Security Needs a Seat at the Table

Too many organizations see insider threat management as a human resources thing.  After all, insider threats are just people, right?  Too many organizations see cybersecurity as an IT thing.  After all, it's just software monitoring network traffic, right?  Too many organizations see physical security as a facilities thing.  After all, it's just guarding the premises, right?  

Each of these areas are typically seen as silos, operating independently and raising red flags when their own particular alarms are triggered.  What they don't see is they can often be informing each other, and providing vital information that could help create a more complete picture of a potential attack (or threat).  Let's use an example.  

Your network monitoring software identifies multiple outside attempts to access a particular server that contains the specs for your company's secret new medical device.  This gets shut down by your intrusion software.  Several days later, Tom (VP of Operations) who happens to be trying to put 2 kids through college is overheard by another employee at a local restaurant discussing the new device and how it's going to change the market.  The employee informs HR about the conversation, who sees it as normal behavior since Tom is an executive.  A week after that Tom is discovered through monitoring software copying the device spec files from the server to a USB drive.  When confronted, Tom becomes agitated and verbally threatens the HR manager.  The HR manager fires Tom that day.  Two days after being fired Tom returns with the intent to harm people in the organization.

This scenario encompasses cybersecurity detection, insider threat management, and physical security of the premises.  All of these functions exist to protect the intellectual property and human life in an organization (its most important assets), and all of them need to be working together.  Perhaps a better way to organize these functions is to put them into a single functional group, and give them a "seat at the executive table" where they can deliver the business case for security from a single voice.