Can you manage cyber security with the Human Risks platform? The short answer is yes, and we are currently working on making it even better suited for that purpose. To make sure we do it right, we embarked on a mission to conduct a gap analysis and establish what our platform is missing in that regard. By speaking with different stakeholders across various industries, we managed to get a clear picture of different approaches, insights and opinions on how to manage information security well, even in cyberspace.
It turns out that the gap between cyber and physical security is not only not that significant, but sometimes it is not there at all.
Same same but different
Not all organisations manage cyber in the same way. There also isn’t one true level of detail that makes it right. As companies differ in size, complexity and budget, so do their security programs, including cyber.
Some global organisations in largely compliance-driven sectors, such as finance, need to go in-depth into the threats and/or assets and outline them with surgical precision. This grants a clear view of potential structural vulnerabilities and provides a deep understanding of relevant risks. The downside of this approach is, of course, the insane complexity of such a task. It is extremely time- and resource-consuming. Creating it is just step one; maintaining it and keeping it updated is, for most organisations, a task beyond their capabilities.
“Asset management is a red ocean”
– Senior Security Advisor at a cyber security consultant company
That is the reason why a more general approach will work much better for most. Instead of taking apart every single asset down to its core components, this approach focuses on making in-depth threat and impact assessments at a strategic level. Sometimes that can mean just focusing on the current mega-trends (such as ransomware or DDoS attacks) or conducting scenario-based risk assessments based on the critical systems.
Did someone say “framework”?
Business Impact Analysis, Continuity Plans, Crisis Management, Risk Assessment, Incident Reports – sound familiar? All those practices, tools and platform modules are used when dealing with cyber as well as physical security. Of course, the Assets, Threats and Treatments are going to differ, but the overall processes are almost identical. The approach can also be quite similar: it can be based on compliance, scenarios or impact. These similarities are good news: it will be easier to understand what the other team is doing and to find common ground for any potential inter-departmental discussions. It can also make coordination easier and more comprehensible, and will allow the teams to merge over time if necessary.
Word of the year: resilience
To manage information security, it might be best to simply not mind the gap in the slightest. Cyber and physical tend to overlap: why hack a computer when you can walk into a building and simply pick up some papers? And why go through a highly secure building if you can drop a USB stick in a parking lot and conduct a ransomware attack? To build real resilience and truly protect your organisation, you have to consider both physical and cyber security as well as proactive and reactive capabilities. Sometimes it is simply not worth separating the cyber and physical domains into two teams or looking at the risk management and business continuity management disciplines in silos. Having them work closely together in a unified framework and a shared tool is how one achieves true resilience.
So, what is the gap, really?
To sum up, the gap between cyber and physical consists of people. Everyone varies in knowledge, experience and technological background. The communication levels determine how closely those two are intertwined. However, the processes, systems and approaches tend to share a whole lot of significant similarities. The gap can be jumped over, and here at Human Risks, we are making sure that our tool can be the bridge that connects those two different security facets and disciplines, making organisations resilient on every level. We are progressing fast in our development roadmap and can’t wait to disclose more about our all-around resilience solution!