Dive Brief:
- Organizations are allocating more money for security against physical threats, but the money is coming with more board oversight, and confusion remains over who has the lead role in physical security and how to blend physical security with cybersecurity, an EY survey finds.
- Almost 80% of organizations say they increased the allocation for physical security over their last budget cycle, in some cases by as much as 50%, according to the EY Forensic & Integrity Pulse, based on responses from 250 executives and board members to a March survey.
- “Leaders are beginning to recognize gaps in crisis management and physical security preparedness as threats and risk evolve,” EY says in the report, released May 5.
Dive Insight:
Many organizations have a security chief who oversees both physical security and cybersecurity, but as many as 27% put the responsibility in the hands of the chief information security officer, or CISO, EY says.
That might make sense for the third of organizations that put most of their security funding in cybersecurity, the report says. But for others, that “potentially [leaves] the physical space under-resourced,” it says. “CISOs are being asked to lead broader security operations, covering not just IT and operational technology security but, in some cases, people and plant management, product safety and crisis planning for weather emergencies.”
Organizations need a way to integrate security across all functions and to create paths for holding those responsible for security accountable.
“Fragmented ownership delays escalation, blurs accountability and weakens crisis response when minutes matter,” the report says.
Meanwhile, organizations’ boards are getting more involved: 90% of survey respondents say their board of directors has increased its focus on security. “Most respondents say directors understand the return on investment for security,” the report says.
Almost 60% say they pressure-test their security scenarios, but for many of the organizations the testing doesn’t extend to cyber-physical infrastructure and the systems that run it. For example, only 46% have pressure-tested sabotage of building systems, and 9% say they feel their building systems are their most exposed area.
Based on the findings, organizations should clarify who owns security as a function and centralize case management and communication, EY says. That should be followed by developing a threat intelligence center, establishing protocols for triage and running realistic exercises.
“Expand simulations beyond tabletop and cyber-only scenarios to include executive travel, corporate events and active assailant scenarios,” EY says. “Having a well-equipped threat intelligence center staffed by experienced intelligence professionals enables organizations to identify and respond to physical security threats earlier, reducing crisis impact.”