Taking an integrated approach to security models

By Chris Maguire, Phoebe Armstrong

The threat landscape for all organisations in the public and private sector is becoming increasingly complex. The lines between security disciplines are being blurred as data and digital technology are used to enhance the physical realm, while people and their digital footprints open up new risks.

In a recent survey of UK citizens conducted by PA and Opinium, when asked about the biggest threats to national security over the next ten years, a third of respondents chose cyber attacks on critical national infrastructure – more than for any other threat (including terrorism, climate change, war, or future pandemics). Regardless of the type of threats, over half (55 percent) of respondents said the UK is less safe now than it was five years ago.

The traditional security model used by most organisations to protect their business and assets relies on separate functions for physical, cyber, personnel, information, and operational security. There have been many benefits to managing security in this way, including building communities of deep specialists who are highly capable of protecting the business and rapidly responding to tactical incidents. Often these security functions have been embedded in the part of the business they have the most affinity with, for instance physical security sitting within the facilities management team. Again, there are advantages to this approach in terms of easier cooperation with those who may need to be aware of and take action based on security threats.

But as threats have evolved, attackers are able to target vulnerabilities, transcending individual security disciplines, to create a larger effect. In a traditional approach, the information flows around security functions may be limited, so the full threat picture may not be available in one place and therefore learning from experience is less likely to be shared with relevant colleagues. Security data needs to be shared and analysed at the pace of relevance, something which is now much easier thanks to digital capabilities. But security organisations need to evolve to make the most of this opportunity.

How can security organisations protect against and pre-empt new threats through an integrated approach?

To respond to new threats, organisations should develop a more integrated security operating model that enables information sharing and coordination of actions. This doesn’t have to be a monolithic security function, and in most cases probably shouldn’t. Monolithic models risk diluting and suppressing the specialist knowledge that makes individual security disciplines so valuable. But straightforward actions can be taken to allow all parts of security to work together and achieve shared security outcomes:

Develop a single set of threat scenarios

Organisations can’t protect against every eventuality. Having a bounded set of scenarios will help focus the entire security effort on the most plausible set of threats faced. Scenarios should be descriptive and have enough detail to allow you to understand where the limits of that scenario are. They form the foundation of everything in a security model.

Agree a single set of design principles

Design principles are choices that steer how to build a security model. Principles for an integrated model will not be specific to a security discipline but should provide strategic guidelines that can be followed by all. For instance, you may want to set principles around how much security effort is in-house versus outsourced, the level of intrusion around staff and visitors that a security approach will entail, or the preference for overt deterrence versus more subtle detection and response mechanisms.

Have a more integrated Threat, Vulnerability, and Risk Assessment (TVRA)

Threat, Vulnerability, and Risk Assessments (TVRAs) are incredibly useful tools for understanding where risk sits in an organisation. If you build a TVRA using threat scenarios and consider the vulnerabilities and mitigations in place for all security disciplines together, it is much easier to understand how different security disciplines interact with each other. You can then make informed, timely decisions on which elements of your security model to dial up and down to give you the best protection using an aggregated set of data.

Build appropriate light-touch governance

Integrating your security model doesn’t need to create huge amounts of additional bureaucracy – you need just enough to keep the overall system aligned. Governance should focus on strategic decisions informed by your threat scenarios, TVRA, and design principles. The particulars of how those strategic decisions are then implemented should remain with individual security teams.

By taking an integrated approach, security organisations can more easily identify the best combination of actions to mitigate the threats they face. Doing this in a coherent way is also likely to identify cost savings through the avoidance of duplicated work and crisis management. However, depending on their own circumstances, they may want to explore more aspects of integration, including building a single portfolio of security projects and having an integrated testing and exercising regime. This can provide the assurance to board level sponsors that they genuinely have a coherent and effective security model.

Ultimately, a world of interconnected threats calls for joined-up, collaborative working across organisations and different elements of the security landscape. These four steps provide the foundations for successful integration, enabling security organisations to present a united front against shifting challenges.

About the authors

Chris Maguire PA security expert
Phoebe Armstrong PA security expert
