Achieving 'Safe and Secure'
By Clint Hilbert, CSO, Betafence
Regularly, my wife and I go out for a couples’ night with some of our friends. We tend to frequent this quaint pub in a nearby town; the pub offers a separate sitting area for the kids next to the fireplace, and the food’s great. Last month, we all showed up on time and as the pub began filling, we ordered drinks and food and I hung our coats on the rack separating the coffee bar from the sitting lounge. For a moment, I sat back and just relaxed, listening to the bustle; it seemed everybody was comfortably into their groove and having fun. But, tonight was going to be different. I slowly pulled a clicker from my pocket that remotely controlled a gag gift (an electronic fart-sound maker) that was tucked secretly away in my coat hanging on the rack next to the bar. I waited for the right moment … a lull in the music … and buttons-away! “Pffffert!”
It was much louder than I expected! I knew everyone in the pub heard it. To my surprise, no one reacted! The music blended in and the conversations started back up. Hmmm. “Pfffst-ert-ert-ert!” Now, everyone heard it that time! I was getting some reactions. People sitting at the bar started looking around, some laughing, some with disgust. I just couldn’t keep this to myself any longer, so I shared what was happening with my friends at our table. The remote was quickly snatched from my hand and my friends pushed the button over and over. Suddenly, an elderly lady got up from the bar, came around to the fireplace and, with her elbows drawn back, stared scowling at our kids as she prepared to leave. What happened after that is another story, but here’s the takeaway from this particular episode: people tend to default toward tolerance rather than confrontation, even when unpleasant events are repeated, and while they may suspect or even recognize the culprits, they are hesitant to intervene. This natural complacency is part of human nature; it works against us while we are trying to achieve ‘safe and secure’ and allows what is ‘safe and secure’ to erode over time.
In the field of security management, we must recognize the influences of human behavior as we venture on the way to being safe and secure. When we protect things, we should expect confrontation. To effectively influence behavior, both Identity Management (IDM) and Gate-keeping (GK) are essential, and they happen to be the two areas that have challenged me the most. These two functions manage all of the ‘people movement and people activity’ that happens daily, and they are the root feeds for provisioning and credentialing. Almost every security program addresses IDM/GK in some fashion; together they vet and regulate access, and if managed properly they benefit the business by increasing efficiency throughout every operation. Developing a security program on the premise that IDM/GK governs operations is the way to achieve ‘safe and secure’. The ability to achieve ‘secure’ also depends upon the degree of risk exposure involved and how we approach the management of that risk. In general, there are only four real options for addressing risk: a. avoiding it altogether, b. transferring it to someone else to handle, c. embracing it, accepting it, and basking in its consequences, and lastly, d. trying to mitigate it because “it ain’t going away.” Most businesses choose the final option, because there seems to be a greater willingness to try to control certain risks by targeting their respective drivers … and many believe that with greater risk comes a bigger profit, so we take more chances.
Achieving “secure” involves a. defining domains and assets (using IDM), streams and operations, and areas of controllership and ownership (process architecture), b. establishing gatekeepers (GK) with the means to keep the gates, c. verifying the credentials of those permitted within, and d. recognizing the attributes of those players, nearby and afar, who can do harm. If these elements of protection are applied with some rigidity, everything else can be left to the constant disquietude: the disturbance caused by players and events, more commonly known as criminals, chance (accidents) and Mother Nature (natural disasters). Herein is the making of a firm framework of protection that supports an all-hazards defense approach and is itself supported by a mature IDM/GK model.
There is a road map for realizing protection using an all-hazards approach. With the elements framed above, we must arrange a rendering of the processes involved in the essence of the business (such as revenue generation) to sustain basic business continuity. Mapping an organization’s process architecture defines the playing field (the map) and outlines where impact analyses are needed, through the recognition and exploration of process feeds—A.P.E.L. (Automation, People, Equipment and Location). Every stream requires A.P.E.L. to exist. For each of the four A.P.E.L. process feeds identified, we must ascertain the primary, secondary and tertiary resources within each feed, shore up relationships with key functional owners, cross-train and drill. The result is the simplest form of a business continuity plan, since you’ve located redundant resources and you know where to find them when needed.
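The road map above can be checked mechanically once the process map is written down. The following is an added example, not code from the article or from Betafence: it models each stream's four A.P.E.L. feeds with their primary, secondary and tertiary resources and a functional owner, reports feeds that fall short of three resources or lack an owner, and also looks across streams for a resource that several of them fall back on, which the paragraph does not mention but which is the usual hidden single point of failure in such a map. The stream names, resources and owners in the sample map are constructed for a hypothetical company.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The four A.P.E.L. process feeds named in the article; every stream needs all four.
FEEDS = ("Automation", "People", "Equipment", "Location")


@dataclass
class Feed:
    """Primary, secondary and tertiary resources behind one feed of a stream."""
    primary: str
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    owner: Optional[str] = None  # key functional owner to shore up the relationship with

    def resources(self) -> List[str]:
        return [r for r in (self.primary, self.secondary, self.tertiary) if r]


@dataclass
class Stream:
    """One essence-of-business stream and the feeds mapped for it."""
    name: str
    feeds: Dict[str, Feed] = field(default_factory=dict)


def continuity_gaps(stream: Stream, required_depth: int = 3) -> List[Tuple[str, str]]:
    """List (feed, problem) pairs where the map lacks the redundancy the road map calls for."""
    gaps = []
    for name in FEEDS:
        feed = stream.feeds.get(name)
        if feed is None:
            gaps.append((name, "feed not mapped"))
            continue
        found = len(feed.resources())
        if found < required_depth:
            gaps.append((name, f"{found} of {required_depth} resources identified"))
        if not feed.owner:
            gaps.append((name, "no functional owner"))
    return gaps


def shared_resources(streams: List[Stream]) -> Dict[str, List[str]]:
    """Resources that several streams rely on: one outage removes them from all at once."""
    users = defaultdict(set)
    for stream in streams:
        for feed in stream.feeds.values():
            for resource in feed.resources():
                users[resource].add(stream.name)
    return {r: sorted(s) for r, s in users.items() if len(s) > 1}


# Constructed sample map for a hypothetical company (not from the article).
ORDER_TO_CASH = Stream("order-to-cash", {
    "Automation": Feed("ERP node A", "ERP node B", "manual order book", owner="IT ops lead"),
    "People": Feed("order desk day shift", "order desk night shift", owner="sales ops manager"),
    "Equipment": Feed("warehouse scanners", "paper pick lists", "hand count", owner="warehouse supervisor"),
    "Location": Feed("main warehouse", "3PL overflow site", "cross-dock yard"),
})
PAYROLL = Stream("payroll", {
    "Automation": Feed("ERP node A", "payroll bureau", "spreadsheet run", owner="finance systems"),
    "People": Feed("payroll clerk", "finance controller", "bureau contact", owner="CFO office"),
    "Equipment": Feed("finance workstations", "laptop pool", "bureau portal", owner="IT ops lead"),
    "Location": Feed("head office", "home working", "bureau office", owner="facilities"),
})

if __name__ == "__main__":
    for stream in (ORDER_TO_CASH, PAYROLL):
        print(stream.name, continuity_gaps(stream))
    print("shared:", shared_resources([ORDER_TO_CASH, PAYROLL]))
```

Run on the sample map, the order-to-cash stream is flagged for a People feed with only two resources and a Location feed with no owner, payroll is clean, and "ERP node A" shows up as a resource both streams depend on, so a crisis that takes it down hits both at once and the drill should assume it.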
Gatekeepers must know the business, and they must know the road map; if not, they will be at a disadvantage in recognizing vulnerabilities and in knowing which resources will be needed during a crisis. Gatekeepers must understand the art of ‘gate-keeping’. GK has many facets; it is an integrated, living practice that uses bits of information and physical structures to control the presence and actions of people. GK must also be interactive at all levels of the organization, as most adverse events prompt the need for rapid decision-making in the physical and cyber control centers, the SOC and the NOC. If evaluated collaboratively and investigated thoroughly, these decisions will produce appropriate responses with favorable outcomes.
Protection is achieved when the solution eliminates the vulnerability. Our most common model for protecting physical assets today still uses a static, fixed-location approach that applies concentric rings of defense, paying attention mostly to what is inside and to breaches of the outer ring. Progressive models add an outward awareness, using both surveillance and counter-surveillance methods to lessen the advantage of the criminal’s anonymity and element of surprise. As the algorithms behind video and behavioral analytics improve, our ability to predict events and actions will in turn strengthen our protection posture.
Lastly, as we set up our mature models of IDM/GK, we also have to pay attention to our environment and our surroundings, and look for ways to have subtle anomalies presented as actionable events. Most crimes (and victimization) can be avoided by design; control of access, control of movement, surveillance, counter-surveillance, and the proper application of analytics all play integral roles in crime prevention. The consistent application of concentric rings of security allows both detection and intervention to take place before harm is done. We are not yet at an “alarm, zoom-in, analyze, point, click, and eliminate-the-threat” stage, but we’re getting there quickly, and soon we can all be ‘safe and secure.’
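The gate-keeping described two paragraphs above and the call here to turn subtle anomalies into actionable events can be shown together in one small decision loop. The following is an added example, not code from the article or from Betafence: an IDM registry of credentials (holder, provisioned domains, expiry, revocation) feeds a gatekeeper that decides each request, and rather than tolerating repeated denials the way the pub crowd tolerated the noise, the gatekeeper counts denials per credential inside a sliding window and raises one event for the SOC once they reach a threshold. The credential ids, holders, domains, thresholds and the request trace are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Credential:
    """What IDM provisions: who holds it, which domains it opens, when it stops being valid."""
    holder: str
    domains: FrozenSet[str]
    expires: int           # seconds on a constructed clock; see the sample trace below
    revoked: bool = False


class Gatekeeper:
    """Decides each gate request against the IDM registry and escalates repeated denials."""

    def __init__(self, registry: Dict[str, Credential], escalate_after: int = 3, window: int = 600):
        self.registry = registry
        self.escalate_after = escalate_after   # denials within `window` seconds that trigger an event
        self.window = window
        self.denials = defaultdict(deque)      # credential id -> timestamps of recent denials
        self.events: List[dict] = []           # actionable events handed to the SOC

    def decide(self, cred_id: str, domain: str, now: int) -> Tuple[bool, str]:
        cred = self.registry.get(cred_id)
        if cred is None:
            reason = "unknown credential"
        elif cred.revoked:
            reason = "credential revoked"
        elif now >= cred.expires:
            reason = "credential expired"
        elif domain not in cred.domains:
            reason = f"not provisioned for {domain}"
        else:
            return True, "granted"
        self._record_denial(cred_id, domain, now, reason)
        return False, reason

    def _record_denial(self, cred_id: str, domain: str, now: int, reason: str) -> None:
        recent = self.denials[cred_id]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget denials outside the window
            recent.popleft()
        if len(recent) >= self.escalate_after:
            self.events.append({"credential": cred_id, "domain": domain,
                                "denials": len(recent), "last_reason": reason, "at": now})
            recent.clear()   # one event per burst, then start counting again


# Constructed registry and request trace (hypothetical credential ids, not real data).
REGISTRY = {
    "C-100": Credential("A. Contractor", frozenset({"lobby", "lab"}), expires=5000),
    "C-200": Credential("B. Leaver", frozenset({"lobby", "lab", "server room"}), expires=5000, revoked=True),
}
TRACE = [
    ("C-100", "lab", 100),
    ("C-100", "server room", 110),
    ("C-100", "server room", 125),
    ("C-100", "server room", 140),   # third denial inside the window: escalate
    ("C-200", "lobby", 150),
    ("C-999", "lobby", 160),
]


def run_sample() -> Tuple[List[Tuple[bool, str]], List[dict]]:
    """Replay the constructed trace and return the decisions plus the events raised."""
    gk = Gatekeeper(REGISTRY)
    decisions = [gk.decide(*request) for request in TRACE]
    return decisions, gk.events


if __name__ == "__main__":
    decisions, events = run_sample()
    for request, decision in zip(TRACE, decisions):
        print(request, "->", decision)
    print("events:", events)
```

Each denial is still answered at the gate on its own; what the window adds is that the third denial for the same credential becomes a single, actionable event instead of three log lines nobody reads. The threshold and window are the knobs a site would tune against its own traffic.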