Defense in Depth: Convergence of Physical and Digital Security

Security convergence is the melding of all security functions, from physical to digital and personal to business. The concept has been around for 17 years, yet organizations are still very slow to adopt it. A company’s overall digital convergence appears to be happening at a faster rate than its security convergence.

Check out this post for the basis of our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series; co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn; and our guest, Anne Marie Zettlemoyer (@solvingcyber), business security officer and VP, security engineering, MasterCard.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Tessian

95% of breaches are caused by human error.
But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data.

Full transcript

David Spark

Security Convergence is the melding of all security functions, from physical to digital, and personal to business. The concept has been around for about 17 years, yet organizations are still very slow to adopt. A company’s overall digital convergence appears to be happening at a faster rate than security convergence.

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series and joining me for this very episode is Geoff Belknap, the CISO over at LinkedIn, and he’s making a face, where he’s putting his hands, or his face into his hands, I guess. Geoff, the sound of your voice, so everyone knows what it sounds like.

Geoff Belknap

This is the sound of my voice, welcome, yet again, to another amazing Defense in Depth.

David Spark

And he’s sticking to that.

Geoff Belknap

That’s my story.

David Spark

Our sponsor for today’s episode is Tessian, and they do human layer security, more about that later in the show. But first, I want to mention Dan Lohrmann, who we actually have had on the show in the past, he’s now currently the field CISO with Presidio and he wrote an article for GovTech about the need to merge physical and digital security. He admits that this is far from being a new topic and there’s an endless stream of benefits, but we’re still having a hard time getting there and it’s just costing us more money and making us less secure. So, Geoff, I will ask you, why are we still holding back on security convergence?

Geoff Belknap

Boy, it’s lost on me. I have had teams where they have been converged, I have teams where they have not been converged. In my experience, it is something that is very beneficial to the organization that chooses to go down the path of convergence, but I think, like many things, people have different opinions on where the value should be and where the priorities are.

David Spark

And we will talk about this on the show and I have some theories and many of them echo in these quotes that I’ll be reading later as to why it’s been held back so long. Helping us in discussion is a former guest who has not been on for a while, so I’m so thrilled that she’s back again joining us, it is Anne Marie Zettlemoyer, who is the business security officer, VP for security engineering over at MasterCard. Anne Marie, thank you so much for joining us.

Anne Marie Zettlemoyer

Thanks for having me, David.

How is this relevant?

David Spark

Caston Thomas over at Interworks said, “The question is not about if we should, the question is, how we should. Merging CyberSec with physical security is inevitable, if for no other reason than the digitization of the physical.” And, Johnathan R, CISO over at Lightspin said, “I don’t think I’ve been in an organization, at least ones with a proper CSO, that physical and information security were not converged at least a little bit.” And he mentioned badge scanners, biometric scanners, keypads, tracking shipments, etc. So, the reason I hear this all the time, Geoff, is all these physical security devices are pumping out some kind of data. So that’s where cyber security gets involved. I think that’s why it’s inevitable that there is some level of this, yes?

Geoff Belknap

Yes, most modern physical security teams are using a ton of digital technology today. So I think it’s a little bit of a misnomer to think there isn’t some convergence. Like, most of the badge readers are connecting back to a controller that’s based on IP, all the cameras are IP cameras at this point. People are using digital systems, maybe even Jira or something like that, to track incidents and plan rotations. So it’s already happening. I think the real question is, why aren’t more of those teams reporting into CSOs, or CISOs? And, I think the answer to that really gets to, what are the organization’s priorities and how do they make those decisions? Because it clearly adds value to the physical security team for it to be connected to a more modern information security team. But what is the organization looking for out of their physical security team? I think that really is the deciding factor.

David Spark

How do you feel about that, Anne Marie, and do you think what was said by both Cass and Jonathan, that we see this as the bare minimum, because it’s inevitable for everybody now?

Anne Marie Zettlemoyer

Well, I think it’s how an organization approaches and defines security. So if you come from an organization where you brand yourself as cyber, or you brand yourself as InfoSec, you’re going to focus on those traditional disciplines. And yes, physical security, if you look at the CISSP doctrine, let’s say, that’s a domain of security knowledge. And there’s such an intersection between the two, that if people lean one way or the other, but if an organization looks at the practice of performing security, then that’s going to encompass more than just InfoSec, it’s going to encompass more than just physical, it’s the discipline of making sure that the environment, the people, what we build, how we behave, how we act, is safe and secure. And that’s multi-disciplinary, so why wouldn’t physical be in there, if that is your approach? Now, like Geoff, I’ve been part of organizations that have approached it both ways. At Mastercard, we approach security holistically, where we have physical and cyber under one roof, right? But other organizations don’t necessarily do that and they might think of physical as more executive protection or what have you, but all of that still, even in executive protection, you’re looking at online threats, you’re looking at intelligence, you’re looking at geopolitical, which are going to also inform what’s happening with your InfoSec infrastructure, your data centers and how you recover from things. So, to me, it’s the overarching discipline of security that needs to expand, or that should expand, in order to reap the benefits.

