From the Fall 2017 Issue

Security by Design

Jeff Spivey, CRISC, CPP, PSP
Ret. CEO | Security Risk Management, Inc.

A holistic “life cycle” perspective is to prioritize security risk levels of security for the proper governance and management of all security.

The future is already here — It’s just not evenly distributed yet.  William Gibson, Neuromancer

The complexity of protecting our personal and organizational value is increasingly difficult to navigate.  Similarly, threats come from so many directions that attaining awareness of important security risks to the business is challenging. An incomplete understanding of how dependent security components are on each other, results in a clouded, partial and inaccurate view of risks and risk management.  As a result, governance and management is less effective, leaving vulnerabilities unaddressed, some of which may be existential in nature.

It’s a Trust Issue

Enterprises are finding it increasingly difficult to trust their security organizations.  In part, this is an integration issue.  Security entities are often siloed from the rest of the enterprise and operate without sufficient oversight from senior management.  There are often incomplete or unvetted security processes that provide, at best, an illusion of security while permitting risks to continue unmitigated.

As a result, the enterprise loses trust in its information systems and doubts the value added by security organizations and activities.  Since the value add is unknown or doubted, security budgets are often deficient, and the security organizations lack the capability to provide the protection necessary to enable the enterprise’s goals and objectives within an acceptable level of risk.

It’s a Governance Issue

Value creation for business and government is increasingly dependent technology that connects and digitizes an analog world.  Over time, the volume and velocity of new technology adoption increases to the point where it overwhelms existing vetting, governance and management structures.  Despite good intentions, new governance and management structures often remain immature and, occasionally, unused due to the pressures of new technology integration.

Business risk therefore increases exponentially in both magnitude and scope.  The problem is compounded by security gaps where protections and controls were either forgotten or never considered. An organization’s failure to understand the complete security risk life cycle as applied to all its activities, assets, employees and devices produces vulnerabilities without the required risk acknowledgement.

The absence of structured, continually updated security risk governance, resulting from a lack of  holistic and integrated security risk assessment results in reliance on guesswork and personal relationships within an ever-changing staff to hold the security risk management framework together.  This ad hoc security risk management creates an inconsistent and insufficient protection regime that is siloed and out of step with the larger enterprise.

Despite good intentions, new governance and management structures often remain immature and, occasionally, unused due to the pressures of new technology integration.

There are dependencies that such a siloed approach simply ignores.  One of the dependencies is the interdependence of cybersecurity and physical security:

  • Cybersecurity is dependent upon physical security providing access control and surveillance.  With respect to information security, physical  access control covers data closets,  the data center and any place where network connections are accessible.   Access control also means maintaining control of all sensors and tokens used to gain physical  access to enterprise facilities.  This includes ensuring that employee records are current and auditing access control logs.  Physical security then controls physical access to connected devices, mitigating an important cybersecurity risk. Cybersecurity functions are thus dependent on physical security.  Despite this, in many organizations, the physical security department reports to the facilities or real estate department (whereas cybersecurity reports to the Chief Information Officer (CIO) or the Chief Information Security Officer (CISO)).   Between physical security and cybersecurity there are separate processes, reporting lines governance structures, management structures, metrics, goals and audit structures.  These silos create inconsistent recognition of security related risks and hide important risks that could be catastrophic to the enterprise.
  • Physical Security is dependent on a robust and reliable information technology (IT) infrastructure to communicate access control data and surveillance information. Physical security also includes the Internet of Security Things (IoST). IoST is the domain concerned with the protection of connected devices and networks. These may include:
    •        Cameras at remote sites that are connected by WiFi or hardwire to the corporate network to stream video to a Security Operations Center (SOC).
    •           Intrusion or burglary alarm system.
    •           Sensors, such as beacons that provide security information for the access security triad (i.e., control, surveillance and territoriality).

A specific example of the threat’s possible impact is when Jason Ostrom and Arjun Sambamoorthy confirmed how to hijack network connections to various common video surveillance systems and extract, record and replace video on their servers, providing attackers a way to replace video of a physical intrusion with looped video showing no intrusion1.

“Security by Design” is security “on purpose” and focuses on early warning and prevention instead of remediation and restoration after a breach or other security incident.   An effective security risk management approach demands a complete life cycle perspective to maintain appropriate levels of security.  Facing uncertainty, all security risk management stakeholders should turn to a framework of governance, risk and compliance combined with enterprise risk management (ERM).

Security by Design ensures that security risk governance and management are monitored, managed and maintained on a continuous basis.

Security by Design: Holistic Security Contributes to Organizational Health

Instead of letting an evolution of good and bad security solutions occur by chance, enterprises are advised to take a step back and create a roadmap for managing all of the organization’s security risk.

The security life cycle is comparable to the product development life cycle, in that it starts at ideation and culminates in delivery and support.  Security by Design ensures that security risk governance and management are monitored, managed and maintained on a continuous basis.

The value of this “holistic” approach is that it ensures that new security risks are prioritized, ordered and addressed in a continual manner with continuous feedback and learning.  It ensures that all stakeholders know what to expect and when, with respect to who is doing what and when.

Security by  Design requires the user of a proven operating framework, such as COBiT or NIST (Special Publication 1800-5b) combined with ISO 31000 to combine security controls with a robust risk management program.

Core Principles for Security by Design include:

  • A common governance, management and operational framework for all stakeholders.
  • An integrated knowledge management system that is available to all stakeholders that manage any security risk for the organization.
  • Integration of security with the organization’s ERM.
  • Ensuring that the enterprise risk manager creates a reliable risk data management and prioritization mechanism.
  • Establishment of risk taxonomies, heat maps or other templates for documenting and reporting risk and mitigation efforts.
  • Achieving consensus as to the controls required for security risk management.
  • Integrated real time risk situational awareness that includes:
    • risk categories dynamically designed and catalogued,
    • risk owner name, organizational hierarchy,
    • definition of risk to the business/organization, and
    • risk metrics for all using a common language. The risk metrics include:
      • Risk dependencies and notifications to owners of dependencies, upstream and downstream,
      • Impact to the organization,
      • Likelihood or probability of risk occurring,
      • Alignment of security risk metrics with organization risk measurements,
      • Relation of technical risk to other risk types or dependencies, and
      • Responsibilities for cross functional security risk management.
    • Agreed upon internal and external audit mechanisms and interactions with all stakeholders to:
      • Ensure understanding of security and controls in a dynamic field. Use and agree to samples from audit of NIST Special Publication 1800-5b, ISO 31000 and COBiT 5.
      • Ensure all relevant stakeholders are members of the enterprise security governance group.
      • Ensure management has given clear direction for all security responsibilities.

The value of this “holistic” approach is  that it ensures that new  security risks are prioritized, ordered and addressed in a continual manner with continuous feedback and learning.


All security risks are not equal and should not be governed, managed or resourced to the same level.  It is essential for enterprises to acknowledge the importance of creating a shared understanding of security related risks and be able to assign priorities based on each risk’s impact and potential for mitigation.


1. ViperLab, Sipera Systems, DEF CON 17, “Advancing Video Attacks with Video Interception, Recording, and Replay,” by Jason Ostrom and Arjun Sambamoorthy, July 31, 2009, < 17-presentations/ defcon-17-ostrom-sambamoorthy-video_application_attacks.pdf>
Jeff Spivey

Leave a Comment