Linda Howson - Agile Physical Security And The Inevitable Paradigm Shift

Automatic Summary

Adapting to Rapid Change: Insights from Truman

As Truman has aptly suggested, the current time zone is irrelevant, as it is always a good morning, good afternoon, and good evening for learning something new. This article, penned by UK-born security research and development engineer Linda Hausen, looks into the world of risk and security. What began as an exploration into issues around security governance soon revealed that the biggest challenge was responding in a timely and effective way to the unknown and the unexpected.

The Only Constant in Life Is Change

"Do not resist change," says Heraclitus. As history shows, the only constant in life is change. With the global pandemic forcing many businesses to adapt, this notion is becoming an increasingly acknowledged reality. This shift has been a massive wake-up call for businesses, presenting varying challenges that range from unearthing new opportunities to simply ensuring continuity.

Business Change in Perspective

Netflix, once a DVD-by-mail service, switched to a subscription model, then to a streaming site, and now creates its own content, demonstrating that change is not new to the world of business. From a security perspective, this means constantly re-evaluating the risks associated with business choices.

The New Paradigm

The current world view suggests that constant change is now the norm. As such, risk and security professionals are faced with a predicament. To survive and manage change, they must avoid a survival-led approach and instead adapt and remain proactive. However, developing a new security strategy is often challenging and complex.

A Lesson from Weather Prediction

Weather prediction, as explained by Hausen, is an apt example of a complex environment that seems chaotic and unpredictable, but actually follows clear principles. Scientists create models and use accumulated data to predict the weather - an approach that can also serve as a blueprint for managing the challenges in the world of security.

Applying the Concept to Creating a Security Strategy

To create a similar model in the context of risk and security, think of your organization as a physical location. Allocate functions to specific spaces, identify roles and define the organizational structure. It is crucial to have experts that can bring this model to life by applying the details accurately to reflect the real situation and analyze the generated information.

The Power of Visualization

However, simply generating data is not enough. This information must be visualized in a way that stakeholders can understand and evaluate the areas that directly impact their roles. Visualizing the model fosters communication and collaboration, allowing for agility.

Making Informed Decisions

This approach not only clarifies the return on investment, but also provides the means to respond in a timely and effective way to the unknown, allowing companies to test, experiment and validate their decisions before making substantial investments.

Remember the Human Factor

Despite the benefits, we must also recognize that a model is a simplified version of reality and cannot foresee all outcomes. It is, therefore, essential to have a contingency plan ready. Quality personnel are the best asset in this dynamic environment.

Wrap Up

As Heraclitus once said, change is inevitable. However, if we accept this new paradigm and arm ourselves with the right tools and models, we can anticipate the unexpected and make informed decisions.

If you have any thoughts or queries regarding the concepts discussed, feel free to drop us a message. Here's to wishing you a pleasant read!


Video Transcription

I'm gonna make a start. So, as Truman has been known to say, depending on where you are in the world: good morning, good afternoon and good evening. My name is Linda Hausen and, as you can possibly hear from my accent, I am originally from the UK, but I live and I work in the Netherlands as a physical security research and development engineer at N A. At N A, we've invested a considerable amount of time and effort investigating the world of risk and security governance, and whilst we've identified and categorized many interesting issues, it became very quickly clear that the greatest challenge in the world of risk and security is being able to respond timely and effectively to the unknown and the unexpected.

I can get that slide to react. Yes, there we go. So explain this properly. Let's start with a quote to which we can all relate. Given the last 18 months, the following quote is from Heraclitus and it's perhaps the most relevant: the only constant in life is change. And it's perhaps rather ironic that since ancient Greek times, this quote has been replicated and regurgitated in numerous forms. But for many of us, it's only just becoming an acknowledged reality. The constant adjustment and consequential level of uncertainty is gradually gaining acceptance as the new normal.

After more than a year and a half of the pandemic, this extraordinary normality has created unprecedented changes for businesses. The challenges range from exciting opportunities to simply ensuring business continuity. But business change is nothing new. To give you an example:

Netflix. Netflix started in 1998 renting out DVDs by mail, for the people that can still remember DVDs. Shortly after, they changed from a pay-for-use model to a subscription model. Now, almost a decade later, they changed their proposition to streaming video content provider, and now they even offer original content. From a business perspective, this rate of change is pretty impressive. From a security perspective, this means constantly re-evaluating the risks associated with the business choices.

And this is all irrespective of the changes external to the business from social, economic and political environments. Consider now the effect that the pandemic has had on every single business, irrespective of size or market or geographical location. How many businesses can you think of that have held on to their original strategy and are still going strong after 18 months in the pandemic? The world of risk and security is experiencing an accelerated rate of change. And for some of this, the variability is challenging and captivating.

But for others, it's experienced as unstable and unmanageable. Now, inherently, humans seek routine. We all need some form of structure in order to cope with change. And this varies per person. If we have too much structure, we become bored and we seek change and excitement.

And if we have insufficient routine for our personal needs, then we experience stress and enter survival or firefighting mode. As with many professionals, having dealt with the inevitable firefighting required to address the initial pandemic situation, most security experts have spent recent months rebuilding structure and adapting and rewriting existing strategies and policies to cope with the new normal. But what is the new normal? Is our current situation stable enough to make predictions about the future, or should we embrace a new paradigm and accept that rapid change is the new reality? Now imagine we choose for a new paradigm and we accept the reality of constant rapid change. This demands a dynamic security strategy. Sounds logical, right? But let's first discuss how professionals deal with the current situation and create a new strategy. The allure of developing a new security strategy may seem attractive, but it is a lengthy and complex task requiring the generation, analysis and interpretation of huge quantities of data. The process involves many stakeholders, increasing the need for effective communication and collaboration, but this can be difficult, especially when stakeholders have conflicting needs and goals. In the real world, security professionals do not have the luxury of starting with a clean slate.

