Are information security professionals missing a trick?
Penetration testing, hacking, digital forensics, security architecture, operational security, situational awareness, cyber-crime, risk management, identity management, PKI, platform security, NIPS, HIPS, etc.
These are all disciplines and components of the information security world that InfoSec professionals need to be aware of. However, it does not matter what list you create to represent our wonderful profession; it is not complete until you add physical security. Especially at the CxO level, physical security is a key component of your company’s risk management strategy, yet at the CSO level it is often overlooked and left to the security guarding company you have employed or the facilities management company that runs your building. Government has a reasonable grasp of physical security, for sure, and a military mindset means physical measures are as likely to be considered as technical ones (especially in deployed operational environments). But how do private companies, which are not typically security aware, fare? Not well, is the blunt answer. However, putting staff through appropriate Security Industry Authority (SIA) training is not expensive, a mere snip of the price of typical InfoSec courses, yet the resultant risk reduction through physical security awareness is invaluable. If you adopt an information security awareness programme, such as the Securing the Human course offered by SANS, you should complement it with a physical security course, which may lead to members of your team detecting rogue members of staff, the suspicious cleaner, or the shoplifters working as a team on the store’s floor plate.
When you look at the courses offered by industry bodies such as HABC, at first glance it seems as if they only target specific security roles, such as Door Supervisor and CCTV operator. However, the baseline course, Working in the Professional Security Industry (WIPSI), is actually a great introduction that delivers a solid level of awareness and comes with a Level 2 certificate to boot.
So, I recommend that CSOs consider such a course as part of the overall security awareness training programme for their organisation; the value for money is certainly extremely high.