Security is a subject that, depending on who you’re talking to, might mean different things. Even in the same context, in this case business, security can have several different definitions for different people. For some, security means locked doors, alarm systems, and CCTV cameras. For others, security might be a bouncer or a guard. Still others might consider encryption, VPNs, and network firewalls to be security. The truth is, they are all correct and all these security measures are directly related.
When posed with the challenge of securing their organization, people tend to focus on the single type of security measure that suits their own understanding of what an organization needs. This approach can be narrow, leaving the organization vulnerable to threats that the business owner or manager might not have even considered.
In the words of the 90s pop group En Vogue, "free your mind and the rest will follow". For the security professional, there are thousands of unique security controls that can be implemented to help protect an organization. All of these protective measures fall into three basic categories: operational, technical, and physical. For holistic security, it is necessary to consider all three.
Operational security can also be called administrative security. Its primary focus is protecting the organization from loss through the actions of its own employees. These security measures are managerial in nature. They consist of policies, standards, and procedures that establish leadership support for security and that define how the organization expects its personnel to conduct business, how its systems are to be configured and used, and how the organization intends to respond to security incidents.
Technical security, as the name suggests, is the set of security controls implemented through information technology. They are sometimes also referred to as logical controls, since some of these measures are simply a matter of how an IT device is configured. Technical security controls are primarily focused on supporting the confidentiality, availability, and integrity of information and the IT systems that handle it. These are measures such as anti-malware software, firewalls, web proxies, data backups, and user account control.
Physical security describes the protection of physical property. This includes both physical assets, such as computers and furniture, as well as the actual facility that the business resides in. The obvious physical security controls are things like break-proof glass, door locks, and security alarm systems. Things that are not often considered security measures that also fall under this category are environmental measures, such as air filtration and humidity control systems, fire suppression systems, and even the design of the facility itself, if it is intentionally built to withstand natural disasters like earthquakes and tornadoes.
It may be true that having some security is better than nothing. However, it could be argued that without complete security, you might as well leave your front door open after closing time and save yourself the expense. What good is a locked door if an intruder can enter your organization through malicious software? Alternatively, what good is an expensive and advanced technological security system if there is no standard or policy that addresses how it is to be configured and maintained? Security cameras will do little to stop an employee from using their computer to steal from your organization.
In reality, true security does not exist. No organization can actually make itself completely immune to any and all possible threats. The best security can be realized with a holistic approach. By implementing all three types of security, the organization will benefit from a security program that provides a high level of durability against all types of threats. These families of security controls are directly related to each other and become more effective when implemented together.