Physical security and cybersecurity have much in common — and digital threats these days often can have very tangible consequences on real-world environments. In response to the convergence of physical and cyber, some business organizations are merging these two security functions into a single, unified operation.
But not quickly enough, according to Cathy Lanier, senior vice president and chief of security at the National Football League. “I wish it was much more widespread, that there were a much larger percentage of ... corporations that have made this leap to integrate cyber and physical security,” said Lanier, speaking at the CyberRisk Alliance’s InfoSec World digital conference on Wednesday. “It's just a matter of time before people realize that this really is an important part of securing your organization.”
Lanier, who served for nearly 10 years as chief of the Metropolitan Police Department of Washington, D.C., before joining the NFL in 2016, explained why she migrated infosec responsibilities from the league’s IT department to the security department.
“It’s getting more and more difficult to define them separately these days,” Lanier said of physical security and cybersecurity, “because there are physical elements to cyber and there are cyber elements to physical. … There's no way to separate the two anymore. So to define them independently almost doesn't do justice for what it is that you're trying to accomplish when you provide security as a whole.”
Lanier said she believes one of the biggest barriers for companies looking to adopt a similar mindset and strategy is that personnel who are more familiar with either the cybersecurity or physical security side of the equation “don’t feel like they can do both.”
But security professionals and leaders cannot allow themselves to be intimidated by cyber, because digital threats are not going away, and they are only going to become more intertwined with the world of physical security. Likewise, cyber experts must be comfortable operating in the realm of physical security. “It's not that difficult to learn the physical requirements,” said Lanier.
“It's just kind of [about] moving those barriers that people get more comfortable with us.”
What everyone must understand, opined Lanier, is that “security is security,” and that dividing security into physical and cybersecurity is an antiquated approach.
“We speak the same language; we're all doing the same job,” said Lanier. “Nothing is going to be secured by a single layer, a single tool or single technology. Security must account for multiple layers of protection, but it always begins with detection, deterrence and prevention. … The goal is to make it nearly impossible for an adversary to succeed. So thinking of the physical layers and cyber layers is kind of ‘yesterday.’”
Speaking of her own experience at the NFL, Lanier said it wasn’t an easy task shifting cyber from IT’s domain to security. But it became necessary, she said, as the league kept rolling out digital innovations that introduced new elements of cyber risk.
“As you add layers of technology and you start integrating those technologies, your attack surface becomes larger and larger and larger,” said Lanier, noting the NFL’s “huge digital footprint.” But the lack of direct access to the cybersecurity team impeded her ability “to protect not only the operation itself, but to make sure that the integrations are done in a way that you don't have cascading failures.”
“So for me, it was a nonstarter: I had to have cybersecurity as a part of my team. … It took me a couple of years but I finally was able to get cybersecurity team working with me on our team and it really has been beneficial for all of us.”
To make this shift happen, however, Lanier had to earn buy-in from key members of executive leadership.
“It's a sales job,” said Lanier, who approached the NFL’s CISO and invited him to learn more about the league’s security team operations and its challenges. “This CISO was 100% for the integration [and] realized the urgency,” she said.
Lanier also worked with the in-house CIO to negotiate the terms of the move. “We communicated very well… there [was] no ego in the room,” she said. “We had to split up people who had multiple duties… but it was a decision that was necessary and everybody committed to it.”
Ultimately, creating a holistic security strategy that incorporates the physical and cyber domains requires evolving the way that organizations look at securing their environments, said Lanier.
“Security should not just be… guards, gates and guns. My job is to secure everything about the NFL, to protect the brand, to protect the reputation, to protect the intellectual property too,” said Lanier. “By integrating cyber with physical security, I can be much more effective at protecting all of those other things. … It's not just people, places and things. It is everything.”