Security Technology Executive

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 16 of 59

www. • September/October 2018 • SECURIT Y TECHNOLOGY E XECUTIVE 17 with PSIMs and incident management software. The progress over the past few years has delivered many benefits to users in the way of convenience and efficiency. For example, a person can go from street to secure office without ever touching a key or card. Using an app on their phone or facial recognition technology, they enter the building through a security revolving door or turnstile. An integration with the elevator system automatically brings a car to the lobby floor, opens the doors and whisks the employee to their floor. Once at their desk, if they have authority as a facility manager, they can log in to the building's HVAC system, make adjustments and read logs directly from their laptop/computer. While these capabilities are a powerful demon- stration of integration, they still fall short of full convergence with IT and OT systems. What is more concerning , today's IP-enabled and connected world has created new vul - nerabilities for organizations for which they are not yet prepared. This gap leaves organizations with a danger- ous shortfall when it comes to proactively identify and mitigating risk. The situation becomes even more clearly untenable when you consider that beyond direct risk to people, property and assets, there is virtually limitless exposure to liability – to the organization and to the C-suite itself – engendered by the lack of communication between those areas of business operations. To address these issues, a new set of converged standards is in development now; standards that apply to every industry, which will help companies holistically assess and improve their current risk pos- ture. Yet this is only one part of the solution. Traditional Business Risk Assessment – a Broken Paradigm Business risk assessment, separate from and not to be confused with business security risk assessment, has traditionally been handled by professional ser- vices firms. The goals of such an assessment could include finding new investors, evaluating potential liability or obtaining insurance. This is an assess- ment model which is top-down in nature; the anal- ysis is based on business activities such as profit- ability, retained earnings, personnel and workflows. Security itself is often not given any particular con- sideration in this model. Another key factor in traditional risk assessments is the application of compliance regulations and their oversight. Depending on the industry, there are many different regulations that must be followed, neces- sitating an additional layer of business operations. Since these regulations have been created to help reduce risk, some of them do cross over into the realm of physical and cyber security – yet that factor may not be specifically included in the assessment. Overall, the risk assessment done by a profession- al services company will be looking at governance, which can be defined as the collective management activities of all the diverse business operating units of an enterprise. The better the governance, the the- ory goes, the less risk and liability exposure there is to the organization. However, again, security is not typically a part of this assessment, and so it is left out of the governance overview as well. See figure 1. FIGURE 1: This risk funnel represents how Enterprise risk is managed and evaluated by professional services companies. The wide section at the top indicates all of the risk that must be managed and mitigated; the narrow section at the base represents a reduction in risk due to the application of governance. Security and the risks present from threats are typically evaluated topically without any converged, overall risk score. The final result of the assessment is typically a rating and a maturity level, which are then used to achieve the above-mentioned goals. Yet without the consideration of security practices relating to IT, OT and physical security, the rating and maturity level can only tell part of the story, particularly when it comes to liability. A company can still be vulnerable to security threats such as cyber hacking , theft, workplace

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - SEP-OCT 2018