1CYB1 Class Blog - University of Galway 2023-24

Drawing parallels between Fire Safety and Cybersecurity

Some notes from comparing the fire safety of an office building with the information security / cybersecurity of an organization operating in that building.

| # | Fire safety | Cybersecurity |
|---|-------------|---------------|
| 1 | The physical building is infrastructure used by the organization. | The IT and information systems (IS) are infrastructure used by the organization. |
| 2 | Fire safety efforts protect the building. | Cybersecurity efforts protect data and information. |
| 3 | Fire safety is built into building design codes and operating standards. | Cybersecurity is not yet built into IT and IS systems by default, at least not in proportion to the threats they face. |
| 4 | Occupants are NOT significantly burdened with fire safety concerns during their regular use of the building. | Users of IS systems currently carry much of the burden of security themselves. |
| 5 | Occupants need only minimal fire-safety training and drills, so their productivity in their core competency is maximised. | Because the systems they are given have inherent insecurities/vulnerabilities, users carry the burden of ensuring security and are distracted from their core work. |
| 6 | Because fire safety concerns are largely abstracted away from occupants, the organization suffers minimal loss of productivity. | Because cybersecurity concerns are not yet abstracted away from users, the organization faces significant productivity losses on top of the larger risks. |

More thoughts

| # | Physical infrastructure safety | Cybersecurity |
|---|--------------------------------|---------------|
| 1 | The office building and campus are designed and constructed according to mature security frameworks and best practices. | IS systems are not yet secure by design. |
| 2 | Mature access control matrices and policies are implemented through tried-and-tested, reliable physical access control devices and workflows. | Identity management and access controls are not yet mature; they are often haphazard, outdated and unmonitored. |
| 3 | Operational scenarios such as visitor management are handled with dedicated visitor meeting rooms and supporting facilities such as visitor parking and a reception desk. | Data export, sharing and collaboration mostly run on shaky foundations full of security holes, most of which remain unknown vulnerabilities. |
| 4 | Visitors are kept air-gapped from critical business assets. | Unauthorized agents (both human and non-human) can come dangerously close to critical business assets with little effort, often simply through mistakes/errors. |

Summary

The realm of organizational information systems and cybersecurity as a whole critically needs sweeping paradigm upgrades and their implementation, and appears to be undergoing such changes.

Until these changes mature, the threat landscape poses immense risk, and interim measures are needed to hold the fort. A dynamic approach to cybersecurity risk management, combining assessments, audits and strategies with implementation actions such as secure process re-engineering/hardening and security awareness training, can be an efficient and immediate interim measure.

Aravind Jose T