Information security can learn from physical security
Physical security can provide a number of guidelines when establishing an information security model, says Johann van der Merwe, global head of information security at De Beers.
"You can get a lot of tips from physical security when you want to get a company's information security off the ground," says Van der Merwe.
"However, once it has established its own foundation, it really lives better within its own IT environment."
Van der Merwe was speaking at ITWeb's Security Summit this afternoon. He says it is important to remember that diamonds are at the centre of De Beers' pipeline and that everything - including information security - essentially revolves around that.
Van der Merwe has headed the information security of the largest diamond company in the world, by value, since its information security team was established.
He highlighted specific lessons that role-players in information security can take from physical security:
- Physical security is ahead of information security; they know who, what, why and how. "Understand who you are dealing with," said Van der Merwe, "because it is often much more complex than you realise." Because information technology normally works with a "theoretical threat", this can be a real obstacle when you explain how your defences work. Know exactly who your enemy is and what their objectives are.
- One can only look at the tip of the iceberg when understanding a threat. "If someone asks, 'how much information am I losing really?', this is a very hard question to answer," explained Van der Merwe. "When you discover a problem, start asking some questions to understand how big the problem really is."
- Understand the effectiveness of your controls. "From an information point of view, we often just add more and more controls and more and more layers. Meanwhile, you are going down already."
- Expect the human element to fail. "If you have a really strong threat model, the people in your organisation may become a victim of it," explained Van der Merwe. Know that people within your organisation could be targeted to become a pawn in the enemy's game, he added.
- Technology can become a company's biggest weakness. Van der Merwe explained that technology can give a sense of comfort that is detrimental to a security model. "People can abuse technology to obtain their goal. Never assume you are safe."
- IT leaders are critical. Physical security recognises the importance of having a strong leader in place. The same goes for information security, says Van der Merwe.
- Companies can only be successful if they have all their multi-disciplinary teams working together. "You have to be able to integrate all your teams when dealing with a strong targeted threat model," said Van der Merwe.
- All systems must be on par. "The only way to make sure all your systems are on standard is to have proper management systems in place that understand the objectives and are driven to reach them," said Van der Merwe.