There’s no Physical and Cyber, it’s just ‘Security’
Posted: Wednesday, Nov 19
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB, and widely known across the cybersecurity industry. A serial Entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm, MercSec. She is also the former Producer and Host of the streaming show, 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company led by KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity, and provide genuine insight to executives on the downstream impacts cybersecurity advancement and events have on our wider world.



Christian Morin, Chief Security Officer at Genetec, knows the convergence in this space better than most. The adage of “set and forget” is still the norm, and the line between physical and cybersecurity blurs with every connected device; the industry as we know it is shifting. The main question isn’t whether organisations can respond to breaches, but whether they have the muscle memory to do so when panic sinks in and replaces protocol.

“My fear is that as a society [we] get numb to these incidents and to these threats that are around us because there are just so many. Are we going to get to the point where we stop caring about it and it’s like we just live with it?” adds Morin.

The standard organisational playbook is littered with plans and protocols: incident response plans (IRPs) that sit in pristine binders, and compliance regimes that breed more paperwork than preparedness.

“One of the mistakes… is that [the IRP] is a checkbox item, right? And that’s not how it has to be looked at.”

When the crisis hits, panic often outpaces practice. It’s not the documented plan but the planning itself, the rehearsals, the what-ifs, the honest postmortems, that reveals whether an organisation can weather the storm.

Most organisations believe they’re ready, but in reality they are not.

Yet, as Morin points out, “Many organisations still to this day lack incident response plans. So how can you actually have any form of resiliency if you lack some of the basic fundamentals?”

Even when plans exist, the impetus to go beyond baseline compliance is often missed or lost in the chaos. The organisations that regularly conduct tabletop exercises, simulate diverse incident scenarios, and learn from actual events are rare, and they are the ones less likely to have to improvise in mayhem.

Ticking the IRP box hides an underlying problem with how security is performed, especially in hierarchical firms: the belief that security is someone else’s problem.

“Cyber awareness needs to happen all the time and needs to happen through various different channels or mediums,” Morin adds.

A vanilla poster once a year isn’t enough. The real transformation is cultural, and it is predicated on experience: a child’s account that has been hacked, or an everyday device that has been compromised, is what makes cyber risk real to employees. We’re long past the days when cyber and physical security lived in silos. Unfortunately, legacy thinking persists, accompanied by muddy lines of accountability and technical complexity.

“There is no such thing as physical security and cybersecurity. It’s just security,” Morin insists.

The threat vectors may differ, but the mission is the same: protecting people, assets, and facilities with the appropriate controls. Morin reflected on the infamous Mirai botnet, in which innocuous devices such as edge routers and home surveillance cameras became powerful conduits for distributed denial-of-service attacks. “These devices are small computers,” Morin reminds us, “and we have to secure them.” The proliferation of smart buildings, IoT sensors, and legacy systems compounds the challenge. The critical question for executives is no longer just, “Are we secure?” but, “Do we even know what’s connected?”

Most CISOs are aware, but few have visibility. Inventorying physical devices across facilities, OT systems, and supplier networks is a monumental task. The fragmentation isn’t just technical, it’s organisational too. Physical security teams often operate with scant interaction with cyber peers, even in environments like banks. Critical gateways remain overlooked until a breach traces its roots to something as innocuous as a connected fish tank or a forgotten sensor.

We as an industry need to break the ice between departments, merge inventories, conduct joint exercises, and demystify the fortress mentality around cyber teams.

“They’re there to help,” he says, not hinder.

The baseline must shift from compliance for its own sake to genuine shared responsibility for security.

“There are so many opportunities to bridge information and have controls that span across both worlds. That will only make the overall security posture that much better and make the bad guys’ jobs that much harder.”

The convergence of physical and cybersecurity isn’t just a technical shift; it’s a human one. This problem needs more than technology: it needs process, conversation, and the kind of common sense that too often flees in a crisis.

Regulators will push harder; awareness will, hopefully, deepen. But without the commitment to rehearse, revise, and reach across silos, organisations risk letting numbness become their new normal.