David Spark

Geoff, it seems that this is just a leadership issue and it’s not just leadership from the cyber security side, but from the CEO and physical security, like, what direction are we taking with security? Can a leadership change cause convergence to happen?

Geoff Belknap

Oh, absolutely. Thinking back to the times, where I’ve seen these separate, where they were separate, it was a combination of that organization had a different threat model and a different way to manage its risk, where it’s probably fine that those things were not directly connected. Certainly, even if the physical security team is not reporting in to an information security team, or not meeting at the CISO, they’re working together, those are two risk management focus teams that are solving problems. They’re still working together, they’re still solving problems. I just think, in my experience, you have to convince the leadership that there’s a holistic benefit to those teams being together and usually, it’s not that hard. But also, if you have a relatively minor physical security team, if it’s just a couple of contract guards, then it’s harder to make that argument. But if you’re Mastercard, or a larger organization, then certainly it’s much more realistic to believe that you’re managing it holistically.

Does it play nicely with others?

David Spark

So, these next quotes, I think, are one of the reasons, or maybe the main reasons, it’s been held back. And Jens Nasstrom, of Safeture said, “In most organizations, the two teams are run by different departments with different cultures and, most importantly, different bosses. No one wants to be folded into the other.” And Presley Presscott of LOEPRE GmbH said, “Both cyber and physical still tend to operate in their own box, because they speak different languages.” And, lastly, Kevin Weakley of Wellstar Health System said, “Does bureaucracy stifle this convergence, and/or lend itself to separate security groups not wanting to give up their domains, literally and figuratively speaking?” And, Anne Marie, I have been to just one physical security conference and I will say, it definitely seemed like a whole different world. And while they did have some sessions on cyber, they were very, like, 100-level, very beginner-level discussions with this very savvy physical security community. I think it’s not the desire of being folded in, and honestly, I think cyber’s the one who’s gonna win out here. What do you think?

Anne Marie Zettlemoyer

So, it’s interesting that folks say they speak such different languages that they can’t translate to each other. I would challenge that thought. Everybody has nuances to their topic or their domain expertise, and as I said, security has several domains of which cyber has sub-domains and so does physical. But the overall discipline, if you take physical, there’s an investigation component to that, there’s an investigation over to cyber. Well, that’s a common lexicon, running an investigation is running an investigation, you have to know how to perform certain technical capabilities and the genres of both, but there’s still a method to running an investigation. So you can get caught up in the nuance of nomenclature. I’m going to start looking through logs, or I’m going to start looking at physical access logs. I’m going to still look at who’s accessing this over here digitally, who’s accessing this over the physical realm. It’s still the same discipline, it’s just a different context. I’ve talked about this before, sometimes we cyber security folks can think that we have developed something new. A lot of our disciplines are carried over in a lot of other well established disciplines, whether it’s warfare, or business, or accounting, or legal, or risk, anything to do with risk. These things have been around far longer than the digital realm and those practices on how to handle crises have been around far longer than us cyber folks, so I think it’s interesting.

David Spark

You make a really good point. I mean, cyber security, of all these fields you mention, is the newest and really new, but it sure is getting a ton of press now and, as we all know, it’s growing really rapidly. Geoff, what do you think? Anne Marie makes an extremely good point, and yet, I have seen this, there seem to be two very different worlds here.

Geoff Belknap

You know what, it is two different worlds and I think, to Presley’s point, both cyber and physical seem like they operate in their own sandbox, and they seem like they speak different languages, but the reality is, once you converge those teams and, I get it, I think Kevin’s got a point, nobody really wants to converge teams if they’ve been operating in their own silo for a long time, but once you converge those teams, once you get those people breaking bread at lunch or at dinner together, they find out real quick that they all speak the same basic language. Like, yes, in information security, they’re going to be engineers first, and focused on technology sometimes, but when you get down to it, to Anne Marie’s point, like we’re solving the same kind of problems. We’re running investigations, we’re detecting intrusions, we’re trying to build risk mitigation plans and detections, all of those really do belong together.

Anne Marie Zettlemoyer

Access control.

