New Compliance Challenges in Security (S2:E59)

May 11, 2023

The evolution of technology permeates nearly every facet of the modern industrialized world, and the traditional security community is not immune. Our guest today, Tom Dymacek, Director of Federal Sales at Identiv, joins us to discuss the newest compliance challenges in security.

Full Transcript

Voiceover: You're listening to Humans In Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cybersecurity and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging digital [00:00:30] experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture.

Host: Thanks for tuning in. The evolution of technology really permeates every facet of our modern, industrialized world. The traditional security community is not immune to that influence. Our guest today is Tom Dymacek. He's the director of federal sales at Identiv. Tom, thank you so much for being our guest on this episode to talk about the new challenges [00:01:00] of compliance and security. First of all, tell us a little bit about how you got into the security industry.

Tom Dymacek: Yeah, thanks, Leigh. I got involved in the early 90s working with Honeywell. My primary focus was initially securing classified spaces such as SCIFs and closed areas. And then I moved into more of the systems integration world, not only working with physical security systems such as PACS, or physical access control systems, surveillance systems [00:01:30] and IDS systems, intrusion detection systems, but also building control systems, fire alarm systems and PLCs as well. So the total industrial control system package, if you will. And I got some experience working with the IT infrastructure, specifically with hyper-converged solutions. And then I spent some time recently in the cybersecurity world working with a company that did a lot of pen testing for DOD and the civilian agencies within [00:02:00] the federal government. So a broad spectrum of experience that has brought me to where I'm at today.

Host: I always forget that we have that Honeywell commonality in our backgrounds.

Tom Dymacek: Yeah. Yes, great company.

Host: In today's cybersecurity world, threats are really a result of hybrid attacks that target both physical and cyber assets. And while each can be targeted separately or simultaneously to result in compromised systems, why do you think that physical and cybersecurity divisions are often still treated [00:02:30] as separate entities and separate leadership structures?

Tom Dymacek: Yeah. For a few reasons. I mean, one, the technology is moving very quickly. Right. So entities are having to adapt their infrastructures to accommodate and move everything into a unified platform. And not everybody is moving as quickly. And also the threats are changing so rapidly as well. Understanding those threats is complicated. There's also a lack of [00:03:00] personnel in the workforce that has the skillsets to meet these demands. So I think the adaptation, it depends upon which entity you're working with and, in the federal government, which agency, on how quickly they can move, and large organizations have a hard time adapting, right, because of the size. Also, the risk levels play a factor. So if the risk levels are perceived lower because of what they do or what the mission is, then they're not as likely to adapt as quickly. So there's many factors [00:03:30] that contribute to those challenges.

Host: How have the adoption and integration of internet of things and industrial internet of things devices led to an increasingly interconnected mesh of cybersecurity systems, or cyber-physical systems?

Tom Dymacek: Yeah, sure. So there's a lot of good reasons for this. I mean, there's a lot more data out there that's being put on the network, and for good reasons, because they need that data in order to improve efficiencies and meet mission. [00:04:00] That data's also getting much bigger. So as the data comes on the network because of the need, and that data changes because of the size, and the analytics associated with that data are also changing, that has led to the increase in the space, which has also created some challenges as well.

Host: How can efforts to build cyber resilience accelerate the adoption of advanced technologies with introduced security risks [00:04:30] in such an evolving threat landscape? How does all that work together?

Tom Dymacek: Well, there's been a history of lack of interdepartmental collaboration, and I think that's the biggest challenge right now. For example, the facilities departments, the physical security departments and the IT departments were much more siloed. Right. And now you're asking them [00:05:00] to work together. So the technology has the capabilities to do it, but you've got to get the people wanting to do that. And so I think that helps increase the risk by the lack of adoption. So I think the collaboration efforts obviously need to be improved. Some of the workflows need to be shared within the different elements of the organizational structure in order to mitigate those risks.

Host: How can a successful [00:05:30] cyber or physical attack on connected industrial control systems and networks disrupt operations or even deny critical services to our everyday society?

Tom Dymacek: Well, you say the word deny. I mean, a denial of service or DoS is a cybersecurity person's worst nightmare because that means they can shut things down. But there's many levels on which this can affect us. Certainly from an industrial control systems standpoint, if you're looking at physical access control systems, they can gain unauthorized access [00:06:00] or deny access. You can shut down, for example, building control systems that affect the heating and cooling of environments, which can affect the networks that require the cooling in order to function properly. Or in the case of the medical world, affect medicines or treatment centers as well as the data environments that I've mentioned. Also, you can gain access [00:06:30] and introduce chemical agents. We had this concern back in my Honeywell days, where with the ability to gain access, you could introduce some type of chemical agent to damage personnel.

On the PLC side, this is another factor. So we've seen this, probably one of the most famous cyber attacks was the Stuxnet virus, which attacked the Siemens PLCs and shut down the controls of the nuclear power facility in Iran. So [00:07:00] many, many levels this can affect us negatively. We've seen it recently with some of our gas availability issues a few years ago. And finally, I think one that doesn't get as much attention is PII data, or personally identifiable information. So even though there's some organizations that are perceived low risk, because if they're shut down it doesn't necessarily affect our infrastructure, there's the value and the data [00:07:30] of that personal information. So that affects us certainly individually.

