
The concerning cyber-physical security disconnect


COMMENTARY: With the rise of hybrid conflicts comes a renewed awareness of physical security among cybersecurity professionals. However, the two disciplines rarely work well together. This is likely due to the fact that both come with different mindsets and assumptions, making it harder for concepts to transfer from one discipline to the other.

Bridging this gap would improve overall security and enable enterprises to be resilient against hybrid threats.

Two mindsets

As physical security has been around for much longer than cybersecurity, one could assume that it has to be much more mature.

In reality, centuries of physical security haven’t changed the core concepts. You put a wall around the thing you want to secure, lock the doors, add some guards and detection systems, and you’ve got yourself a secured location. That’s how you secure a medieval castle and a data center. There has been a lot of innovation in the individual components, but the core concepts remain unchanged.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Cybersecurity is not even close to completing its first century, and the pace of innovation has been incredible. For authentication alone, we have seen passwords, multi-factor authentication (MFA), single sign-on (SSO), and biometrics, and are now moving towards passkeys. The innovation has been rapid and has also changed the underlying concepts.

Now, these differences are not much of a surprise considering that the whole IT industry has changed much more rapidly than any other industry and the threats to its assets are ever evolving. This and a mindset that is used to innovation are driving cybersecurity to constantly reinvent itself.

The background of many physical security professionals is in military and law enforcement, which change much more slowly, but are known for extensive training. The nature of the threats they need to defend against is evolving at a slower pace, and destructive, kinetic threats remain a primary concern.

This influences their perspective on security.


This leaves us with two mindsets when it comes to physical and cybersecurity.

The focus of cybersecurity is much more on the insides of an organization. Detection is supposed to catch attackers lurking on compromised devices. Response activities have to consider the entire infrastructure rather than individual hosts. Security measures are spread out across the network, taking a defense-in-depth approach.

Physical security is much more outward looking, trying to prevent threats from entering. Detection systems exist within premises, but focus on the outer layers. Response activities are focused on evicting individual threats or denying their access. The majority of security efforts focuses on the perimeter.

The gap between the disciplines

Although both disciplines have distinctive mindsets, they undeniably influence each other. Even in the age of cloud and software-as-a-service (SaaS), IT assets have physical footprints, be it the server hosting them, the media containing backups, or simply the devices used to access these assets.

Today, physical security is largely handled by IT devices. This includes CCTV, electronic access control, building automation and alarm systems. If these devices do not follow proper cybersecurity principles, the physical security of the assets they protect will be compromised. Knowing that they are intertwined should stimulate a lively exchange between the two.

Sadly, reality is different.

Companies often handle both topics in different teams. Conferences and publications may feature both topics, but often focus on one and rarely address their interdependence. Security assessments like pentests and red team exercises sometimes include a physical component that tends to focus on social engineering without involving deep physical security expertise.

Overall, the mindsets seem to be incompatible. Cybersecurity people call for interconnected, AI-powered detection capabilities, whereas physical security professionals have to find solutions with a 20-year lifespan and resistance to explosions. This results in a situation that hinders the exchange of knowledge and leaves organizations with real security vulnerabilities.

Bridging the gap

After all, security is in itself neither physical nor cyber. Security exists to prevent risks from materializing. Risks, especially in the form of human threat actors, will always look for the easiest way to materialize. Therefore, they will attack physical assets via their digital components and vice versa, if these flanks are not protected.

Aside from this, both disciplines have valuable lessons to offer to their counterpart.

Cybersecurity has seen rapid innovation and scale, and therefore has developed approaches like vulnerability management and zero-trust that are almost non-existent in physical security.

Physical security has centuries of experience. Topics like understanding your enemies and using their traits to your advantage have been known since the age of Sun Tzu; their lessons transfer to cyber threat intelligence, but are often overlooked.

Having a deeper conversation with empathy for different viewpoints and challenges between cyber- and physical security will close the gap, move both disciplines forward, and improve security for everyone.

Paul Zenker

Paul Zenker is assistant manager for AI security, physical assets and IT at KPMG Germany.
