Top 10 physical security considerations for CISOs

While chief information security officers (CISOs) are rarely tasked with the full range of health and human safety concerns that facilities teams or chief security officers must act upon, CISOs still have a huge part to play in enterprise physical security strategies from physical security systems that connects to IT systems to physical access to IT assets.

What is physical security?

Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. Though often overlooked in favor of cybersecurity, physical security is equally important, with estimates of its size as of 2023 of between $110 billion to $123 billion.

Why is physical security important?

Most modern physical security systems and controls are inextricably tied into IT systems — demanding cybersecurity oversight from the CISO’s team to ensure they’re appropriately hardened. This goes for everything from physical credentials and badges to video surveillance systems. But more crucially, physical access to IT assets can trigger a range of cyber incidents and breaches. As such, the CISO has a vested interest and is required by many regulations and standards to ensure physical security measures are taken to protect access to these assets.

“There is, by necessity, scope for CISOs in the physical world,” says Mike Pedrick, vice president of cybersecurity consulting for Nuspire. “The charge of the chief information security officer is to protect information in all forms, including physical media and the mechanisms by which digital information may be accessed.”

Now, this isn’t to say that CISOs should be put in charge of all physical security duties. While some smaller organizations may merge the CISO and CSO position or just place physical security into the CISO bucket, at many large organizations this just doesn’t work well. “If there are regulatory requirements or if it is a larger corporation, it may not make sense to combine the two teams as the responsibilities of the physical security teams may be greater than what cybersecurity can manage, such as a security guard force, executive protection, and so on,” says Max Shier, CISO for Optiv.

CISOs must collaborate with physical security teams

When merging duties isn’t the answer, then communication and coordination with physical security teams becomes crucial for CISOs to achieve their objectives, says Howard Taylor, CISO of Radware. This should sound familiar to many cybersecurity veterans who’ve been called to navigate dotted line relationships with everyone from product management to development teams to achieve goals in other areas of their cyber program. It’s no different here. “CISOs must collaborate with physical security experts in their planning processes for business continuity, disaster recovery, and facilities design and implementation. This includes securing physical access, network and data center assets, and power, as well as fire prevention and monitoring,” Taylor says. “In addition, security experts must work with the CISO to secure the implementation and operation of access and monitoring controls. This includes ensuring that cameras and surveillance images do not violate privacy rules and regulations.”

Regardless of the organizational structure, CISOs will need to work with facilities, CSOs and anyone else in charge of physical security to plan out measures that take the following crucial physical security considerations into account.

Top 10 physical security considerations

• Hardening IT facilities and data centers
• Day-to-day office facility concerns
• Blocking lateral movement in physical spaces
• Protecting assets in co-located and cloud facilities
• Physical-cyber connections OT environments
• IoT devices in far-flung locales need special consideration
• Locking down devices in a remote/hybrid world
• Integrated access control is ideal
• Securing surveillance systems and their data
• Ready access to surveillance data for investigation

Hardening IT facilities and data centers

Data centers, sensitive IT facilities and computer rooms in multipurpose office facilities are some of the most obvious areas where CISOs will need to focus their efforts to instill control over physical access to sensitive systems.

“A CISO should mandate access to all computer rooms be limited to only people who need access and enforce that contractors are escorted and never left alone in computer rooms. Access to computer rooms should be logged and reviewed daily,” says David Ortiz, CISO at Church & Dwight.

The measures taken should vary by facilities, scaling up or down based on risk, Justin Fier, senior vice president of red team operations at Darktrace, tells CSO. “Facilities that house critical information, like offices with sensitive servers, should have tighter security controls than facilities with less sensitive assets. CISOs must understand what data and resources are stored in which facilities, assess the risk these facilities pose if breached, and harden physical protections accordingly.”

Day-to-day office facility concerns

At the same time, even the most ho-hum office settings can be a target for a wily attacker looking for foothold into the corporate network. “Any network jack in a facility can be a potential entry point to the IT environment,” says Will Bass, vice president of cybersecurity at Flexential. “A CISO should be heavily involved in the physical security architecture and standards for all facilities, sensitive or not, to ensure that the right defense-in-depth measures are in place to prevent unauthorized physical access to the IT environment.”

