
Why Should Physical Security Professionals Learn Cybersecurity Skills?

In the first of a series of columns set to be hosted exclusively on IFSEC Global, Sarb Sembhi, CISM, CTO & CISO at Virtually Informed, outlines why physical security professionals should be investing in their cybersecurity skillset.

Most physical and cybersecurity professionals have worked completely separately since cybersecurity became a field in its own right. This continues to be the case, despite the efforts of my good friend and colleague James Willison and me to promote a joint approach with converged security risk management.

Whether enterprises see the benefits of the two areas of security risk working together or not, there is one thing that must change – physical security professionals must learn cybersecurity skills. Here’s why…

The Coronavirus is not the only cause of change in the world!

Physical security has been around for centuries, and over the last 20-plus years it has benefited from technological advancements in CCTV, access control systems, centralised alarm control systems, sensored perimeters, and many others. And, over the last few years the technology has advanced even further to facilitate many more benefits. However, these are only achievable through these systems not only operating on an IP network, but also sharing other technologies, such as protocols, services and applications. The sharing goes beyond the basics, as it involves connecting with many more systems, which are totally different from each other, especially when we are talking about systems in smart buildings.


I call this last change the 'IoT-isation of technology,' which has pushed what were once physical security systems open to cybersecurity vulnerabilities.

This means that regardless of what physical security professionals think – be they installers, maintenance or facilities staff – they will have to learn enough cybersecurity practices to ensure that they are not making the rest of the network any more vulnerable than before the devices were installed. Unfortunately, if the current installers are not able to secure such devices, then enterprises will need to replace these suppliers with those who have the skillset to do so.

Change in skills requirements

Many of the devices being installed in a commercial environment are also being replicated in the home. More and more people are implementing surveillance technology into their houses under the guise of security, not understanding that they are probably more vulnerable to attack with some of these products than they were without them. Many of these products are amazingly simple to use; however, in many cases the functionality was never extended to include securing the device or system from hackers.

Since these systems are often purchased based upon their price point, and not the security built into the device or system, the chances of them being replaced due to cybersecurity issues are remote to non-existent.

Whilst some may be aware that there is a UK and EU coordinated law that is coming into operation in relation to consumer IoT products, it is so low level that it only deals with the top three of the thirteen ETSI standard requirements for device and system security.

Although commercial and domestic products are not exactly the same and being skilled in one doesn’t necessarily make you an expert in the other, they do utilise many similar technologies, which creates a fantastic opportunity for many small installer/integrator businesses.

However, there still needs to be a major shift in the skills required to install, maintain and oversee facilities, with cybersecurity at the forefront of this requirement.

Job security

Another driver is that several professional bodies and industry standards are beginning to include cybersecurity skills for any smart products that are installed into buildings, be they domestic or commercial. So, physical security professionals may only be left with a limited range of options:

  • ignore cybersecurity and lose business to those who are willing to adapt to the market needs, or;
  • leave the profession or industry because cybersecurity isn't for them, or;
  • learn enough cybersecurity to adapt and add value to customers and the industry, or;
  • go the whole hog and explore a career in cybersecurity, where you are able to provide the additional physical security and safety skills that most current cybersecurity professionals don’t have.

Basically, it seems that if you are or have been in physical security and want to keep your job security for the longer term, you will have to learn some cybersecurity skills!

Add value to your business offering

The good news is that there is currently a cybersecurity skills shortage and the profession is looking to fill the gap from various avenues.

Unfortunately, some of my cybersecurity colleagues feel that many physical security professionals are not interested in working with cybersecurity teams to provide a single view of risk. There is a view that installers or facilities teams are so entrenched in their views about any non-physical security that they will resist change for as long as they can, while also holding back those who want to see change. This resistance is there and will be there for some time, but with the world moving towards smart technology, those who have at least some cybersecurity skills won't be completely left behind.

I do believe that since there is little or no chance that cybersecurity people will attempt to learn the risk skills physical security professionals have, the only chance we have of keeping good physical risk management skills is to train physical security professionals into cybersecurity. On this basis, physical security professionals can create a new breed of security professional. Not only that, they will be meeting an immediate gap that needs to be filled around the world, not just in the UK, US and Europe.

In closing…

As a cybersecurity professional who researched into the vulnerabilities of networked CCTVs, intruder alarms, fire alarms, HVAC systems, and other physical network devices at the time when they were not called IoT devices and they were all under the management of physical security teams, things have changed! Physical security is going to change much faster in the next few years, often in favour of those with cybersecurity skills.

To respond to this big shift, physical security professionals will have to learn some cybersecurity skills, whether it is for 5-10% of their jobs, or as much as 20-30% each working week.

I would like to start this discussion and ask what you would like to see to help you make that progression and have the sustainable future you need for yourself and your business. If you have any questions or there are any topics that you would like me to cover, please feel free to post them on this page, and I will try to respond when I get the chance.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, intruder/fire alarms and guarding – and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.

Sarb Sembhi CISM, is CTO & CISO at Virtually Informed and a contributor to IFSEC Global.





User Rank: Apprentice
9/1/2020 | 2:25:54 PM
Seems most people think of "physical security professionals" as security guards and their staff. They do not make good cybersecurity professionals.

People who install and maintain security equipment are technicians. They have IT skills as well. They understand some aspects of cyber and can level up.
