Our physical security colleagues seem to understand some things better than cyber security practitioners. This better understanding tends to include a deeper appreciation, prioritization, and balance of operational risk.
An example: sometimes a simple fence is sufficient for managing the risk from a physical security viewpoint.
I often wonder what physical security would look like if cyber security practitioners (and our vendors) were responsible for managing those risks.
How much more or less effective would our approach be? I suspect that cyber professionals would be building moats, emplacing strongpoints, implementing flaming oil, shopping for crocodiles, and generally releasing the Kraken just to protect the local shopping mall.
Why the difference?
Physical security professionals tend to more deeply understand operational risk and how to balance it. Perhaps they have a longer history. Perhaps they have far less budget within which to work. Maybe their process and approach are defensible enough to be considered reasonable.
Cyber teams should pay attention.
Physical security practitioners focus on the basics first. They know that there is a basic set of controls. They don't skip over these basic controls to get to the sexier, more fun controls. Implementing the physical security equivalents of machine learning, AI, or blockchain without the basics in place and shown to be insufficient would be laughed at. The risks would need to warrant such measures.
Unlike many approaches that I read about on social media, they start by building capabilities that broadly protect against the likely risks rather than chasing and over-engineering for less likely individual threats.
They tend to prioritize their budgets on defense and they’ve internalized the importance of reducing vulnerabilities in a purposeful way.
They understand that red team testing is a capability to measure the effectiveness of their controls and not the foundation upon which they build their security program.
I can’t recall ever hearing or reading that the first handful of hires for an in-house physical security team should include a full-time red teamer. They contract that out. Perhaps there’s something to consider in that approach.
All one needs to do is balance the risk of a user error, a lack of patching, or an over-privileged user being the cause of a breach against the risk of a state-actor, APT-style attack that arrives by some path other than email.
It’d be difficult to say with a straight face that cyber practitioners are skilled at balancing the effort and focus against actual risk.
At best, we aren’t doing it well. On some teams, fun stuff or side projects receive more attention than fundamentals.
We can think about these physical security approaches as being constrained. More foundational. Not sexy. But the fact is that physical security teams have generally been more successful in figuring out many things with which cyber security practitioners still struggle.
I’m not saying that we need to copy from physical security professionals. That said, there are some good things to learn and apply from them.