Optiv’s Shier adds that even though remote and hybrid work has changed how workers perceive the office and may have lessened foot traffic into many facilities, CISOs should be overseeing some basics in physical security hygiene. “We still need to ensure we have adequate controls in the office for physical security,” Shier tells CSO. “Port security, wireless access point security, badge access controls, and cameras are all still relevant today and should not be overlooked.”

Blocking lateral movement in physical spaces

As CISOs review controls for physical security across their organization’s facilities, they should be mindful of how easily the attacker can move laterally across physical spaces and through different restricted zones. According to Alethe Denis, a senior security consultant for the red team at Bishop Fox, once an attacker manages to sneak their way into a building, warehouse or service yard, they’re often home after that unless proper measures are put in place.

“Once an adversary has obtained initial access to restricted areas, the likelihood that they will be challenged once inside diminishes dramatically as most people would assume they had been granted access appropriately prior to being allowed to enter any sensitive or restricted areas,” Denis tells CSO.

Just as an organization uses segmentation and zero-trust authentication to protect logical assets across a network, it should be challenging people’s access as they move across different physical spaces within buildings, with more stringent measures paced as they approach the most sensitive areas or rooms. “Ideally, badge access stairwells, badge access elevator areas, and elevator floor selection buttons, along with keenly observant employees who do not allow tailgating would prevent lateral movement and limit the damage an attacker could do following initial access beyond a public lobby or delivery area,” Denis says.

Protecting assets in co-located and cloud facilities

CISO oversight over physical security shouldn’t stop at facilities owned by the organization, either. Shier explains that CISOs need to consider how they’ll protect assets in co-located facilities or data centers as well. “Being in a facility with other companies’ assets requires individual racks to be secured and able to be controlled and audited through badge readers or other means,” Shier says. “Ensuring the data center has cameras, guards, and other controls in place will be extremely important as well.”

Additionally, even when physical handling of systems is completely abstracted away from the organization — as is the case for public cloud and SaaS resources — CISOs still need to be mindful of how the systems that house them are physically controlled,” Nuspire’s Pedrick says. “This does not absolve them of responsibility. If anything, it puts pressure on CISOs to understand the importance of contracts and service level agreements, and the value of third-party audit attestation.”

Physical-cyber connections in OT environments

In addition to worrying about how physical actions can impact the cyber environment, CISOs who work in organizations that manage critical infrastructure must also be able to flip that equation. In other words, they’ll need to consider how cyber activity could potentially adversely impact physical environments — be it a manufacturing assembly line, power plant or mining operation.

“Cyberattacks in industrial settings can pose a significant threat to physical safety,” says Almog Apirion, co-founder of Cyolo, which focuses on remote privileged access management in operational technology (OT) environments. “Malicious actors can infiltrate devices and disrupt critical infrastructure like water treatment plants or power grids, causing widespread harm to communities.”

With IT and OT environments so converged these days, CISOs must be mindful of physical to cyber connections in their facilities — even if they aren’t necessarily operating in an industrial business. Basic physical plant assets could be in play for a CISO if they can be controlled or managed remotely. “Unauthorized access to industrial machinery, like boilers or blast furnaces, can cause malfunctions that seriously injure workers,” Apirion explains.

IoT devices in far-flung locales need special consideration

Speaking of physical-cyber connections, one of the other physical security considerations that the modern CISO needs to take into account is the protection of IoT devices that are spread all over hill and yon.

“IoT devices are often exposed in a non-secure area, such as a security camera on the exterior of a building,” says Bass of Flexential. “Physical access to a device is a potential entry point, and preventing an IoT device from being used as an entry to an IT environment can be challenging and require unique defense measures.”

Additionally, like OT systems, IoT devices can often control essential functions in the physical realm. “IoT systems provide a bridge between information and action, making them an appealing target for physical attacks,” notes Taylor of Radware. IoT systems control cars, boats, airplanes, factories, elevators, etc. These devices must have internal monitoring capabilities to detect and prevent malicious actions, such as unauthorized software changes or virus infections. In the event that someone destroys the IoT device with a baseball bat, there must be a disaster recovery plan.

