Specifically Speaking with Jeff Spivey
During our conversation you mentioned the “new security model.” Can you explain what you mean by that?
There is a movement away from an older, more fragmented approach to security. The former management framework of “guns, guards and gates” did not enable effective communication about the real business risk derived from security risk. The “new security model” I refer to takes a collective and holistic systems view of all security risk. This more complete view dictates a complete recognition of the degrees of security-related risk to the organization/business. The new model acknowledges that managing business risk to best enable the organization to exist and to thrive is the reason the need for “security” exists, “period.”
A “security renaissance” is occurring. At the same time the business, including security, is becoming more dependent on new technology/information systems. As we see with cybersecurity-related risk, the security of the technology is important to provide trust in the information systems and therefore value to the business. This includes security devices themselves and their connections to the technology networks which business is so dependent on for success or failure.
You mentioned that a project designed/implemented by Security Risk Management (SRM) included a separate IP network dedicated only to physical security devices and that is now a standard for SRM. Are there any exceptions to this rule? Why or why not?
SRM’s objectives in the design of any systems include the assurance of reliability and security of all of the systems and their components. Systems reliant on IP networks provided by others may or may not provide the reliability and security SRM feels is important. We have evolved a set of security principles for any of our services to help clients create and maintain a secure environment from which to operate. At present, these are proprietary and used in some fashion with everything we do.
What are the physical security risks of IoT?
I would reframe the question as: What are the business risks associated with the security of the Internet of Things? Technology risk does not equal business risk, and business/organization risks are all that count. So, by framing this issue as a “business risk” issue, we show the connection of security to the dollar impact on the business and the likelihood of this risk occurring. Those people responsible in the business can then determine whether that risk needs resources, changes in process, or any of a multitude of treatments that would be recommended.