Electronic Security and the Act on the Protection of Critical Infrastructures
Over the years, the agencies managing key infrastructures and sectors have been required to comply with regulatory security standards. The Act on the Protection of Critical Infrastructures (PCI) adds to this regulatory foundation for operators classified as critical and, in many cases, is interpreted as a barrier holding back our business activity.
If we think of security in isolation from other business activities, and purely from a technological point of view, every security activity can look like a barrier or impediment to our internal processes, and security itself like a cost center. From a business-oriented perspective, however, business objectives are behind all requirements to protect the company.
The PCI Act offers us tools to identify all the critical assets and essential services of an operator. This knowledge is the foundation of the operator's maturity model for security management and business or service continuity, and of the subsequent technological, process and organizational measures that enable the efficient conduct of daily operations. Once the maturity of infrastructure security has been analyzed, we can classify it into three levels, according to how far the security processes have been optimized and aligned with operations.
Three security levels for three maturity levels:
- The basic level of maturity is a reactive security model that responds to incidents in isolation. The different subsystems of video surveillance, access control or fire detection do not communicate with each other, are difficult to expand and respond slowly to incidents. These are systems that have been deployed in a disorderly way, without any integrated security policy.
- At the second level of maturity, electronic security technology allows for the early detection of incidents, improving response times and bringing security processes under control through predetermined procedures and policies. The result is situational awareness and efficient security management that also enables improvement in production processes. Examples of how technology can help in developing the business include a single, hardware-agnostic security tool made up of multiple subsystems, with functional elements for improving business operations; video analysis systems that improve the customer experience; automated access controls that share data with specific operational systems to improve them; and the combination of security and safety.
- At the third level, we turn the security system into a strategic company asset, in which PSIM functions and the information cross-referenced between the multiple subsystems (among them, software security) are positioned to drive the business, turning the data into useful information for the company. This implies a smart system that learns from its own operation in order to incorporate new prevention protocols or improve existing ones, and automated action procedures that increase resilience and optimize security processes.
This approach to security strategy, which applies a business orientation to PCI Act implementation and treats technology as a means of protecting and improving business processes, positions itself as the most advantageous option for the growth and improvement of business and organizational activity.