Australia’s physical-security specialists looking to take on information security

The increasing convergence of cybersecurity and physical infrastructure means Australian CISOs are likely to see more engagement from private security providers building expertise in consulting, R&D, and infrastructure and service provision as they work to create new opportunities in cybersecurity.

Prepared by the Australian Security Industry Association Limited (ASIAL) and the Australian Security Research Centre, the newly released Security 2025 report lays out a four-year vision for the industry—which employs 180,000 people across Australia, primarily focused on conventional security arrangements such as access control, building protection, guard services, crowd control, locksmithing, and the like.

Despite its legacy in the real world, cybercrime is seen as the most significant emerging threat by both security service providers (82.8% of respondents) and security service users (91.3%)—outranking insider fraud, property and asset crime, physical assaults, and terrorism.

Traditional security providers start to see the cybersecurity opportunity

Despite strong awareness, however, just 5.7% of respondents to a recent ASIAL industry survey said they were currently offering cybersecurity services. This is likely to increase significantly with the increasing digitisation of the industry and adoption of technologies like biometrics, IT security, facial recognition, and location-based security.

“Cyberthreats constitute a major risk exposure to persons, critical infrastructure, and a range of sectors. But these threats are counterbalanced by opportunities for the private security sector to explore,” the report said, noting “a real opportunity for the private security sector to expand into this evolving field. … The key is to use digitisation to augment and improve the capabilities of contemporary security officers trained in its application.”

Fully 37.9% of security service providers identified cybersecurity as a growth opportunity, and 17.6% said they intend to increase their provision of cybersecurity services within the next five years, with electronic security also becoming more widespread as the overall practice of security becomes increasingly digitised.

Customer demand for cybersecurity capabilities is surging, with 44.9% of customers currently using cybersecurity services. This figure expected to grow to 61.2% over the next five years, pushing demand for electronic and cybersecurity services past the security industry’s traditional protective and physical security services.

With government bodies increasingly exploring blended methods of physical and virtual security based on physical identity, vaccine status, and other indicators, ASIAL believes the private security industry’s push towards cybersecurity couldn’t be coming at a more opportune time. “The private security industry is in an ideal position to explore resultant opportunities,” the report noted, by not only further developing internal industry capabilities and facilitating compliance with these standards, but also working collaboratively with the ACSC [Australian Cyber Security Centre], critical infrastructure, and industry to develop multiple options.”

IT security providers may retain their edge with CISOs

Yet despite this surge, the Security 2025 report warned, security providers risk being outpaced by ICT providers that already have a strong base of cybersecurity experts. “The security industry arguably does not,” the report noted. “Although the differences between the industries are blurring, the professional demarcation between disciplines appears to continue, and what is a potential market share opportunity will subsequently remain a threat if this current gap in capability is not addressed.”

The relative lack of cybersecurity expertise within the security industry—identified as an issue by 74.6% of respondents—poses challenges for an industry where many contractors source “market disruptors” such as internet of things (IoT) security devices from retail outlets like Bunnings, installing them “without due consideration of the associated system interface and vulnerability issues”, the report said.

“The ability to keep intelligent systems secure from a cybersecurity standpoint is critical,” the report noted, advising security firms to train staff with certifications like ASIS and C3 (Cybersecurity Credentials Collaborative) to improve their cybersecurity. “The more powerful systems become, the more of a target they will be in terms of potential business disruption, or in terms of being used for illegal activity.”

Increased emphasis on security outside information security for CISOs

Increasing mobilisation of the security industry into cybersecurity will make waves for CISOs that have traditionally been focused primarily on information-security issues.

In today’s increasingly connected world, many CISOs have been morphing into a more hybrid role that combines physical and information security under the umbrella of enterprise security risk (ESR).

This convergence has been championed by seasoned security executives like NBN CSO Darren Kane, who has previously walked both sides of the fence and believes cybersecurity leaders and physical security leaders have a lot to learn from each other. “From an ESR perspective, management of the technology aspect of that risk is probably 75% of the job,” he said during an interview with industry publication Cyber Today. “But from the other side, there was a worry about the technology space not truly appreciating the life cycle of security risk.”

Critical security functions like background checking, reference checking, induction interviews, and the allocation of a job role “all give an employee access to the network and systems,” he said, “so at what stage does the one area hand off to the other? I believe it is seamless and one accountability.”

Analyst firm KPMG believes this converged approach to security will become more common as the conventional walls between information and physical security are increasingly blurred. “As cybersecurity matures, expect increasing technical security controls embedded into the CIO’s processes, with many CISOs taking on a more strategic role that fits less comfortably with their traditional reporting line to the CIO,” the firm noted in a recent report heralding the emergence of “a new corporate position that takes a holistic view of the organisation’s resilience to all forms of stress or disruption malicious or accidental.”

Some CISOs have pivoted into a new role called “chief resilience officer” (CRO) that proceduralises this wider view of corporate risk, spanning areas like business continuity, disaster recovery, and information and physical security, as well as incident and crisis management.

KPMG identifies seven key actions for CISOs that should, the firm argues, become “enablers and facilitators” that work with business leaders to boost stakeholder collaboration and “embed cybersecurity into the DNA of the organisation”. “In a marketplace where speed to market is essential and increasing Australian regulatory and legislative requirements have resulted in cyber [becoming] a top business risk,” said KPMG Australia cybersecurity services national lead Gordon Archibald, “cybersecurity teams are now responsible for building trust, [building] resilience, and forging a pragmatic security culture—and helping embed secure by design thinking into every aspect of digital infrastructure and data.”