The European NIS (Network and Information Security) directive defines the measures that help achieve a high level of security of networks and information systems. This provision is destined to have a strong impact on both logical security and physical security. The two aspects are increasingly linked: if physical access to the infrastructure is not defended, the infrastructure becomes vulnerable despite all the protections placed on the information systems. Managing IT security without taking care of physical security therefore makes no sense, and striking a balance between the two aspects is essential.
To be able to defend its assets, the company must therefore consider and analyze a whole series of physical and logical situations that concern and involve all types of activities. By extension, this also applies to the vendor, who is called upon to control the entire logistics chain, from the component suppliers to the moment a product leaves the plant and arrives at its final installation at the customer. In these transitional phases, the likelihood of suffering an attack is often higher.
The NIS Directive is aimed at all companies providing essential services, such as the production and distribution of energy; transport by road, rail, water, and air (including airports); water management; banks; data centers; and hospitals. In these vertical markets, the European directive requires the implementation of choices and assessments regarding security in the management and use of all ICT infrastructures at all levels. Specifically, this covers the software and hardware that are part of the network infrastructures, but also the people who manage, use, implement, and maintain them. It is important to note that companies are required to adapt to the new security paradigms and that, at the same time, they must demand that their suppliers adopt similar systems that conform to the new context. In cascade, then, the entire supply chain is called upon to react proactively so that it can move in a coordinated way and reach a widely spread and shared level of awareness.
Are we ready?
The question at this point is: is the physical security sector ready? In truth, there is still a long way to go. Today we observe that the physical security sector is not ready: those responsible for physical security are still a long way from possessing the necessary IT skills. Conversely, computer security experts do not know the key aspects of physical security. Work must be done to ensure that the two approaches align and share best practices and know-how, because in this phase we are called to manage the two as a whole.
Involve key figures
It is not yet clear, or perhaps it is only becoming so in recent months after all the successful attacks, how much investments in security can do to protect a brand's reputation or the trust that customers place in a certain supplier. It follows that prudent choices and strategic investments in the security field, which guarantee companies elements such as scalability, the use of non-proprietary protocols, and ease of integration, have become mandatory. In addition, the involvement of the company figures who manage security issues at the tables where companies' strategic choices are discussed is becoming increasingly important.
In the same way, we must look at the professional skills currently available: a one-man band that can govern this level of complexity is unthinkable; on the contrary, it is necessary to look to the future by getting all the actors involved to talk to each other at tables that, by their nature, will be multidisciplinary. The distribution of responsibilities will be built at these tables, as required by the legislation, not in the sense of reducing the risk that each person runs individually, but on the contrary, in the sense of everyone's contribution towards ever higher levels of security.