Geoff Belknap

Yes, like I said, the language is the same, whether we want to believe it or not. Now, the tools in the physical security space are more limited, because that space is more limited. But the reality is, when you put those together, you really see benefit and I think one of the problems, if you really want to look at what’s holding back convergence is, most physical security teams are in the workplace or the physical facilities team, the same team that the janitors, the people that are building your desk, or painting the offices are in, and it’s a really weird place for somebody like physical security to be. So when you bring them into the broader security organization and give them access to resources and people that can help solve the problems at a higher level, you really do see the benefit.

Sponsor – Tessian


Steve Prentice

That moment, when you click on a link that you know you shouldn’t have, we’ve all done it, because curiosity, reflex or habit just get the better of us. Josh Yavor knows this extremely well as CISO at Tessian; he and his team work to deliver techniques and solutions that allow us humans to get our work done, without the mistakes that can cause great damage to the company and its customers.

Josh Yavor

We need to deliver as safe-by-default an experience as possible. And when we’re thinking about coaching, what we need to do is get away from the world of legacy annual security training, where we take 30 or 90 minutes of your time, give you a quiz afterwards, and actually meet people in the moment, or as close to the moment as we can, where they need that coaching, where they need that advice. And, critically, where they need to be able to remember who to reach out to for help. And so, our tooling needs to be able to be dynamic and responsive to changes in how people work, the platforms that they use and how they interact. And that’s why our approach to focusing on human behavior and applying technology that provides security based off of observations of change and changes in human behavior, that’s the way in which we’ll be able to continue to provide excellence in security outcomes, despite the inherent reality that we will continue to see massive evolution and changes in how people work and how they collaborate together.

Steve Prentice

For more information, visit Tessian.com.

Nothing will happen until we take action.

David Spark

Brian Wrozek of Optiv said, “Sounds good in theory,” referring to security convergence, “but harder to achieve operationally. The skill sets are too different to truly achieve a highly functioning cohesive team.” And Marc Sokol at Citi, who actually did complete security convergence, said, “We achieved many positive outcomes, transformed the perception of the role/function, optimized productivity, lowered expenses, lowered risk, all while broadening growth opportunities for staff and the company, their mergers and acquisitions.” So, Geoff, let me throw this to you first, I mean, Marc Sokol just says, “All these wonderful things happened when we did it.” Like, once you start hearing stories like that, wouldn’t people want to start running towards convergence?

Geoff Belknap

You would think so. But I think there are a lot of people like Brian here and not to pick on you, Brian, but yes, it sounds good in theory, I can tell you it’s also very good in practice as well. Now, there are limited gains on the InfoSec side for the physical security team to be connected with them, but there are almost unlimited gains for the physical security team to be part of a team that has more budget, newer attention, that’s got more engagement from the executive level team, all of those things really bring a halo effect to the other parts that you bring in there. I can’t stress enough, if you up level your physical security team by connecting them to other engineering teams, you will see all these benefits that Marc is talking about, the expenses will be managed, they’ll be using new technology, they’ll be optimizing things that can optimize their work and their cost, but a lot of that has to come from thinking about them as part of your overall security program, and not as part of an overhead cost, like janitors and copy machines. You really have to be thinking about this as part of your holistic security program.

Anne Marie Zettlemoyer

I don’t know, I think there are some pretty strong benefits to incorporate both on the InfoSec side as well, that they can reap from physical. And it depends of course, how the physical organization is set up, you definitely are going to look at physical as the first line of defense for things like social engineering attacks, in-person social engineering attacks, which, as you know, are part of the trade craft of securing things like data centers and making sure that there’s integrity within those systems physically, they’re part of the resilience efforts, they’re part of making sure that if intelligence is one of those common lexicons and physical security usually has the domain expertise in intelligence, to monitor not just geopolitical issues that might affect your operations, but also environmental issues. And it’s that physical expertise that is going to help you know how to respond to get people out to move, to recover, to physically deploy agents into a field, let’s say, in order to recover whatever. Let’s say, like, discs or get things moving all over the world, they have that. So I feel that it can be mutually beneficial, if what you are trying to do is approach overall security. Now, are there organizations that, we were talking about must a lot and we have to do this a lot, and I will push back on that too, because I would say you don’t have to. If, like any other risk discipline, you have an operating model that knows where the hand-offs are and can work cooperatively, and be able to share intelligence and be part of that working group when crisis response happens, in order to respond, then you’re doing well. It’s when you don’t have those partnerships, when you don’t have that line of sight, that organizations start thinking of the need to combine. But if you have two high performing teams that are able to work together, and it will be more than two, they have to work with legal too, they have to work with every other risk discipline, then why change just to change?

David Spark

Let me ask you a question, Geoff, have you hired anyone that came from the world of physical security first?

