August 1, 2019
Every organization must identify multiple blind spots to improve its overall security posture, said George Finney, CISO for Southern Methodist University, in his keynote address to close the Cyber:Secured Forum in Dallas this week. And companies that look at physical and cyber security holistically can address shortcomings in both.
It starts with people: team members of a diverse staff (diverse in experience as well as social background) can help each other with personal blind spots and career growth. A lack of diversity can itself be a blind spot that creates vulnerabilities for the organization. “If you want to change diversity, you start with the job description,” Finney said.
Another blind spot (to which security analysts might not be so blind, but others can be) is information overload. Addressing this vulnerability comes down to streamlining tools. In some organizations, CISOs might have teams of 100-200 people and as many as 200 different tools. If they’re lucky, they can whittle that down to 20, Finney said. The goal is to quiet the noise. Analysts are struggling to find real threats in the noise, which is why understanding the impact of information overload is critical to strengthening an organization’s overall security posture.
Cognitive bias—systematic errors in thinking that affect decisions and judgments—is another pitfall that affects some companies. “As security people, we can be a mirror to reflect back what people look like to the world, particularly with social media,” Finney said.
One of the most important keys to success in uniting cyber and physical security is in building relationships. Developing internal and external partners and collaborating takes time, sometimes years to plan and execute. “If you don’t plan for relationships that are long term, that’s not going to translate into success,” Finney said.
Whether you’re an integrator or a CISO, relationships are going to be key to success. “We’re all going to run into problems along the way,” Finney said. Relying on penetration testers to identify vulnerabilities can successfully avoid a bad situation. “Sometimes in cybersecurity, we forget the impact that these things can have. When you add in physical safety, you’re talking about safety. Having physical and cyber together on the same team keeps that perspective in check.”