Security Fears vs. Awareness

I had an interesting conversation last year with a Data Security Consultant, Mark Turturo, CISSP. I have been working since then to better understand the mission of these professionals and their relevance to the physical security specialist. I operate in a business community dominated by ASIS certified CPP’s and PSP’s and BICSI certified RCDD’s. There has been slow progress, but I am coming to understand how an ISC2 certified CISSP can impact security design and the role they play in vulnerability and risk assessment.

Examining Related Industries

I have spent an entire career learning how to design and deploy solutions that Deter, Delay and/or Detect physical access to a site, or building. What I have come to learn is this is only the beginning in the bigger picture…

In a Physical Protection System design capacity, I rarely thought to assess vulnerabilities introduced by the data infrastructure, or the software application(s) supporting its functionality. The CISSP offers the perspective that evaluates these concerns and more. I spent 90 minutes discussing securing source code, data encryption formats and not just identity verification, but data source authentication. My head was spinning! Previously, my design concerns were focused on better integration and inter-operability; now I realize these are just a few of the coming challenges we will be facing.

This category of consultant pulls back the curtain and questions the secure nature of the platforms we physical security professionals regularly deploy without question. This idea of software and networks having a “back door” is scary stuff! I typically think of my greatest challenge as asset protection, but without data security ensuring the integrity of these systems… it all becomes irrelevant.

Fear Versus Awareness

Mark and I worked our way through data security concerns such as hackers capitalizing on network vulnerabilities and malicious code in firmware and drivers, in addition to core applications. My first thought as I was listening to Mark was, “this is too advanced for the average end-user”, but I am learning these attacks are becoming a common occurrence. As I evaluate the importance of the contribution offered to systems design by the information security consultant, it is becoming clearer… the physical security industry should be keenly aware of the influence this other discipline is having on our common clientele. The typical security contractor still regularly deploys old card access credential technologies where digital identities can be cloned and data transmission technology can be simply intercepted to spoof credentials. There are technologies available today to eliminate these vulnerabilities… why isn’t the physical security community discussing these issues with clients? I understand these topics can cause fear in the user community, but isn’t it our responsibility to provide proper advice regarding the entire spectrum of risk and liability? If this does not become part of a physical security consultant’s repertoire… our relevance will be put into question. Here is a great example… McAfee produced a white paper on Proximity Card vulnerabilities at: McAfee White Paper. Why does McAfee (an anti-virus developer) feel the need to be evaluating physical security credential technology?

Where Next?

I will be making this education a priority in coming months. I am hoping to have my employer authorize trips to events such as: RSA Conference, BlackHat Briefings and ISC2 Secure Events. I will be reaching out to more data security professionals and searching for convergence in our disciplines… actively looking for areas we can find partnership in adding value for our common clients. It is my hope that strategic alliances will bring these two perspectives together.

A BIG thank you to Mark Turturo for a beginning education into his world! Douglas Levin is a consultant employed by ASSA ABLOY.

If you would like to discuss this, or other security topics, please contact him via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, or his Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.

About Doug Levin

Doug is a certified (PSP, AHC, LEED AP), experienced business development professional with a focus on the physical security industry. With a diverse background that includes delivering products & services through multiple channels (manufacturing, distribution, specialty & general contracting), he brings a broad industry perspective that adds greater value for his clients. Having decades of experience with sales engineering and design-build of low-voltage automated systems, he also offers a strong emphasis on technical knowledge and consulting services. His career has included responsibility for: profit & loss, operations and sales management with front-line experience in estimating, sales/marketing, project management and developing security design documents & spec writing.
This entry was posted in Cybersecurity, Data Security, Physical Security, Technology.
