is good; I get that. We don't hire general plumbers to put in geothermal heating systems. But why are we calling ourselves security firms or security departments if all we do is man guard posts, check cards, install cameras?
We've made this change in our magazine Security Technology Executive steadily over the years. At this point, a high percentage of the readership is now IT directors who are making decisions both about physical security solutions (IP cameras and the like) as well as the organizations' IT risks. Ray Bernard, in promoting his GSO 2015 event (June 12-13 in Sunnyvale, Calif.), quotes a traditional physical security professional who says he's still in the driver's seat but that he's lost the steering wheel and the gas pedal. Guess what -- that's because solely approaching an organization's physical security isn't enough. The steering wheel and gas pedal are being owned by IT. Some integrators get that. The ones that I think are positioned for greatest success are those that are offering IT services in addition to fire, security access and intrusion. Our industry is starting to change, and as we recognize the importance of cybersecurity in addition to things like the pixels on target.