There has been an awakening of physical security within the InfoSec world.
That is just one verbatim comment from the recent ISC conference, and it reinforces the relevance of what Insite’s Chris Falkenberg discussed in his presentation, Are Your People Protected as Well as Your Data?
Well over 100 CISOs and InfoSec experts participated in the lively discussion that raised such questions as:
What are the most common physical security threats that I should worry about?
Is there a template for a risk assessment of physical security?
How do I better coordinate with internal teams when a security incident happens?
Another verbatim comment: “I’ve been tasked with managing physical security. How can I handle this?”
Clearly, in a post-pandemic world, CISOs are feeling the burden.
LET’S GET TO SOME ANSWERS
Monitoring and analysis of threats and negative chatter from surface, deep and dark web sources is one of the most effective ways to mitigate issues that impact physical security. The most common of these issues are:
Threats from a terminated employee/disgruntled customer
Protests at/near the office
Leaked addresses and phone numbers of key executives
Social media profiles impersonating the brand
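The monitoring described above, as an added example that is not Insite’s tooling or code from the original post: a small rule-based triage pass over constructed sample chatter that tags each item with one of the four issue types listed (disgruntled-party threat, protest near a site, leaked executive PII, brand impersonation) and ranks the hits for an analyst. The organisation profile (ACME, official handle acme_corp, executive Jane Doe), the keyword lists, the address/phone patterns and the severity weights are assumptions for illustration only.

```python
import re

# Hypothetical organisation profile (assumption for the example, not real data).
ORG = {
    "name": "acme",
    "official_handles": {"acme_corp"},
    "executives": {"jane doe"},
    "site_terms": {"hq", "headquarters", "office", "campus"},
}

# Constructed sample chatter; none of these are real posts or people.
SAMPLE_POSTS = [
    {"source": "twitter", "handle": "acme_corp", "text": "Excited to announce our Q3 results!"},
    {"source": "twitter", "handle": "acme-c0rp", "text": "DM us to claim your refund, ACME customers!"},
    {"source": "forum", "handle": "ex_employee77",
     "text": "got fired from acme today. they'll regret it, I know where the CEO parks"},
    {"source": "paste", "handle": "anon", "text": "ACME CEO Jane Doe home: 123 Maple St, cell 555-867-5309"},
    {"source": "reddit", "handle": "activist", "text": "Rally outside ACME HQ Friday noon, bring signs"},
    {"source": "reddit", "handle": "user", "text": "ACME support was slow but fine"},
]

# Illustrative vocabularies; a production feed would tune these against real data.
THREAT_RE = re.compile(r"\b(regret|pay for|hurt|kill|shoot|burn|bomb|get even|know where .{0,40}(lives|parks))\b", re.I)
GRIEVANCE_RE = re.compile(r"\b(fired|terminated|laid off|let go|ex-employee|former employee|refund|scammed|ripped off)\b", re.I)
PROTEST_RE = re.compile(r"\b(protest|rally|picket|march|demonstration|sit-in)\b", re.I)
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
ADDRESS_RE = re.compile(r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}(?:St|Street|Ave|Avenue|Rd|Road|Dr|Drive|Ln|Lane|Blvd)\b\.?")
SEVERITY = {"threat_disgruntled": 4, "executive_pii_leak": 3, "protest_near_site": 2, "brand_impersonation": 2}

# Common leetspeak substitutions used in lookalike handles.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize_handle(handle):
    """Lower-case, undo leetspeak, and drop separators so acme-c0rp and acme_corp compare equal."""
    return re.sub(r"[^a-z0-9]", "", handle.lower().translate(LEET))


def edit_distance(a, b):
    """Levenshtein distance, used to catch handles one typo away from the official one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(post, org=ORG):
    """Return the list of issue tags that apply to one post (empty list if none)."""
    text = post["text"]
    lowered = text.lower()
    mentions_org = org["name"] in lowered
    tags = []

    # 1. Threat from a terminated employee / disgruntled customer: grievance plus threat language about this org.
    if mentions_org and GRIEVANCE_RE.search(text) and THREAT_RE.search(text):
        tags.append("threat_disgruntled")

    # 2. Protest at/near the office: protest vocabulary tied to one of the org's site terms.
    site_re = re.compile(r"\b(" + "|".join(map(re.escape, org["site_terms"])) + r")\b")
    if mentions_org and PROTEST_RE.search(text) and site_re.search(lowered):
        tags.append("protest_near_site")

    # 3. Leaked executive PII: an executive's name alongside a phone number or street address.
    if any(name in lowered for name in org["executives"]) and (PHONE_RE.search(text) or ADDRESS_RE.search(text)):
        tags.append("executive_pii_leak")

    # 4. Brand impersonation: a non-official handle that normalises to within one edit of an official one.
    if post["handle"] not in org["official_handles"]:
        norm = normalize_handle(post["handle"])
        if any(edit_distance(norm, normalize_handle(o)) <= 1 for o in org["official_handles"]):
            tags.append("brand_impersonation")
    return tags


def triage(posts, org=ORG):
    """Tag every post, drop the quiet ones, and order the rest by the worst tag for analyst review."""
    alerts = []
    for post in posts:
        tags = classify(post, org)
        if tags:
            alerts.append({**post, "tags": tags, "severity": max(SEVERITY[t] for t in tags)})
    return sorted(alerts, key=lambda a: -a["severity"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS):
        print(alert["severity"], alert["tags"], alert["source"], alert["handle"], "|", alert["text"])
```

Keyword rules of this kind produce false positives (a customer saying they "regret" a purchase is not a threat), so the output is a prioritised queue for a human analyst, not a trigger for automatic action; the value of the pass is that the four issue types above surface together, ranked, instead of being read one source at a time.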
Risk Assessment Rubric
There are nine key disciplines that underpin corporate physical security, including:
Physical Security Systems
Emergency Preparedness and Response
To provide an unbiased, comprehensive risk assessment, Insite uses a proprietary Security Rubric that grades all vital aspects of the physical security measures in place. The outcome is a road map with actionable recommendations for the vulnerabilities that should be addressed.
To a large extent, physical security focuses on threats to the safety of an organization’s people, and in rare cases we are talking about life and death. Another important aspect of physical security is the protection of a company’s assets, which can be harmed in countless ways. At Insite, we use an all-hazards framework with a ‘toolbox’ approach when developing a playbook for incident response.
When a physical security incident occurs, a cross-functional internal team is usually involved in the response. The best practice is to have a practiced Crisis Management Team (CMT) composed of representatives from the C-suite, HR, Legal, IT and Operations, each with clearly defined responsibilities. Use role-based plans rather than person-based plans, so the plan does not depend on any one individual being available. We have also found that conducting mini-tabletop exercises optimizes the ability of a CMT to respond effectively when called upon.
Just as IT security programs are dynamic and must adjust to rapidly evolving threats, so must physical security programs. If you end up being responsible for physical security, remember that some elements of managing these risks sit in other departments. If your organization doesn’t have the bandwidth to manage these risks internally, make it a point to identify outside expertise. Insite can help.