
Blog: 2024 – A YEAR OF DISRUPTION?
Security, Its Role In Increasing Certainty
16 January 2024
2024 – A New Year, New Objectives and Creating Certainty
Each New Year brings with it hope, opportunities and, from a business perspective, new objectives. Objectives can follow a top-down approach as individual departments ensure their outputs match an organisation’s needs, but it is a two-way street. New and better working practices emerge, technological advances take place and threats transform, exposing what might have been hidden vulnerabilities.
In the face of challenges such as the Red Sea shipping attacks, cybercrime, and extreme weather events, security measures must adapt to protect organisations and generate a higher degree of certainty. The 2024 security plan should focus on enhancing product delivery, ensuring team member development, and addressing uncertainties with five suggested objectives for strategic implementation.
1. Cyber Security – Establish A Memorandum of Understanding
The goal of Cyber and Physical security convergence has been a matter of discussion for a considerable period of time. However, there have been difficulties in achieving it, whether that’s through inertia, siloed thinking, a misunderstanding of the roles or perhaps it’s not even considered a good idea in the first place. Despite that, in a world where threats are evolving and working practices changing, it probably means that understanding what each is delivering, the impact they might have on each other and the organisation as a whole, isn’t just desirable but necessary.
The magazine CSO Online suggested that “Physical security largely comes down to a couple of core components: Access control and surveillance.”
To clarify potential misunderstandings, prevent overlaps in delivery and increase bilateral communications, a Memorandum of Understanding should be considered. This will crystallise common objectives and how they can be achieved, set out where divisions in responsibilities lie and bring in a series of timelines and overall expectations that can be met and their effectiveness measured.
It does start, however, with Security defining its role, which is wider than Physical Security and, as set out in the RedLeaf Consultancy blog Physical Security v Protective Security – It’s a Difference that Matters, provides much more than the stereotypical limitations of gates, guards and passes. With CSO Online effectively dismissing security as access control and surveillance, the need for that definition is perhaps paramount.
2. The Insider Threat – Developing a Coherent Programme
The problem of the insider threat is not new and clearly pre-dates the cyber age. Historically, and while it might be seen in terms of Cold War espionage, the problem remains, not only at a nation state level but within organisations. It has been well publicised by MI5 and the FBI that there are ongoing threats from the Chinese state and others, in a bid to acquire leading edge IP, but it is not all about information. It can be to do with the ability of an organisation to actually function, the protection of employees and the threats to high value physical assets.
Due to its very nature, the insider threat is difficult to prove, as the damage could be done before anyone, if ever, even notices.
It is a threat that will fluctuate over time as an organisation develops its products and services or brings on new customers, who in themselves might be under threat. The problem can be exacerbated when organisations express opinions or act in a way that some of their employees might not find acceptable. However, the process is like proving a negative as the actions of an insider may never be known. What is being looked for is the absence or a lack of enforcement and ongoing monitoring of a series of protective measures. It’s against these measures that the effect of any coherent Insider Threat programme can be judged.
Although there are a series of measures, it is a continuous programme and starts with understanding why an organisation would be under threat in the first instance, who those threat actors might be and the capabilities they have. Not everything is hi-tech; the potential for information loss, for example, is set out in the RedLeaf Consultancy paper Six Ways to Lose Information.
3. Data Analytics – Enabling Predictions
Predicting when and where the next security breach might occur is difficult as each one can appear to be a random event. Although they can be, in the case of major breaches they probably aren’t, as the potential for compromise builds up over a period of time and is caused by multiple factors. One of those factors can be the lack of interpretation of data from individual sensors within electronic security systems.
Extracting data from electronic security systems probably doesn’t require the purchase of new equipment, but it does require understanding the capabilities of existing equipment.
Intruder Alarm sensors, access control readers, CCTV cameras and other electronic devices all produce information that can be analysed beyond the immediacy of operational events. As described in the RedLeaf Consultancy blog Access Control – It’s More Than Getting Through a Door, it is about the collection and interpretation of data.
The overall evaluation of that data, when combined with, for example, threat appreciation, changing business practices and emerging risks, enables a composite picture to be drawn up on how the controls are impacting on identified risks. This is not only used for compliance purposes, but when analysed can provide leading edge indicators on the effect that security is having.
4. Artificial Intelligence – Influence the Change
Artificial Intelligence represents a paradigm shift in how organisations will create and deliver their services, as it automates routine tasks, enables decision making, reduces costs and increases business agility. Within Physical Security, Artificial Intelligence seems to be characterised by its ability to analyse video images and bring potentially suspicious activity or people to the attention of operators. Although that might be the case, it is only enhancing controls on what should be a means by which risks are already identified and mitigated, rather than a fundamental shift in the product that Security is delivering.
ChatGPT has shown the democratisation of information; however, that is not the same as understanding or applying it.
The introduction of AI is an organisation-wide activity that should include Security on two levels. Firstly, there is a need to understand how it will impact on the product that Security is delivering. While Security might only be able to work at the same pace as an organisation, any interaction with ChatGPT will see the democratisation of information that it has brought and which can be transferred to the security domain. Departments could access information for their specific security needs, security policies and procedures could be revised automatically in light of emerging threats and integrating all forms of data into a rolling threat analysis could be possible, but would have to be explored.
Secondly, there is a need to evaluate the threats that exist and how they will evolve through the phases of design, implementation and ongoing use of AI. Even if an organisation does not engage quickly or effectively with AI, it does not mean that critical suppliers won’t be, with Security having to understand what risks, if any, are increased by them doing so.
AI is a new field that promises great potential but the risks have to be measured, with their impact and mitigation plans, if necessary, put in place.
5. Resilience – Bringing it All Together
The ability to prevent, adapt, respond to, recover and learn from operational disruptions defines Resilience, in what is becoming an increasingly important element of business operations. This is not only a reflection of the Covid-19 pandemic, but of the wider interconnected world in which organisations function.
While Resilience was not a role created for Security, it does reflect the work that Security should be undertaking as it enables an organisation to deliver its objectives. Although there might be a tendency to see security as bounded within a “perimeter fence”, it should be remembered that during the pandemic it was processes and information that were being protected, as people worked and continue to work from home.
The ability to prevent, or at least reduce the impact of any event, is grounded in understanding what it is an organisation delivers and how through multiple and interconnected layers of outsourced suppliers and inhouse resources it achieves that. This process will generate information on the relevant criticality of those resources and through an effective risk and governance regime, allow prioritisation of the controls to be introduced and maintained to mitigate and adapt as business risks evolve.
Security is a key player within Resilience, as it brings its core skills to bear in understanding threats, the ability to collect and analyse information as well as to undertake post incident investigations.
Even if an outage is ultimately generated by a security related event, it is unlikely that the response and recovery will be solely the responsibility of Security. In a cross-organisation response, Security provides critical input not only on the impact an event might have had, but on how an organisation-wide recovery might be affected by it. Operationally, one of Security’s core skills, the acquisition of information and the production of intelligence, as described in the RedLeaf Consultancy blog Intelligence – It’s All About Information, will be seen as essential in this phase; without it, decision makers may not have information on which they depend.
While recovery is important, so is learning the lessons, adapting and coming back stronger. Undertaking a Security Investigation as it digs into what happened and why, together with recommendations to reduce the possibility of reoccurrence, is the final phase in what can be months of work. At times, it is desirable to bring in an outside consultant to do that, not because the inhouse teams aren’t capable, but because it can be seen without question to be independent.
RedLeaf Consultancy – Advising Clients
RedLeaf Consultancy is a consultancy which is primarily concerned with advising clients on how security might impact on the risks that they have and from that generating solutions.
