The Tech Factor

Dec 1, 2004 12:00 PM, By Bill Woloch



Billions of dollars are spent each year on technology used to protect people, assets and facilities, and yet security failures occur daily. Technology and security have been converging for decades, with a direct impact on risk management at the top of the organization. Technology can bring new capabilities — and vulnerabilities.

To understand the impact technology has on risk, it is important to understand what happens when technology is added to a physical security program. One must understand the difference between static and dynamic security systems, take into account the weaknesses inherent in any security system and, most importantly, understand the effect technology has on risk and on the internal controls that support security.

Static and dynamic security systems

Security systems can be classified as either static or dynamic. Dynamic systems are adaptable, flexible, resilient and elastic. They rely less on technology and more on people.

Dynamic systems do not need additional programming and new equipment each time the threat or situation changes. They are nonetheless the most expensive to operate, because people are not cheap. Technology should be viewed as an enabler of dynamic systems, not a replacement for them.

Static security systems can be characterized as rigid and difficult to modify. A concrete barrier or gate, once installed, can change little in response to changing threats.

The same holds true for technology. Software and hardware upgrades come out periodically, yet the threat is constantly changing.

Technology cannot make decisions in the context of a threat situation. People can. Yet organizations spend millions of dollars on technology-based security solutions, only to discover they still have vulnerabilities.

Used properly, technology closes vulnerability gaps by enabling people to do their jobs more effectively in protecting assets. How many terrorists or criminals are located and captured by technology alone? It is the people who use the technology who protect us against these threats.

Security system design

All security systems have weaknesses. When technology is introduced into a security system, its weaknesses become much harder to discover and protect against. User interfaces hide the complexity, and the vulnerabilities, of security technology solutions.

Technology promises to enable, yet physical security is designed to deter — quite a paradox.

Designing a security system requires testing it against a range of threats to find vulnerabilities. That testing should be repeated each time a new component is installed, and before a threat strikes. Testing reveals how the system fails, and adjustments are made to cover the weaknesses it exposes. Complex systems are less likely to be tested fully, however, so a new component can leave the system less secure than it was before the component was added.

For instance, prisoners sit in their cells all day, every day, using plastic utensils to work on door hinges, locks and anything else they can find. They have the time and opportunity to probe every component of the cell and attempt to defeat it. Modern prison cell construction answers this with pre-cast concrete, doors with minimal clearances and tempered steel.

The same holds true with technology. The difference is that prison cells can be inspected daily, while tampering with technology, a.k.a. hacking, is much more difficult to discover and defend against. User interfaces designed for ease of use can hide the complex systems underneath.

Testing for vulnerabilities in technology-based security solutions is minimal at best, unlike, say, the testing done on a bullet-proof vest. Prototypes and production units of a vest are first tested in labs that replicate real-world conditions, and then by actual use in the field. When a new technological tool is developed, on the other hand, it is tested only in the client's labs, and very few end users continue to test it once the solution is implemented. This lack of field testing leaves vulnerabilities unknown to the client open to exploitation.

Security systems can also fail at the edges. The edges are where different security system components meet each other: a blind spot between two cameras, for example, or the seam between an access control system and a human resource database, where a badge can stay active after its holder has left. Technology-based security systems can also be attacked successfully simply because they are widely deployed. Once attackers find a vulnerability in a popular security tool, they can exploit the same vulnerability against hundreds of companies that use the same tool.
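The access-control/HR seam described above is one edge that can be checked mechanically. The script below is an added example, not code from the original article or from any vendor: it reconciles a constructed HR roster, a constructed badge table and a constructed swipe log, and flags badges with no HR owner, badges still enabled for terminated staff, and access granted after a termination date. The column layout, the field names and the sample records are all assumptions made for the example.

```python
"""Reconcile an access-control system against the HR roster.

Added example (not part of the original article). The three data
sets below are constructed sample data; their column layout is an
assumption for the example, not any product's real export format.
"""
import csv
import io
from datetime import date

# Constructed HR roster (assumed columns): employee id, name, status, termination date.
HR_ROSTER = """\
emp_id,name,status,terminated
E100,Alice Ng,active,
E101,Bob Ruiz,terminated,2004-11-10
E102,Carol Diaz,active,
E103,Dan Oyelaran,terminated,2004-11-28
"""

# Constructed access-control credential table (assumed columns).
BADGES = """\
badge_id,emp_id,enabled
B1,E100,yes
B2,E101,yes
B3,E102,yes
B4,E104,yes
B5,E103,no
"""

# Constructed badge-swipe event log (assumed columns).
EVENTS = """\
timestamp,badge_id,door,result
2004-11-30T08:02:00,B1,lobby,granted
2004-11-30T22:41:00,B2,server-room,granted
2004-12-01T07:55:00,B4,loading-dock,granted
2004-12-01T09:10:00,B5,lobby,denied
"""


def parse(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, badge_text, event_text):
    """Return (finding, badge_id, emp_id) tuples for gaps at the HR/access-control seam."""
    hr = {row["emp_id"]: row for row in parse(hr_text)}
    badges = parse(badge_text)
    events = parse(event_text)
    findings = []

    # Pass 1: compare the credential table against the roster.
    badge_owner = {}
    for badge in badges:
        badge_owner[badge["badge_id"]] = badge["emp_id"]
        emp = hr.get(badge["emp_id"])
        if emp is None:
            # Credential exists, but HR has never heard of its holder.
            findings.append(("no_hr_record", badge["badge_id"], badge["emp_id"]))
        elif emp["status"] == "terminated" and badge["enabled"] == "yes":
            # HR terminated the person, but the badge was never disabled.
            findings.append(("active_after_termination", badge["badge_id"], badge["emp_id"]))

    # Pass 2: look for successful entries dated after the holder's termination.
    for event in events:
        emp = hr.get(badge_owner.get(event["badge_id"]))
        if emp and emp["status"] == "terminated" and event["result"] == "granted":
            terminated_on = date.fromisoformat(emp["terminated"])
            swiped_on = date.fromisoformat(event["timestamp"][:10])
            if swiped_on > terminated_on:
                findings.append(("granted_after_termination", event["badge_id"], emp["emp_id"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, BADGES, EVENTS):
        print(*finding)
```

Run against real exports, the same three checks give a daily answer to the question the article raises for static components: whether the gate is still guarding what the people on the roster say it should. Badge B5 in the sample is the correct case, a terminated employee whose credential was disabled, and produces no finding.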

Well-designed security systems center on people and use technology to maximize the value people provide, while adding as few of the technology's own vulnerabilities as possible. A wall or locked gate will not stop threats by itself; it is the people behind them who are the deterrent.

Impact on internal controls

All of the factors discussed, such as system design and the choice between static and dynamic security systems, greatly affect an organization's ability to protect itself. The factor most often overlooked when adding new technological components to a risk management and security program is their impact on the internal controls that support them.

Internal controls can be defined as mechanisms used by organizational leaders to convey strategy, vision and desires to the rest of the organization. They exist in the form of standards, policies, procedures and rules.

Proper internal controls allow the organization's risk management support functions to work effectively and in harmony. The CIO's security staff should specify, test, install and support the physical security department's IT components, to ensure that new technology tools are adequately tested and that due diligence is applied to securing them. This may include a two-man policy for ordering, installing and upgrading physical security IT components. Additional vetting of the IT personnel who support the physical security department and other risk management functions may also be a reasonable standard.

When adequate internal controls are in place, dynamic systems are the most effective method of addressing threats. They may also be the most expensive, and focusing only on costs and the bottom line can doom a good security system. When internal controls and the resulting policies and procedures are too rigid, dynamic systems begin to behave like static systems, rigid and unchangeable, leaving vulnerabilities unprotected.

These questions should be asked:

  1. Are alternate security controls in place in the event of a security system failure?

  2. Has risk analysis been performed prior to the approval of design specifications for new security-related computer systems and equipment acquisition and/or installation?

  3. Are there readily available written procedures providing instructions as to required actions in case of an alarm or equipment malfunction or suspicious activity?

  4. Has testing been performed on the technology components of security systems to identify the vulnerabilities that appear when those components fail?

  5. Do current risk and security policies center on people and not technology?

The list of questions goes on. The point is that organizations should perform the same level of due diligence when introducing technology into their operations as they would for a new employee or a critical asset. Fine-tuning internal controls often accomplishes more than adding a new technological solution.

Physical and logical security have common processes and procedures, yet few organizations have a pathway to the symbiotic relationship between the two that is needed to meet new threats.

Convergence offers that roadmap: a total-security, or holistic, approach to risk management. It is an evolution that becomes more important to organizations each day. The risk management components of physical security and technology must be treated like financial assets, with due diligence performed to locate the vulnerabilities of new technological components before they are fully implemented. It is important to address the issue as soon as possible, and to make a conscious decision to look at risk and security from a holistic point of view.

About the author

Dr. Bill Woloch has 26 years of experience in risk management, starting as an architect in the U.S. Air Force. Working for the Joint Chiefs of Staff, he assisted in the design and construction of four air bases in Saudi Arabia. He currently consults and speaks on the impact that the convergence of physical security and IT has on risk management.

© 2012 Penton Media Inc.
