

Protecting Employee Data Is an Organization’s Legal Obligation, or Is It?

In today’s world, countless organizations fall victim to data breaches that involve employee data. In 2014, I was engaged to lead the remediation efforts of a data breach for a Pennsylvania-based client. Hackers gained access to the company’s employee payroll information, containing salaries, social security numbers and other Personally Identifiable Information (PII), through an insecure email system. It was crucial to develop and execute a corporate security strategy alongside the tactical tasks of remediating the breach.

During 2013 and 2014, infamous cyberattacks resulting in significant data breaches struck notable companies such as Target Corporation, Home Depot and JP Morgan Chase, along with many others.

The legal repercussions from those events set off an avalanche of employee and customer lawsuits. Many banks subsequently filed suits against the afflicted organizations, citing negligence and other allegations. Organizations did not view protecting employee data was…

The Great Security Divide

The global security landscape is, for the most part, divided between informational and physical. There are more examples than anyone can count of the conflict over how CISOs, in particular, feel about reporting to the Chief Information Officer (CIO). The Chief Information Security Officer (CISO) in most organizations has an inherent drive to secure the vital assets of the company, with regard to data in electronic form. Granted, electronic data can and has escaped from organizations in physical form. It is natural for someone to associate information security with technology, leaving the CISO to explain why it has a much broader scope. Perhaps the “narrow” CISO title is what hurts the profession, given the general perception within organizations and the industry that the Chief Security Officer (CSO) title is more attuned to physical security than to informational security. One has to play devil’s advocate, seeing security not from a CIO’s, CSO’s or CISO’s point of view but as the ordinary person would think of it.
Somewhere in our recent past, security diverged from its core roots, and that was in the age when electronic data emerged. Today we all live in that aura of information in electronic form, a vast explosion of innovation, yet security remains fundamental to human survival. Security ranges from the physical, like a deadbolt lock on your door, to protecting access to electronic data using specific credentials. Security is security, and that is the very reason it should not be divided between informational and physical but converged; with that convergence there would be no question, no hesitation, and no ambiguity.

History of Human Survival

From the beginning of mankind, security has been at the forefront, an essential practice for human survival. If one studies security from a historical perspective, the relationship is mostly between population and resource conflict. As population increased in early societies, pressure for self-sustenance often led to exploration, domination of vulnerable people, and exploitation. Does this sound familiar in the world we live in now? Key historical examples include:
  • Warfare Due to Population Pressures – One study theorized that the rise of the first states in Egypt, Mesopotamia, and Peru was linked to increasing conflict between neighboring villages. Once it was no longer possible for people in one area to cultivate enough land to feed their hungry, they attacked neighboring communities to acquire their resources. Indeed, an empty belly is a definite motivator to fight hard to survive. Neighboring communities waged war on each other as a consequence of limited resources. These conflicts led to the creation of hierarchical structures in early society: Darwinian survival of the fittest.
  • Stratification in Early Societies – This produced numerous effects, including the establishment of laws to assure peaceful coexistence. Among the many reasons were to stimulate commerce, to encourage specialized work, and to provide security for dealing with threats from external forces. Leaders of these stratified societies were likely to be those who could most effectively organize a community to fight ferociously at all costs and successfully thwart aggressors, or to lead offensive attacks against others to increase their resources.
  • The Haves and Have-Nots – Early societies grew into kingdoms, and later nations, merging as a matter of convenience to pool resources. The accumulation of wealth, influence and improved agricultural land made existence precarious, inviting attack by those who coveted such assets and resources. The fear of such attacks led to the evolution of defensive means to protect precious resources.
  • The Wall – A fundamental strategy was to implement physical barriers, such as the Great Wall of China and other fortifications, wherever possible to protect against external incursions. The Maginot Line built by France after World War One and the Berlin Wall erected by the Soviets are all remnants of the security infrastructures of bygone eras.

Security Divergence in the Information Age

Fast forwarding to the present, we find the defensive physical fortifications of the past reflected, with the same characteristics, in modern technology. We deploy devices such as firewalls to protect our data from intrusion; in the past, we built massive brick or concrete walls. Today we have IPS/IDS along with SIEM to guard against and identify incoming intrusion attempts; in the past, we had sentries guarding the physical walls. So why the divergence? Many feel it was an aspect of the cultural conflict between physical (mechanical) and informational (hi-tech). Turf battles ensued within organizations between technologists and physical specialists who did not understand their root similarities.
In most organizations, a remarkable “skills gap” compounds the divide. In a conversation over dinner, a security executive colleague of mine dramatized his reaction to that divide and his conviction about it: when technology catches someone trying to exfiltrate data in physical form, his immediate answer was to pass the baton and inform the physical security people to keep an eye on the specific individual(s).
In another example, one prominent colleague of mine described it best within his own company:
“Surveillance can be a completely separate animal from other security including and particularly cyber. The regulatory controls are very strict. For example, physical assets must have a minimum of two surveillance cameras covering them. If coverage goes down for any reason, those assets must be shut down until the cameras are back up. Failure to report outages, or to have outages and not shut down the assets will result in stiff fines. Most companies in this industry have switched over to digital systems. That also makes it easier for them to run their specialized software systems like facial recognition. The surveillance teams are very, very protective of their systems. I have seen cases where the CSO who owned all other physical security, did not own surveillance. The surveillance guys had their own independent fiefdom. It took the CISO there quite some time to convince the senior executives that he needed access to the surveillance network to test for vulnerabilities. It was imperative to ascertain if these systems could be breached, exploited, or otherwise manipulated by malicious actors and insider threats. Fortunately, the surveillance systems were an isolated, closed network but this was not confirmed until the CISO was able to conduct a security assessment. I don’t know if the CSO acquired control of the surveillance team or not.
As far as the rest of convergence, the CSOs and CISOs in my industry mostly work very closely together, as there are a number of issues and investigations where they support each other. The FBI field office supports two separate working groups, one for CSOs and one (Infragard) for CISOs. Also, the FBI sponsored Domestic Security Alliance Council (DSAC) allows two to three persons from certain larger organizations (I don’t recall what their revenue criteria is) to obtain or maintain a government security clearance, as part of the U.S. Government’s public-private partnership program. Usually this is one CSO and one or two from the CISO organization.”

CISO Reporting Structure Turf Battles

The “Great Security Divide” is written into federal law, according to discussions I had with prominent CISOs in the public sector. They point to FISMA, which legislates that the CISO must report under the CIO. Many NIST documents also state that the CISO reporting structure should be under the CIO. Diving deeper into FISMA and the workings of the federal government, I tapped into the experience of Bruce Brody, and in our conversation he explained:
“FISMA botched governance, but it did so for logical reasons (logical for the people who did it). The Clinger-Cohen Act gave specific authorities to the CIO as the single responsible and accountable IT executive in any agency. When Y2K was over, and Congress needed another act to beat up on the Executive Branch, FISMA was created, and the authors could not go back on their previous legislation, Clinger-Cohen, so they slapped a “senior agency information security officer” under the CISO.
The more senior and respected members of the Federal community now argue that putting the CISO under the CIO makes information security a “technology” issue rather than a “mission” issue. My prediction is that there will soon be a move to unshackle the CISO from the CIO.”
Bruce has published several articles, but two in particular, which dig deeper into the discord, are referenced here:
Another practicing CISO colleague of mine in the private sector pointed to the ISO 27001 framework, whose section 5 describes leadership responsibilities as a broad area that “hints” that the CISO role should be independent of the CIO. Taking it one step further, ISO 27001 addresses physical and environmental controls under the same framework, which demonstrates convergence.
The argument by many in the security industry that the CISO should not report under the CIO is a matter of conjecture. It does not hold water with many corporate board members; even the layman on the street feels that “Cyber-whatever” or information security is technology.
Corporations that adopted a role reversal, where the CIO now reports to the CISO, include the MITRE Corporation and Booz Allen Hamilton. This reversal does not diminish the conflict; it merely reverses it, and is arguably a knee-jerk reaction to the hot-button topic of cyber. In some organizations, the CISO reports not to the CIO but to other department heads.

The Reasons For Convergence

Discussing the views on convergence with three CEOs in a private and frank phone discussion, I explicitly asked each of them where the CISO, i.e., information security, should report in the organization. All said under the CIO. Taking a step back, I rephrased the question by taking information security out and focusing on one thing: “security.” One said he would merge both physical and information security into one department reporting to him, and the others followed in agreement.
Isn’t it obvious why “Cyber” or “Information” security is seen solely as a technological issue, and why nearly every corporate board member thinks that way? I see it as the root cause of the frustration that is ailing the industry.
It is far more logical to sell security as a complete package than to sell it piecemeal. Just as the chemical elements hydrogen and oxygen combine to make water, security by itself is fundamental and should not be confused with its physical and informational components.
It is also undeniable that merger advocates see physical and logical security as a big cost-saving step. But more than that, it is a natural evolution, as facilities maintenance, guard operations, door-access equipment and video cameras are increasingly IP-enabled. We all use a smart-card-based badge to access both buildings and computers. Resistance to convergence runs deep among physical security managers who fear IT departments taking control; others welcome the chance to learn more. In one of my examples, some CISOs voice concerns that it is risky, and strongly oppose the idea of physical security operations, such as video surveillance streams, riding on the same corporate IP network as the rest of the business. I must point out that the IoT (Internet of Things) forces convergence in a big way. Physical and logical security must work together more than ever before.
As a practicing security professional who has been in many organizations, the most compelling thing I found is that convergence makes a dramatic difference in the enforceability of security policies that otherwise remain unenforceable. For instance, one place where logical and physical security merge is the badge. It allows for instantaneous user lockout from both physical facilities and network IT assets, and it eliminates the latency between badge revocation and IT provisioning.
Other benefits include location-based authentication, ensuring that specific users accessing network resources in an office have actually entered the building or have not yet left it. A Network Access Control (NAC) policy can prohibit remote VPN access if that person is already in the building. The push for “Bring Your Own Device” (BYOD) and the IoT make that convergence imperative, by controlling endpoint security on physical devices.
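The badge-driven lockout, location-based authentication and VPN rule described above, as an added example that is not part of the original article: a small Python policy check that correlates constructed badge-reader events with constructed network-access events (all user names, timestamps and event kinds are made up).

```python
# Constructed sample events (not from the article), in chronological order.
# Badge events come from the physical access system; access events from
# the network (VPN concentrator and office LAN/NAC).
BADGE_EVENTS = [
    ("08:02", "alice", "in"),
    ("08:05", "bob", "in"),
    ("12:30", "bob", "out"),
    ("13:00", "carol", "revoked"),   # HR revokes carol's badge
]
ACCESS_EVENTS = [
    ("09:10", "alice", "vpn"),       # remote VPN while badged in: deny
    ("09:15", "alice", "lan"),       # office LAN while badged in: allow
    ("12:45", "bob", "vpn"),         # VPN after badging out: allow
    ("10:00", "dave", "lan"),        # office LAN with no badge-in: alert
    ("13:10", "carol", "lan"),       # after revocation: locked out
]

def badge_state(user, at):
    """Latest badge state for `user` at time `at`: 'in', 'out', 'revoked' or None.
    Timestamps are zero-padded HH:MM strings, so string comparison is chronological."""
    state = None
    for ts, who, event in BADGE_EVENTS:
        if who == user and ts <= at:
            state = event
    return state

def evaluate(event):
    """Converged policy decision for one logical access attempt."""
    ts, user, kind = event
    state = badge_state(user, ts)
    if state == "revoked":
        # Badge revocation locks the network account with no provisioning lag.
        return "deny: badge revoked, account locked"
    if kind == "vpn" and state == "in":
        # NAC rule: no remote VPN for someone already inside the building.
        return "deny: remote VPN while badged into the building"
    if kind == "lan" and state != "in":
        # Location-based authentication: office access needs a badge-in record.
        return "alert: office network access with no badge-in record"
    return "allow"

def evaluate_all(events=ACCESS_EVENTS):
    """Return (time, user, kind, decision) for every access event."""
    return [(ts, user, kind, evaluate((ts, user, kind))) for ts, user, kind in events]

if __name__ == "__main__":
    for row in evaluate_all():
        print(*row, sep="  ")
```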
And if the examples above are not enough, in law enforcement “smart guns” are becoming a reality: these weapons have authorized-user recognition that allows access to the gun only after proper authentication. Such crucial advancements in controlling who can use a firearm also have controversial uses in business and military environments.
Convergence of information and physical security is imperative, a natural progression that must be embraced by organizations globally. I see it as the cornerstone of global acceptance that security is security, standing indisputably as a fundamental part of any organizational environment and of what we practice in our personal everyday lives.