Geoff Belknap

Sure, yes. I guess it depends on how you define that, but I’ve hired people.

David Spark

Like they were a locksmith maybe, or something like that?

Geoff Belknap

I mean, not a locksmith explicitly, but I’ve hired people that have come from executive protection or come from doing physical security as a guard, or a protector in some way, we’ve hired a lot of people in that space.

David Spark

I’ve always noticed, when I talk to those people, they look at physical spaces and they think about security when they’re in physical spaces, not like a cyber person does. My feeling is, that kind of knowledge can bring a level of education to the cyber world that would be hugely valuable.

Geoff Belknap

I think we talk about this all the time, one of the things that your security program derives benefit from is hiring a wealth of people from different perspectives and bringing those all together in one place. So why would we exclude people that have physical security experience and think that that’s lesser? I think the other part, to Anne Marie’s point, the way I think about security is not, I want to drive an improvement in information security, I want to drive an improvement in how we manage security holistically, and how we’re decreasing risk and increasing security outcomes for my customers, for my members, for my employees and my shareholders. All of those things mean I want to bring together as many security resources in one place. And help them drive positive security outcomes. And if you’re excluding physical security from that, I think you’re being shortsighted.

How do we go about measuring the risk?

David Spark

Now, here are a couple of quotes that I thought challenge this conversation. First, from Anthony Mini of Pearl Technology and he said, “The most significant topic here is the potential to hold employees accountable for their actions in cyber, the way we do with physical. For example, if an employee left the building doors unlocked overnight, and hundreds of thousands of dollars were stolen, that employee would be disciplined. However, if that same employee clicks on a link that could have resulted in a million dollar loss, that employee would simply redo their security awareness training.” And I’m definitely going to want your thoughts on that, as I see, by the way, Anne Marie shaking her head, she doesn’t buy that. Jim McConnell of Verizon–

Anne Marie Zettlemoyer

Interesting assertion.

Geoff Belknap

It’s pretty wild.

Anne Marie Zettlemoyer

It’s quite telling.

David Spark

I think it’s an interesting call. I liked it. Jim McConnell of Verizon said, and this actually teases something that you had said earlier, Anne Marie, he said, “I challenge everyone to actually start with mapping, think organization chart, all, yes, all the humans and suppliers, vendors, that do ‘security’, all types within your organization operationally. I think people might be surprised at the number of different groups that do these functions and the gaps.” Alright, I’m going to throw it to you first, Anne Marie, who questioned Anthony Mini’s theory that people will get more severely disciplined by an error with physical security than digital security. And also, what Jim said that, “Hey, a lot of us are doing security more than you think.”

Anne Marie Zettlemoyer

I think that’s an interesting assertion and certainly a telling one. How we deal with incidents is indicative of the leadership within an organization. If it’s an accident, or what have you, there’s probably still consequences. I don’t know about severity or not. I can tell you that intent should be part of the process, in disciplinary or coaching actions, so is repeatability. I’m really surprised that he would assume, and everybody can click on a link once, but what if this person was reckless within that, what if they kept failing repeatedly phishing simulations, or what have you, and there were dire consequences because of that, and huge infections. Your leadership should address that with compassion and effectiveness in both scenarios, right, that’s a leadership discussion. And, as far as Jim’s comment goes, I think that’s true. Because, it’s always interesting to do a perspective map, on what folks believe that their role and their job is. You might be surprised on how many people believe that their responsibility is to do a certain thing and that might be very similar to yours. There might be nuances in the terminology, there might be nuances in the method, or in the limit of jurisdiction for those types of tests, let’s say. You might find that audit believes that they can order up pentests, I’ve certainly seen that happen before. Security would be like, “Oh, my God, what are you doing? That’s our job.” But, they may feel like they have the ability to assess in certain ways. So I think it’s a valid exercise, but I think it also can uncover where your champions are going to be, and not to use consultant speak, but your synergies, right, where you can start breathing in these efficiencies and these little points of championship for security. Because that’s the overall goal. Get the ego out, focus on the goal of security, the mission of security and not who reports to who and who does what.