Locking down devices in a remote or hybrid world

The traditional ‘edge’ of the network has changed, so the CISO must consider the threat models and control measures that make sense for the business, its specific context and what is deemed an acceptable level of risk. The security stakeholders need to work closely with supply chain partners to ensure hardware integrity and educate employees on physical, personal and operational security best practices, as each has an impact on cyber security and vice versa.

Even as many workers are going back to the office, the post-pandemic realities of the working world have amplified the issue of very distributed devices. This means CISOs must expand their scope of physical security oversight of remote devices.

“The popularity of remote and hybrid work has made securing physical IT assets a growing challenge for CISOs,” Fier explains. “As employees are increasingly moving from location to location with their devices, there is greater risk of device loss, device misuse, and increased opportunity for threat actors. Additionally, as employees more frequently work from home, CISOs must address the issue of securing at-home devices — such as routers.”

Fier says the bad guys are catching on, referencing the recent Volt Typhoon campaign against small office/home office routers as an example of that. He suggests sending hardened devices to priority target individuals like C-suite executives and privileged administrators.

Integrated access control is ideal

While facilities teams are responsible for day-to-day administration of physical access control and building protection, CISOs should ideally be involved enough in the design to at the very minimum understand the status of entry points at each facility.

“A CISO should collaborate with physical security teams to understand the risk posture of a physical access control,” explains Ortiz of Church & Dwight. “This includes knowing if entry into a facility is monitored by a reception area or has badged access, if entry points into a facility are recorded using closed circuit TV (CCTV), if badge access and CCTV is logged and reviewed for suspicious activity, and if computer networking closets data center areas have additional access requirements.”

CISOs should also be offering input into design of these access controls and finding ways to integrate those into logical access as well, says Taylor. This coordination can greatly aid in investigations, as well as smooth offboarding of employees. “Physical access and logical access controls must work together, especially when credentials are lost or when an employee is terminated,” he says.

Securing surveillance systems and their data

Like with physical access control, the nuts and bolts of monitoring surveillance systems will likely fall outside the purview of the CISO, but they will usually have a vested interest in helping to design and harden these systems. CISOs are typically the domain experts on privacy concerns and regulation in an organization, so they will help advise on what can and can’t be filmed and how the data is stored.

“Given the varying privacy concerns, regulatory responsibilities, and other sensitivities that come with video surveillance, it is crucial CISOs play a major role in its management. It is essential that they collaborate closely with other relevant teams, like their legal team, to ensure their organization is aware of and complying with laws and regulations around video surveillance – which can vary from region to region,” Fier says.

Additionally, modern video surveillance is also a part of the IT environment — meaning that these systems are another cyber-attack surface for the CISO to worry about. “It’s common to find an office’s CCTV cameras connected into the main corporate network, both leaving them vulnerable to being watched by other users on the network but also by threat actors,” Jonathan Sword, director at Agility Cyber, explaining that this is why CISOs need to have input into the architecture of these systems.

Ready access to surveillance data for investigation

Finally, having ready access to the output of those surveillance systems is also an important consideration for CISOs and their incident response teams. Because some serious breaches can be the result of an initial breach of physical facilities, responders will need to be able to easily link activities in physical spaces with actions on logical systems. Camera footage can help bridge that gap.

“If there is an active incident during which data could be at risk, and camera footage may be critical to determining the current state of the incident, then the information security team should have the capability to review it if the physical team is unavailable to do so,” says Bishop Fox’s Denis.

Budget considerations will underly all decisions

Often the big limiting factors for CISOs in appropriately addressing all these physical security considerations are budgetary and clear ownership of responsibility. Denis says that CISOs can help gain credibility and esteem by taking a common sense, budget smart approach to their recommendations. This can best be achieved when they’re working closely with the CSO and/or facilities team — this coordination can also help delineate who is responsible for what so that nobody is stepping on each other’s toes.

“A vault door to secure a room made from drywall would be a poor use of budget, for example,” she explains. “In order to determine the best path forward, the CSO and CISO should create a list of goals and then their desires for physical security controls that would strike the balance between sensible and affordable.”