Host: What is the Interagency Security Committee and what is its purpose? That's one I'm not familiar with.

Tom Dymacek: So they're part of, they're kind of quietly in the background doing some really great things. I mean, they're part of CISA, which is the Cybersecurity and Infrastructure Security Agency under DHS, the Department of Homeland Security. They were basically created right after the Oklahoma City bombing [00:08:00] through executive order by President Clinton at the time. And their primary function, still their primary function, is to address the security needs of protecting people and facilities, government facilities. So how can we do that and how can we do it better? So it's very collaborative and cross-functional. There's many working groups, and many, many agencies within the government are part of this. And so they govern policy and put out recommendations [00:08:30] on how we continually address all these threats, including the cyber threats, and how we help protect our people and our facilities within the federal government.

Host: That's really interesting. Like I said, I wasn't familiar with that one. That was a new one for me. So what about some of the new requirements and guidelines that have become so challenging being that there are responsibilities both at the federal and contractual levels?

Tom Dymacek: Yeah. So the challenging part is, [00:09:00] as we're converging the data, right, i.e. converging the technology, there's old compliance that we've had to deal with in the different siloed work areas. And now you're converging those, and that also creates new compliance. So that creates complexity. And because it's moving so quick, trying to adapt is even harder. And so especially if you're a manufacturer and you have to change how [00:09:30] you engineer or design things in order to meet that compliance. So that creates a lot of the complexity. And again, as you move all of this data into different types of infrastructures, a converged infrastructure or unified infrastructures to include cloud environments, even that creates even more layers of compliance and issues. And then finally you add the supply chain security issues. The DOD [00:10:00] is addressing this with their CMMC, or Cybersecurity Maturity Model Certification. How do we secure the supply chain that's associated with all of this new convergence? So there's many layers of complexity, and I think that those are the challenges that we're struggling with daily.

Host: What recommendations do you make in those situations, or in many of these situations? How are we addressing new challenges in compliance and security?

Tom Dymacek: Yeah, I mean, I think the key [00:10:30] here is awareness and education. I mean, again, depending upon who you work with or talk to, there's just not enough people who, they may know different areas of expertise, certainly within their areas of subject matter expertise, but looking at it holistically is not something that's done because of how we were set up organizationally in the past. So education, collaboration is really the key. Working together. [00:11:00] There's a few, CISA for example, has what they call, they have their own vulnerability disclosure program, and you're seeing more of this within private companies, where vulnerabilities are publicly shared so we can help each other out. The DOD also has their Defense Cyber Crime Center, or DC3, which also has their own vulnerability disclosure programs. So the more we share and communicate with each [00:11:30] other and share the risks associated with what we're finding out there, the better we can help each other and protect our people and assets.

Host: Is there anything else you want to mention? I think it's a really interesting topic, especially when you see, like what we talked about early on, the physical and cybersecurity divisions often still being treated as separate entities when in fact physical and cyber security are really converging in the IT community.

Tom Dymacek: Yeah, I think [00:12:00] if you look at why we're converging, it's really important. I mean, the need to do that has always kind of been there. When we were working in those siloed spaces in the past, yeah, it worked fine then, kind of, but it doesn't work now. And especially, again, going back to the data, this is a data-centric model with all the data we have, the size and scale of it, in order to use that efficiently and help with mission, then we have to pull together, [00:12:30] so. But again, that opens up different risks and challenges.

And so in my opinion, it's a very exciting time for a lot of those reasons. It can also be a very scary time. But again, I think it's not going away. It's moving quickly, but there is a great opportunity for us, again, if we work together and collaborate and educate each other. That's really the key. And this definitely needs to happen with the younger folks out there as they come out of [00:13:00] schools, and make sure that our educational system is making those folks aware of the opportunities that are created by this, both good and bad, and how they can help as well.

Host: Tom, thank you for joining Humans In Tech today. We really appreciate you taking the time to discuss these important challenges.

Tom Dymacek: Oh, thank you. It was great.

Host: And for our audience, please like and subscribe if you enjoyed this podcast.

Voiceover: The problem isn't security, it's awareness. Velocity Vision is the future of [00:13:30] visual surveillance, an intelligent video management solution that delivers real-time situational awareness in an open security platform. Integrate with your existing systems, verify your environment in one pane of glass, and increase the efficiency of your security operation. Get full control of your environment when and where you need it. Learn more at Get access control anywhere, anytime for less money out of pocket. [00:14:00] Highly secure Freedom Cloud is a cloud-based access control as a service offered through a cost-effective subscription model, allowing users to control, manage, and maintain their physical access control systems via Freedom's intuitive, always up-to-date, browser-based web administration. Learn more at Physical security, identity verification, the IoT. The hyper-connectivity of our lives will only grow more [00:14:30] pervasive as technology becomes more automated and experiences more augmented. It's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?