By George Dionisopoulos, Head of Security
Security teams play many roles in their organisations. First and foremost, we’re the frontline sentries protecting our people, data and operations from attacks and accidental breaches.
Lately I’ve also been thinking we’re a little bit like builders and carpenters, too. We build and tinker with our internal and external environment daily to ensure it’s in the best possible state to sustain the organisation for the long-term. And that doesn’t just mean the doors, walls and other barriers to the outside world – every single item within the house must be reinforced, protected and maintained. This is never a “set and forget” process, because the world around us changes on a daily basis.
It is a bit like painting Sydney Harbour Bridge. When you get to the end of the process, you go back and start again. The maintenance never ends.
It’s a tough job, simply because there are so many facets to it. And the more we hear about cyberattacks in the public domain, the greater the pressure becomes to protect the organisation at all costs. And so it should. The immediate fallout of cybersecurity breaches is well-documented, and potential repercussions keep many of us awake at night.
The average cost of a data breach has reached US$4.35 million, according to research by IBM, and that’s not even considering the possibilities associated with long-term brand reputational damage and loss of stakeholder confidence.
Bringing balance to security risk management
Lately many of our customer contacts who are involved in organisational risk management report they are being asked about cybersecurity planning on a near daily basis. This is a positive step forward, considering that even just a few years ago, there was little appetite for it.
However, this keen focus on cyber can actually be detrimental to the broader security risk management portfolio in the longer term. Why? Because it’s going to affect the balance. Just like a builder or carpenter, as security professionals, we need to be obsessed with balance and symmetry in our work – or risk disaster.
The four pillars of Security Risk Management
When it comes to digital infrastructure, I think of a balanced security risk management portfolio as being a bit like a beautifully crafted chair. It sits solidly on four legs of equal length and width, to balance the load above it:
1st Leg (Cybersecurity): Effective management of the various networks related to critical digital infrastructure, which generally means keeping them functionally separate (to avoid the risk of a bad actor accessing multiple systems in one maneuver), but integrated for usability and operational purposes.
2nd Leg (Physical Security): The physical environment in which your infrastructure is housed is critical. This is not only about overall surveillance and security systems – small details matter, as do the brand names on the box. How confident are you that every part of every piece of equipment in each of your facilities is guaranteed “secure” to Australian standards?
3rd Leg (Personnel): Never underestimate the “insider risk” – whether intentional or unintentional, your own people are likely to be responsible for the vast majority of security lapses. This risk can only be mitigated with a comprehensive program of training and education, coupled with extensive background checks of anyone who has access to the facility.
4th Leg: (Supply Chain): Have you factored in the potential for disruptions from your supply chain, whether through force majeure, accidents or malicious acts? Have you vetted personnel right down the supply chain, and can you ensure all equipment is installed as specified – no matter how far removed from your core operations?
The All-Hazards Approach
Many risks fall across more than one category, which highlights the need to take an integrated approach. For example, if you have a sub-contractor who is looking to gain access to restricted parts of your facility to wreak havoc, you have a three-pronged risk: personnel, physical and supply chain. The risk needs to be mitigated accordingly from all three directions.
Some refer to this as an “all hazards” approach. Whatever you call it, the intent is the same: create a balanced and even distributed base, so you’ll have a more resilient overall security posture that will be able to hold up, whatever weight comes down on it.
On the other hand, if you focus on one it will come at the expense of the others and disturb the balance. Unfortunately, that is the path upon which we’re seeing some organisations embark, with their current laser-like focus on cybersecurity. Don’t let yours be one of them.
Let’s fix the wobbly chair together
As our physical and cyber security environments continue to merge, creating a balanced approach to security risk management of digital infrastructure requires strategic thinking and partnerships. NEXTDC can help you take a more holistic approach to keeping your critical infrastructure secure, while reducing the costs and complexity along the way.
Reach out to NEXTDC if you would like to find out more about securing your critical digital infrastructure.