Traditionally, those responsible for managing their organization’s security operations were primarily concerned with the physical—that is, safeguarding employees, overseeing security guards and protecting physical (and some digital) assets. Known today as chief security officers (CSOs), their remit has greatly expanded and continues to do so given the current unpredictable and fast-paced business operating environment.
Here we take stock of the current state of physical security, including how our hyperconnected global world is transforming the CSO role into one that is more digital, increasingly linked to the chief information security officer (CISO), and more visible to senior management and the board.
What’s driving the current state of physical security?
Economic instability and geopolitical disruption. Steep increases in severe weather, lingering post-pandemic effects and a security talent shortage. All have created a larger attack surface and thus new challenges for CSOs who, with fewer resources, are feeling the pressure to do more with less.
Long-term effects of COVID-19
The COVID-19 pandemic drove some of the most visible changes to the CSO role, starting with a nearly overnight switch to remote work for a majority of employees. Security teams were responsible for getting devices to employees spread across multiple locations, while ensuring company data remained secure in a variety of physical environments.
What’s clear post-pandemic is that protecting a dispersed workforce is now the status quo for CSOs and their teams. According to McKinsey’s The State of Organizations 2023 report, “90% of organizations have embraced a range of hybrid work models that allow employees to work remotely from off-site locations.”
Ensure you can answer the following questions to protect a dispersed workforce:
- Do I know where my data is and how it’s being accessed? What controls do I have in place?
- Do I have enough resources and readiness to discover risks, so that appropriate remediation can occur quickly and effectively?
- When a potential threat or crisis arises, do I have the tools and processes in place to quickly identify and notify affected employees and confirm their safety—whether they are working from home, in the office or at a remote location?
More frequent and severe weather
Climate change is leading to more extreme and severe weather around the world, creating a “new normal” for weather events, according to the World Meteorological Organization. In the U.S. alone, damages from 2022 weather and climate disasters totaled $165.1 billion. That same year, 10 climate-fueled extreme weather events—from flooding in China to a drought in Europe—caused more than $3 billion worth of damage per event, according to the World Economic Forum.
This puts more pressure on—and makes it more difficult for—CSOs to prepare for such weather extremes. They must continuously work to stay ahead of severe weather and determine how an event, like a typhoon, forest fire or flood, might impact employees, customers and business operations. As such, CSOs are increasingly focused on crisis management, business continuity and overall business resilience.
Make sure you understand what your organization’s weather exposure is and that you’re taking into consideration key questions such as:
- What is the criticality of operations at sites that are vulnerable?\
- Are the elevation levels of our buildings above flood risk zones?
- Do we have established relationships with the right external partners, such as emergency services and disaster relief organizations?
- Do we have the real-time information needed to stay ahead of and respond to the risks and impacts of extreme weather?
Russia’s invasion of Ukraine—deemed the “defining security issue of 2022”—has placed a larger spotlight on the global reach and ramifications of geopolitical events. Much of the coverage on the conflict focused on cyberwarfare, but Russia’s attacks on Ukraine’s on-premises networks and critical energy and communications infrastructure were just as significant. The latter had knock-on effects around the world, including significant supply chain disruptions.
Or take for instance, what happened in April 2022 when former U.S. House Speaker Nancy Pelosi visited Taiwan. The geopolitical tensions over her visit sparked Chinese military exercises that resulted in the cancellation of over 400 flights and the closing of several shipping routes.
CSOs will need to keep a close eye on the potential impacts of such geopolitical events including competition between the U.S. and China, dissemination of misinformation and country-specific regulations on internet and platform usage.
The uptick in geopolitical events and the ongoing Ukraine-Russia conflict can cause CSOs to operate in a constant state of permacrisis. International SOS recommends CSOs learn to move beyond that and instead focus on being more resilient.
Security talent shortage
Finding (and retaining) qualified security experts has become increasingly difficult for CSOs. More than half of security leaders surveyed for the Dataminr-commissioned Strengthening Business Resilience report cited a lack of resources and talent as having the most negative impact on their security operations and business resilience over the last 12 months.
Even when filled, in-demand security roles have high attrition as security experts jump from company to company. Some of this can be attributed to the “great resignation,” which saw a flux of people—not just security professionals—leaving jobs. But there is also an ongoing trend of security employees trading their full-time positions for consulting roles.
