The day I discovered Cybersecurity was chic and Physical Security was old news

AJ Hass
4 min read · Jan 25, 2020

I get it — we are living in a text, tweet, twerk world where the things that we hold closest have a high degree of digital exposure.

I have long been of the school of thought that says: to have a successful cyber-security operation, an organization must have an equal focus on the physical security operation. The keyword being “equal.”

To me, physical security has always been the cornerstone of any enterprise security solution.

Imagine my surprise to find out that Cybersecurity had sucked up all of the oxygen in security, and physical security had become an oft-misunderstood relic of an analog era.

The elites have spoken!

I was brushing up on the requirements for a CISSP certification (a premier certification for experienced security practitioners, managers and executives) and I was shocked, shocked, (yes shocked two times!) to find out that Physical Security had been removed as a domain.

The same was the case with CompTIA Security+ (the industry standard for early-career security professionals). Buried deep within one of the domains, which accounts for 14% of the exam, was a subsection on physical security controls.

The Security+ test is 90 questions… so basically, if you’re not worried about missing one-half-of-one-question, you can skip Physical Security altogether.

At first, I thought it must be a fluke. I had assumed it was a decision made by an elite cadre of IT professionals conjuring up ways to inflate their self-importance by minimizing the importance of domains that they had little to no experience in.

Even if physical security was a critical pillar of information security (and vice versa), these guys couldn’t be bothered to learn it early in their careers.

The people have spoken!

I wanted to compare search interest in a topic or search term over time, so I turned to Google Trends to compare “cyber security” to “physical security.” I quickly discovered that it wasn’t just CISSP that had changed its preferences.

For the bulk of the tracked period before 2009, Cyber Security and Physical Security shared an equal amount of the public’s interest.

As we look at this trend line, something very magical happened in 2009: in the wake of a rash of cyber-attacks and the passage of new federal legislation, Physical Security began to take a back seat.

Then I thought to myself, “perhaps the hallowed halls of academia would provide some respite from the shifting whims of the masses.”

I checked out the National Center for Education Statistics, and it was in line with everything else I’ve read: young people are studying to become IT professionals, not physical crime stoppers.

What Subjects Are They Studying?

https://nces.ed.gov/programs/digest/d18/tables/dt18_323.10.asp

This trend started in 1970, and I think (moreover I hope) that it merely reflects the money to be made in the new information systems industry, rather than a profound reflection of interests.

But even if I threw out the charts and did the most unscientific of studies, I would still find that people just don’t care as much about Physical Security as they do about cyber. When I go to enter a tag, “cybersecurity” has been used over 32K times, while Physical Security has a measly 891.

The Board has spoken!

The United States’ top companies have adopted an attitude where physical security is an afterthought.

Walmart, the largest company by revenue, has its CIO as part of its executive leadership team, while its Chief Security Officer (the one in charge of physical security and safety) doubles up as head of aviation and serves at a lower level in the organization. This is despite the company losing up to $300 million a year to theft.

There is also a more complex and confusing problem with the term Chief Security Officer. Most CSOs are elevated CISOs (Chief Information Security Officers), while some are in charge of only the physical security aspects.

I’m sure any C-suite security professional can speak ad nauseam about protecting servers using RBAC, but far fewer can have a casual discussion about preserving the same assets using a WADSC.

Final Thoughts

If physical and information security are combined under one organization, its head is generally more experienced in IT; if they are separate, the budget and corporate focus allocated to physical security are weaker.

Free speech doesn’t pay the bills. This blog doesn’t represent my employer, nor reflect my experiences and their strategies therein.

AJ Hass

Passionate about all things security including information systems, guards, badges, and global policy security concerns. MBA, MA International Relations