Feature Opinion Read more online at www.securitymattersmagazine.com
ASIS in the UK
There’s now an ever-growing number of system
integrations designed to drive increased business insight
and realise proactive data lakes. How might security
professionals make their mark in this area? As Letitia
Emeana observes, they must be part of the solution rather
than add to the growing challenge
IT HAS long been in my way of
working in security to make everyone's
lives easier by naturally looking to the
root causes of issues and tracking them
back to where they can be altered. The
ultimate goal? To provide alternative or
otherwise improved outcomes.
One such area that I’ve been looking
to improve upon is how to work better
with cyber, information, privacy and
ethics-focused teams on the subject of
surveillance cameras. The latter offer
many business benefits and, generally
speaking, security professionals have a
decent grasp of the legal, data, privacy
and ethics implications that are now
attached to such technology.
In today’s world, though, surveillance
cameras have uses beyond pure security.
There are clear advantages to be had
from the integrations they offer. As such,
it can be the case that camera systems
are no longer viewed as the sole preserve
of the security professional. What does
this mean, though, for the latter?
The challenges associated with the
convergence of logical and physical
security remain. Security professionals
need to have regular and collaborative
conversations with their colleagues in IT
to ensure that, together, they protect the
IT infrastructure, the software, the
hardware and the data.
In many instances, security
professionals must also begin to manage
entire business operations and be
involved in ‘Smart’ developments.
New word on the block
‘Smart’ is the new word on the block for
the Internet of Things which used to
reside solely in the cyber domain. As
system integrations now involve
cameras, are the departments deploying
such ‘Smart’ devices as acutely aware of
the ramifications of the General Data
Protection Regulation (GDPR) – and
the ethics and privacy rights of
employees, contractors and visitors – as
is the case with security teams?
From my own perspective, I’m
finding that they’re often not aware or
even clear on any of the implications.
Stepping outside of the realm of their
own environment, security professionals
are uniquely positioned to provide more
‘value add’ to the business and help
other functions deploy their solutions in
a compliant way.
Initially, this process may not be as
agile as the business would prefer as it
will likely be a new one which isn’t yet
fully understood. The underpinning
benefit of security expertise resides in
the ability to enlist advocates in these
other teams by explaining matters to
them in simple terms.
Let’s say a given company wants to
deploy surveillance cameras on its
production line. These cameras will be
used to monitor fault alerts and quality
issues, etc. The images realised from
them will be stored and used to
investigate the root causes of any issues
that arise, as well as to derive
improvement insights for times hence.
Does the team in charge need to be
aware of the European Union’s GDPR?
The answer to that particular question is
a very definite: ‘Yes’. The cleaner, the
maintenance person or a saboteur may
be the reason for the fault and,
depending on the placement of a given
camera, might now be in its field of view
and, as a direct result, identifiable.
Does that camera require the same
controls as a pure security camera?
Again, the answer to this question is also
in the affirmative. That said, I wouldn’t
expect to fix that situation in a single
day for all similar cameras on all sites
and across all operations.
Is it even my issue as a security-focused
professional? Yes. It’s my issue
because my purpose is to do the right
thing. I believe that I’m employed to
provide continual improvements and
look for (and then implement) solutions.
My department is tasked with
protecting the company, its people and
its assets. However, the way in which I
approach that task is not to go to each
department and ask about their cameras
or try to gain a sense of the scale of the
issue globally or, indeed, within the
organisation itself on the basis that I’ve
found a vulnerability.
It’s a vulnerability that’s likely to grow.
Who allows this ‘Smart’ tech on the
network? Our good friends in IT. They
then become the safety net. If the
technology cannot work without a
connection, we can help build a process
to support the business at the root of its
need rather than from a ‘Security’
position. Building-in controls for all
camera systems is the essential part of
compliance. The business is then
directed towards doing the right thing.
Such a scenario will only arise when
you’ve gathered a network of advocates
in IT. It’s also very dependent on the size
of the organisation and the size (and
number) of those teams involved.
Surveillance cameras are now multi-faceted.
They have multiple uses for
various end user consumers operating in
different environments and with
different legal, cultural and ethical issues
in play. Whatever the use scenario, the
security, privacy and ethical implications
must always be considered. •
Letitia Emeana CPP PSP CISMP is
Chair and Board Director of ASIS
International’s UK Chapter