Survey respondents also cited a lack of funding for security operations as a major challenge. Less budget means it’s harder to hire people with the right skill levels. And if employees don’t see enough growth, they are likely to leave. When combined with the general dearth of security talent, CSOs are facing a perfect storm of talent challenges.
As an alternative to increasing budgets to retain talent, consider moving from a capital expenditure model to an operational expenditure (OpEx) model. One key benefit: It opens up options for outsourcing security operations—reducing staffing concerns, minimizing large capital investments and lessening the need to constantly upskill talent. Also vitally important is employing the tech needed to extend and bolster the capacity of your security teams by making them more productive.
Cybersecurity moves into the CSO purview
Cybersecurity is far from new, but it has emerged as a significant driver of change for CSOs. This is because the digital and physical worlds are now more connected than ever. Take for example, industrial control systems (ICS), assets that solidly fell into CSOs’ purview. Originally designed to be offline and deployed in isolated networks, millions of ICS have gone digital and are now high-value cyber targets.
The Strengthening Business Resilience report also found that physical security professionals cited cybersecurity as a top challenge to managing employee and visitor safety—a key finding given that a significant part of CSOs’ remit is to protect the people their organization employs and serves. Yet only 36% of leaders surveyed said they are looking to invest in cybersecurity-related tools to improve their physical security environment in the next 12 months.
This indicates the need for CSOs and their teams to take additional measures to incorporate digital security tools and strategies into their security operations. It also shows that CSOs and their teams can no longer operate in their physical security silos. They must now ensure they are closely connected to and collaborating with their digital counterparts: Chief information security officers (CISOs) and their teams, who are responsible for overseeing a company’s cybersecurity, which has various subsets, e.g., IT security and Internet of Things (IoT) security.
According to Gartner this includes “optimizing cybersecurity to levels that business leaders define, balancing the resources required with usability/manageability and the amount of risk offset.”
The convergence of cyber-physical risks
One of the primary reasons cybersecurity is spilling over into the CSO purview is because of the recent increase in cyber-physical security convergence—where an attack in either the cyber or physical domain creates a threat in the other. For example, if a wildfire cripples mission-critical equipment or a cyber attack on a factory’s operations technology stops production.
Traditional organizational hierarchies have spurred silos between the CSO and CISO, which means their teams may not be set up to readily and efficiently share information in the event of a cyber-physical attack.
It’s incumbent upon today’s CSOs to create an intentional partnership between their team and their cyber counterparts as they both have the same goal: Protecting their company’s employees, assets and brand.
- Break down team silos, for example, by building a shared culture, and close critical skill gaps
- Understand each other’s responsibilities and challenges
- Work together to plan for future cyber-physical threats
- Employ real-time data to ensure you can stay ahead of cyber-physical attacks
Learn More: Are You Prepared for a Cyber-physical Attack?
The future state of CSOs
Given the new challenges and expanded responsibilities of CSOs, it’s vital that they position themselves as strategic security leaders critical to the safety and operations of the business. While security teams are not revenue driving, they are responsible for helping to ensure the business is resilient and for mitigating risks and responding quickly to events, which can impact the bottom line of a company if done poorly.
This means CSOs should know how to effectively communicate with senior management and the board as well as key business partners such as heads of HR, communications and operations. For example, when communicating with the C-suite they should, via a high-level summary, articulate the business outcomes and risks associated with security.
During an actual risk event, they should expect and be prepared to answer a plethora of questions such as: How did this happen, what went wrong, is this a direct or indirect risk to the company, and what are we doing to mitigate risks. With today’s uncertain and unpredictable climate, nearly all CSOs will eventually find themselves in that position.
While we don’t yet know how the CSO role will continue to evolve, it’s important to consider the possibilities, like whether the differences between CSOs and CISOs matter and what new organizational models can best support the strategies needed to address current and future security challenges. Whatever the outcome, it’s evident that the CSO’s number one objective will remain the same: To help their organizations keep pace with new and emerging risks—and ensure the business is resilient enough to withstand them.
Learn how Dataminr Pulse for Corporate Security can help. Its end-to-end solution has the real-time information and integrated tools needed to plan for and respond to risks and crises faster and more effectively.