I had an interesting conversation last year with a data security consultant, Mark Turturo, CISSP. I have been working since then to better understand the mission of these professionals and their relevance to the physical security specialist. I operate in a business community dominated by ASIS-certified CPPs and PSPs and BICSI-certified RCDDs. Progress has been slow, but I am coming to understand how an ISC2-certified CISSP can impact security design and the role they play in vulnerability and risk assessment.
Examining Related Industries
I have spent an entire career learning how to design and deploy solutions that Deter, Delay and/or Detect physical access to a site or building. What I have come to learn is that this is only the beginning in the bigger picture…
In a Physical Protection System design capacity, I rarely thought to assess vulnerabilities introduced by the data infrastructure or the software application(s) supporting its functionality. The CISSP offers a perspective that evaluates these concerns and more. I spent 90 minutes discussing securing source code, data encryption formats, and not just identity verification but data source authentication. My head was spinning! Previously, my design concerns were focused on better integration and interoperability, and now I realize these are just a few of the coming challenges we will be facing.
This category of consultant pulls back the curtain and questions the secure nature of the platforms we physical security professionals regularly deploy without question. This idea of software and networks having a “back door” is scary stuff! I typically think of my greatest challenge as asset protection, but without data security ensuring the integrity of these systems… it all becomes irrelevant.
Fear Versus Awareness
Mark and I worked our way through data security concerns such as hackers capitalizing on network vulnerabilities and malicious code in firmware and drivers, in addition to core applications. My first thought as I was listening to Mark was, “this is too advanced for the average end-user”, but I am learning these attacks are becoming a common occurrence. As I evaluate the importance of the contribution offered to systems design by the information security consultant, it is becoming clearer… the physical security industry should be keenly aware of the influence this other discipline is having on our common clientele.

The typical security contractor still regularly deploys old card access credential technologies where digital identities can be cloned and where the data transmission can simply be intercepted and replayed to spoof a credential. There are technologies available today to eliminate these vulnerabilities… why isn’t the physical security community discussing these issues with clients? I understand these topics can cause fear in the user community, but isn’t it our responsibility to provide proper advice regarding the entire spectrum of risk and liability? If this does not become part of a physical security consultant’s repertoire… our relevance will be put into question.

Here is a great example… McAfee produced a white paper on proximity card vulnerabilities at: McAfee White Paper. Why does McAfee (an anti-virus developer) feel the need to be evaluating physical security credential technology?
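The interception-and-replay problem above comes down to what is actually on the wire. The following is an added example written for this post; it is not code from the original post, from Mark, or from the McAfee paper. It assumes two things the post does not name: that the reader-to-panel link is the common 26-bit Wiegand format (8-bit facility code, 16-bit card number, two parity bits, nothing else), and that the "technology available today" is represented by a generic HMAC challenge-response, which is illustrative only and not any vendor's protocol. The function names, the `ChallengeResponseCard` class and the captured frame are all constructed for the example.

```python
"""Added example: why a static card ID on a cleartext line can be replayed.

Assumptions (not stated in the post): the reader-to-panel link is the
common 26-bit Wiegand format (8-bit facility code, 16-bit card number,
two parity bits), and the "better technology" is shown as a generic
HMAC challenge-response, illustrative only, not any vendor's protocol.
"""
import hashlib
import hmac
import os


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Return the 26-bit frame a reader emits for this credential.

    Bit 1 is even parity over bits 2-13, bit 26 is odd parity over
    bits 14-25. Nothing here is secret: the frame is fully determined
    by the number printed on the card.
    """
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"
    even = str(payload[:12].count("1") % 2)
    odd = str((payload[12:].count("1") + 1) % 2)
    return even + payload + odd


def decode_wiegand26(bits: str) -> dict:
    """Parse a captured frame; a parity mismatch means a bad capture."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of 0/1")
    payload = bits[1:25]
    if bits[0] != str(payload[:12].count("1") % 2):
        raise ValueError("even parity mismatch")
    if bits[25] != str((payload[12:].count("1") + 1) % 2):
        raise ValueError("odd parity mismatch")
    return {"facility_code": int(payload[:8], 2),
            "card_number": int(payload[8:], 2)}


# A constructed frame standing in for bits tapped off the reader's D0/D1 wires.
CAPTURED_FRAME = encode_wiegand26(123, 45678)


def replay_wiegand(captured: str) -> bool:
    """Attacker re-sends what was tapped. True means the panel cannot
    tell the replay from the real card: same bits, same decision."""
    creds = decode_wiegand26(captured)
    forged = encode_wiegand26(creds["facility_code"], creds["card_number"])
    return forged == captured


class ChallengeResponseCard:
    """Illustrative credential holding a key; answers a fresh challenge
    with HMAC-SHA256(key, challenge || card_id). The key never leaves it."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge + self.card_id,
                        hashlib.sha256).digest()


def reader_verifies(card_id: bytes, key: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Reader side: recompute the expected response for its own challenge."""
    expected = hmac.new(key, challenge + card_id, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def replay_challenge_response() -> bool:
    """Attacker sniffs one full exchange and replays the response later.
    Returns True only if the reader accepts the replay."""
    card_id, key = b"card-0001", os.urandom(32)
    card = ChallengeResponseCard(card_id, key)
    c1 = os.urandom(16)
    r1 = card.respond(c1)
    if not reader_verifies(card_id, key, c1, r1):
        raise RuntimeError("legitimate session should verify")
    c2 = os.urandom(16)
    while c2 == c1:              # the reader issues a fresh challenge each time
        c2 = os.urandom(16)
    return reader_verifies(card_id, key, c2, r1)


if __name__ == "__main__":
    print("captured:", CAPTURED_FRAME, decode_wiegand26(CAPTURED_FRAME))
    print("Wiegand replay accepted:", replay_wiegand(CAPTURED_FRAME))
    print("challenge-response replay accepted:", replay_challenge_response())
```

The point a consultant can take to a client is visible in the two return values: the static frame is accepted on replay because the panel has nothing to check beyond two parity bits, while the challenge-response credential rejects the replayed answer because the reader's challenge changed. Cloning a card's stored ID defeats the first design the same way; it does not help against the second unless the key itself is extracted.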
I will be making this education a priority in the coming months. I am hoping to have my employer authorize trips to events such as the RSA Conference, Black Hat Briefings and ISC2 Secure events. I will be reaching out to more data security professionals and searching for convergence in our disciplines… actively looking for areas where we can find partnership in adding value for our common clients. It is my hope that strategic alliances will bring these two perspectives together.
A BIG thank you to Mark Turturo for a beginning education into his world! Douglas Levin is a consultant employed by ASSA ABLOY.
This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.