Instead, they inherit an existing operational situation, complete with history and associated baggage. Whatever the case, very often the essential reasoning driving choices and decisions is lost in the mists of time, leaving only the remaining operational processes and procedures behind. The connection between strategy and operations is gone.

And the opportunity for an agile approach is missed. The challenges involved in creating a new or modifying an existing security strategy and associated operational policies, processes and procedures doesn't pose a significant problem if the business and all the associated environments in which it operates never changes.

But as seen in recent times, Heraclitus has a valid point, and the real security challenge becomes apparent. So if we accept the new paradigm and the ever increasing rate of change, how can risk and security professionals avoid the survival firefighting approach and learn to adapt and remain ahead of the game? Now, fortunately, we're not alone in this dilemma. There are other problem domains with comparable characteristics that have tackled the issue and are making good headway. Think about weather prediction or stock market forecasting. I honestly don't know too much about the stock market. So let's discuss something that everybody likes to talk about: the weather.

Weather prediction is a really good example of a complex environment which on first sight appears chaotic and unpredictable, but in actual fact it behaves according to clear definable rules. The impression of chaos is generated by the interaction of a wide variety of influencing factors.

This is a level of detail that challenges human cognition. However, by creating a virtual model of the physical world and augmenting the model with details of the influencing aspects, it becomes possible to reproduce and even justify many weather situations. So once scientists begin to capture weather data and recreate the scenarios in which the data was generated, models begin to form that facilitate the understanding of how all the aspects interact and the consequential effect of that interaction. So imagine adopting the same approach. Let's create a model of your organization, starting with the physical location and structure. Your business model managers allocate functions to the relevant spaces and they identify the functional roles that operate in those spaces. The facility team adds building property detail and facility assets. Your human resources team define the organizational structure and connect actual employees to functional roles. The security and risk professionals specify the required security rules and roles and physical spaces, and detail the required countermeasures.

Now, having built your model, you can finally start to investigate how all the relevant aspects interact and influence one another. Now, this can be used, for example, to model the impact of threats and vulnerabilities to your business continuity. Alternatively, you can investigate business change ranging from downscaling to physical relocation. Now we have in fact created a platform to explore cause and effect. Now, before I get too carried away, you might stop me and remind me that whilst the weather report is often useful, it isn't always right. And this is because the predictions are entirely dependent on the quality of the model and the expertise of the person interpreting the information that it produces. This is why you need experts. You need experts to ensure that your model correctly reflects your reality. And you need experts to analyze and interpret the information that it generates so that it applies to your company and your problem domain. And if I'm going to mix my metaphors, Rome was not built in a day. This is an iterative process that starts small and builds over time. The gradual enrichment through the addition of layers of data and information and the interconnectivity of the layers increases the accuracy and the applicability of the model.

So let's return just for a moment to that really useful analogy of the weather. Despite the complexity and the immense amount of information and data needed to generate relatively accurate weather reports, it's really quite impressive that you and I are able to understand the analysis that is presented to us by our favorite weather reporter. They do this by creating a visualization of the results, the conclusions and the insights, so that we're able to understand the consequences of all the influencing aspects without having to know how it works or understand the underlying theory. And this is what makes a model an incredibly powerful tool. This approach is equally powerful for our security model. By visualizing the model output, it's possible to involve all key stakeholders in the analysis process. The virtualization reflects the reality, allowing the stakeholders to investigate the areas which are affected by their input and consequently identify where that information interacts with that of others. It's this confrontation that creates a solid foundation for communication and collaboration and enables agility.

So, as with the weather, it becomes not only possible to interpret the information but also provides the potential to predict and anticipate. By defining potential risk scenarios and playing these out within the confines of the security model, we gain further insights which allow the refinement of earlier choices and implementations.

Additionally, the model provides an environment in which we can visualize, test, verify and validate decisions before making any investments. This not only significantly simplifies the process of calculating the return on investment but also provides the potential to prepare and react to the unknown and the unexpected.

Now, as lovers of science and technology, we have no problem in placing our unconditional faith in science, and that's why it's really important to remember that the map is not the territory. The model is a simplified version of reality. It focuses on specific aspects that have been identified as important and relevant. So just as you cannot blame nature for not behaving according to the weather forecast, it cannot answer all questions or predict all outcomes. However, it is wise to accept the inevitability of change and, in doing so, arm ourselves with the tools to make informed decisions when the unexpected occurs. In military language, the model is a force multiplier. It places the emphasis very clearly on the human element in the equation. The security model can provide leverage, but the quality of your personnel remains your greatest asset, and even then we remain inherently human. So it's always wise to have a contingency plan. If we place this in context, I am dependent on the many weather apps on my telephone. And I often check the weather report before leaving home. When I leave the house, I still check the sky to ensure there's no conflicting evidence. But even if all the evidence points to a warm dry day and the sun is shining, having lived in northwestern Europe all of my life, I always bring an umbrella.

If you're interested in any of the concepts mentioned today and you would like to know more, please contact me. I'd love to hear from you. Send some messages in the chat. I'll answer directly, and I wish you a great woman tech event.