security-matters-sept21

Feature Opinion Read more online at www.securitymattersmagazine.com ASIS in the UK There’s now an ever-growing number of system integrations designed to drive increased business insight and realise proactive data lakes. How might security professionals make their mark in this area? As Letitia Emeana observes, they must be part of the solution rather than add to the growing challenge 18 IT HAS long been in my way of working in security to make everyone's lives easier by naturally looking to the root causes of issues and tracking them back to where they can be altered. The ultimate goal? To provide alternative or otherwise improved outcomes. One such area that I’ve been looking to improve upon is how to work better with cyber, information, privacy and ethics-focused teams on the subject of surveillance cameras. The latter offer many business benefits and, generally speaking, security professionals have a decent grasp of the legal, data, privacy and ethics implications that are now attached to such technology. In today’s world, though, surveillance cameras have uses beyond pure security. There are clear advantages to be had from the integrations they offer. As such, it can be the case that camera systems are no longer viewed as the sole preserve of the security professional. What does this mean, though, for the latter? The challenges associated with the convergence of logical and physical security remain. Security professionals need to have regular and collaborative conversations with their colleagues in IT to ensure that, together, they protect the IT infrastructure, the software, the hardware and the data. In many instances, security professionals must also begin to manage entire business operations and be involved in ‘Smart’ developments. New word on the block ‘Smart’ is the new word on the block for the Internet of Things which used to reside solely in the cyber domain. As system integrations now involve cameras, are the departments deploying such ‘Smart’ devices as acutely aware of the ramifications of the General Data Protection Regulation (GDPR) – and the ethics and privacy rights of employees, contractors and visitors – as is the case with security teams? From my own perspective, I’m finding that they’re often not aware or even clear on any of the implications. Stepping outside of the realm of their own environment, security professionals are uniquely positioned to provide more ‘value add’ to the business and help other functions deploy their solutions in a compliant way. Initially, this process may not be as agile as the business would prefer as it will likely be a new one which isn’t yet fully understood. The underpinning benefit of security expertise resides in the ability to enlist advocates in these other teams by explaining matters to them in simple terms. Typical scenario Let’s say a given company wants to deploy surveillance cameras on its production line. These cameras will be used to monitor fault alerts and quality issues, etc. The images realised from them will be stored and used to investigate the root causes of any issues that arise, as well as to derive improvement insights for times hence. Does the team in charge need to be aware of the European Union’s GDPR? The answer to that particular question is a very definite: ‘Yes’. The cleaner, the maintenance person or a saboteur may be the reason for the fault and, depending on the placement of a given camera, might now be in its field of view and, as a direct result, identifiable. Does that camera require the same controls as a pure security camera? Again, the answer to this question is also in the affirmative. That said, I wouldn’t expect to fix that situation in a single day for all similar cameras on all sites and across all operations. Is it even my issue as a security-focused professional? Yes. It’s my issue because my purpose is to do the right thing. I believe that I’m employed to provide continual improvements and look for (and then implement) solutions. My department is tasked with protecting the company, its people and its assets. However, the way in which I approach that task is not to go to each department and ask about their cameras or try to gain a sense of the scale of the issue globally or, indeed, within the organisation itself on the basis that I’ve found a vulnerability. It’s a vulnerability that’s likely to grow. Who allows this ‘Smart’ tech on the network? Our good friends in IT. They then become the safety net. If the technology cannot work without a connection, we can help build a process to support the business at the root of its need rather than from a ‘Security’ position. Building-in controls for all camera systems is the essential part of compliance. The business is then directed towards doing the right thing. Such a scenario will only arise when you’ve gathered a network of advocates in IT. It’s also very dependent on the size of the organisation and the size (and number) of those teams involved. Surveillance cameras are now multi-faceted. They have multiple uses for various end user consumers operating in different environments and with different legal, cultural and ethical issues in play. Whatever the use scenario, the security, privacy and ethical implications must always be considered. • Letitia Emeana CPP PSP CISMP is Chair and Board Director of ASIS International’s UK Chapter (www.asis.org.uk) /www.securitymattersmagazine.com /(www.asis.org.uk) /www.securitymattersmagazine.com /(www.asis.org.uk)