Geoff Belknap

Yes, absolutely, plus one to everything you just said, Anne Marie, I strongly agree. But I’m also going to just bring this back to Anthony’s comment and I want to really highlight something here. Because I think it’s important and I think when people are thinking about the convergence of information security and physical security, here’s an important detail that we might be overlooking. In both of these cases, if you leave a door open and it leads to hundreds of thousands of dollars of loss, or if you click a link and it leads to many dollars of loss, in both cases, you have to ask yourself, where is your defense in depth, why was a single door being held open, or a single link being clicked, why did that directly lead to a huge loss? In both of those cases, this is a great example of, if you have a converged team, you have teams that are combining their resources and their perspectives to make sure that a single link clicked, a single door being held open are all contingencies that the program is designed to detect and respond to. I’ve seen these, in cases where a door left open can lead to a cyber intrusion, it’s really beneficial to have these teams working together and to be thinking about the potential side effects, or unknown long tail effects that can happen as a result of these things. And I think Jim’s point, there are a ton of people that are contributing to the security outcomes in your organization, it definitely behooves you as a security leader to understand how different people contribute. Not every single one of those people that is contributing to security needs to report to a CISO, but certainly, they need to be your partners and the people that you are building relationships with, if you are in the security organization.

David Spark

Excellent points, both of you. And I want to echo something we were saying off the microphone, because we had a little small stop down in the middle of the show. This was a solid show. Thank you very much, Anne Marie, thank you very much, Geoff. Now we get to the portion of the show where I ask you, what was your favorite quote and why? I’m going to start with you, Geoff.

Geoff Belknap

So I think my favorite quote is from Caston here, from Interworks. The question is not about if we should, the question is how we should. Merging cyber security and physical security is inevitable, if for no other reason than the digitization of the physical. I don’t know what digitization of the physical means, but I do know that I think it’s inevitable and we really should just be having the conversation about how we bring these things together.

David Spark

Alright, Anne Marie, your favorite quote and why?

Anne Marie Zettlemoyer

I like that one too.

Geoff Belknap

Sorry, I picked it, you can’t have it.

Anne Marie Zettlemoyer

Oh, well, I’ll fight you for it.

Geoff Belknap

Alright, I’m going to lose.

Anne Marie Zettlemoyer

I’m just saying. I mean, we’ll arm wrestle, it’ll be fine. But I don’t know that it’s inevitable for everything, it depends on how the company works. But I do believe that it shouldn’t be a fight or a controversy. If it makes sense, then think about how, not fight about why. Think about how, because you have a common goal.

Closing

David Spark

Good point. Alright, this is now wrapping up our show. I believe both of you have final comments or final pleas as well. By the way, Anne Marie, I always ask our guests, are you hiring? So make sure you have an answer for that question. I want to thank our sponsor for today’s episode and that is Tessian, for human layer security. More about them at Tessian dot com. And Geoff, I know that you’re hiring, you’re always hiring and if you don’t find a job working at LinkedIn, you can go to LinkedIn to find another job.

Geoff Belknap

That’s right. LinkedIn dot com/jobs, there are my jobs and many others there. Come hang out. And especially if you have interesting ideas about a converged physical and information security, I’d love to talk to you.

David Spark

Excellent. Anne Marie Zettlemoyer, who’s the business security officer, VP security engineering over at Mastercard, first, are you hiring?

Anne Marie Zettlemoyer

Oh, yes. Yes, I am.

David Spark

Alright. If I wanted to find a job at Mastercard, where would I go?

Anne Marie Zettlemoyer

Well, you can go to Mastercard dot com under careers, or go to LinkedIn, or if you’re interested in working on my team, I am definitely hiring, so you can reach out to me. But I do want to take the opportunity to plug the Cyber Talent Initiative, David, because this is related. And what I would love to do is have this be a call to action for anybody who’s listening that really wants to be involved in growing the security talent here in the United States. So what the Cyber Talent Initiative is, is it allows for more opportunity, more capability, more palatability, if you will, for new college grads, or even graduate students to enter into the government for government service. A lot of times, government cannot compete with commercial salaries, but this program encourages people to get trained up in the government, give back to the government, give back to the country with service and get all that great experience. And then you get access to accelerated hiring and interview schedules and opportunities with the sponsor firms. And if you choose to come onboard, and you go through that recruiting process, then you have a $75,000 pool of money to help you pay off your student loans as part of the program.

David Spark

Wow.

Anne Marie Zettlemoyer

Yes.

David Spark

That is spectacular. And I just looked it up, CyberTalentInitiative.org.

Anne Marie Zettlemoyer

The Cyber Talent Initiative. So partner with us. I’m looking for new partners that want companies to champion this effort, as a win win for a public private partnership and to stand alongside with us to do that. So if you’re looking for a call to action, reach out to me and see how you can get involved.

David Spark

By the way, best way to reach you is LinkedIn, or somewhere else?

Anne Marie Zettlemoyer

LinkedIn.

David Spark

Anne Marie Zettlemoyer, if you just go to our website for this episode, there’s a link to her LinkedIn page as well. Thank you very much, Geoff. Thank you very much, Anne Marie, and thank you very much to the audience as well, for your contributions and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.