Edward Snowden did an important thing: He made an important conversation on security and ethics popular and international.
On one hand, he told us something we always knew: Spies spy. That is, they stealthily gather secrets. This is usually associated with times of war or matters of national security. I’d venture to say spying may be the third oldest profession.
Spying on specific national interests is assumed, expected, and probably universal, which is why the feigned indignation of global leaders is somewhat laughable.
However, spying on a populace is extreme. Spying is deemed by many as normal when its targets are decision makers, influencers and information handlers. Regular citizens, though, don’t qualify for surveillance unless they are associated in some way with a security threat. I would contend:
- Surveillance of a high crime street corner is appropriate
- Surveillance of a shoplifting-prone market is appropriate
- Surveillance of military leaders engaged in assault on national interests is expected
- Combining private communications, collecting information that may someday be factored as a risk – destroys the fabric of trust between a people and its government.
Therefore, surveillance in itself, in my view, is morally neutral, neither good nor bad. Sometimes it’s downright necessary for security or loss prevention. It’s a simple formula: analyze metadata, identify risks, manage risks.
This surveillance and spying conversation, however, sends shivers down the backs of security managers and executives.
Recent informal research I conducted found that security executives are the ‘Least Aware’ of physical threats to information. Every security executive I’ve interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against it.
…and ‘Least Prepared’ for social engineering and physical penetration. The security enterprise executives I spoke with confessed that their confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives, who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by:
- an unauthorized visitor tailgating into the building
- an attacker bypassing security controls at doors and fences
- rogue employees or contractors (a la Snowden)
- an internal attacker of any type
We are all in this discussion now, public and private organizations, data and physical infrastructures. Now tell me your opinion. Do you think the “Snowden affair” is relevant to your organization? Is it a physical security issue? A cybersecurity issue? Both? Something different?
Steve Hunt, CPP CISSP, is a strategist focusing on cybersecurity, safe cities, safe business, and critical infrastructure protection. He was inducted into the ISSA Hall of Fame. Steve’s career covers the breadth of the industry: cybersecurity, physical & homeland security. He also ran the risk management think tank at Forrester Research. As a recognized expert on best practices, security trends, and technologies, Steve helps executives at the world’s largest organizations create value in light of physical and cyber threats. Security Magazine named him one of the 25 most influential people in physical security. CSO Magazine gave him the “Industry Visionary” Compass Award.