Managed Physical Security

Physical security is justifiable for nearly every business today. Across the United States, employees assume a baseline level of security in the workplace, and with a seemingly endless number of liabilities, it’s simply not possible for employers to be too careful. However, only a small minority of organizations globally can afford (or justify) dedicated security management personnel who intimately understand the security technology the organization has invested in. As a result, security systems are often underutilized, misused, or bypassed entirely because those tasked with managing them lack the time or experience to do so effectively. How, then, might an organization better leverage its initial investment without being forced to double down by further investing in internal security management resources? The answer just may be managed physical security.

Just as physical security solutions are not “one size fits all,” neither is their initial delivery. Though purchasing systems outright is typically preferred, it isn’t always realistic. Other options may be a system lease, a lease-to-own agreement, or even an “as a service” subscription for hardware and/or software. Regardless of the structure under which an organization’s security solutions are delivered, it’s prudent to consider a managed physical security agreement with the service company once the solutions are fully implemented. Managed physical security agreements entitle subscribers to submit requests to their service company for completion, generally via forms provided by the service company. It is also common for these service companies to leverage some form of active monitoring, which allows them to identify and mitigate issues that might otherwise go undetected for an extended period. Furthermore, proactive maintenance and system updates are common under these types of agreements, as service companies seek to eliminate vulnerabilities published by system manufacturers on a regular basis.

If we were to examine the lifecycle of a common request under a managed physical security agreement, for example, adding a new approved cardholder to an organization’s access control system, it may look something like this:

1. An approved resource from the subscribing organization sends a request to the service company, typically in writing via email, asking that “John Doe” be granted access through specific doors at certain times throughout the day.

2. Typically, the request will be documented on a “request template” provided to the subscriber by the service company. The benefit of this template is that it enables the subscriber to account for all the necessary information (cardholder name, access permissions, access schedule, etc.) the first time the request is submitted.

3. The service company then confirms receipt of the request and that all of the required information has been included.

4. Finally, the service company completes the outlined change and advises the subscriber that all requested changes have been completed.

In our hypothetical scenario, these changes were completed more expediently than if the subscribers had completed the changes themselves. Rather than spending time on these changes, organizational personnel were able to focus on the responsibilities they were hired to perform.

Not every physical security service company offers managed physical security packages, but those that do will often have a tiered set of offerings. Examples of these might be remote support only during normal business hours (tier 1), remote and onsite support during normal business hours (tier 2), and after-hours support (tier 3). When evaluating which package to subscribe to, subscribers should partner with the service company to complete a criticality assessment of the requests they anticipate submitting most often. If the subscriber is a healthcare organization that commonly onboards new staff overnight, then subscribing to a managed physical security agreement that only entitles it to support from 8:00am – 5:00pm may prove detrimental. Likewise, it would be fiscally irresponsible for an organization only open from 9:00am – 3:30pm to pay an additional fee for after-hours support.

Managed physical security is not always justifiable. When there is a logical business case for such an agreement, though, it can help subscribers streamline security operations at a much lower and more predictable cost to the organization than dedicated internal security management personnel. Any organization considering an investment in physical security measures, large or small, should give deep consideration to how those measures will be managed following initial delivery. As stated in one of my previously published articles, today’s threat landscape is dynamic and ever-changing; organizations determined to keep up can only do so if they’re protecting the solutions they’ve invested in with an appropriate level of security management.


Jake Kuncaitis, CPP
