The Case for Holistic Security: Why Cyber, Physical, and Psychological Security Must Be Integrated
Security Operations

Admin User
·
Feb 25, 2026
·
9 min read

The Problem with Security Silos

Most organisations treat security as three separate disciplines. The IT department handles cybersecurity. A facilities team or external contractor manages physical security: access badges, CCTV cameras, locks. And human resources, to the extent anyone does it at all, addresses what we might loosely call "people security": vetting, insider threats, social engineering awareness. These three domains almost never talk to each other.

This compartmentalisation is not a theoretical weakness. It is the most exploited gap in modern security. Attackers do not respect your organisational chart. A determined adversary will combine a phishing email with a physical tailgate entry, exploit a psychologically vulnerable employee, and move laterally through systems that no single security team was monitoring end-to-end.

ObsidianCorps was founded on a simple observation: the most devastating security failures we investigated always involved a failure at the intersection of cyber, physical, and human domains. The attack succeeded precisely because no single team had the complete picture.

Understanding the Three Domains

Cybersecurity: The Digital Perimeter

This is the domain most organisations invest in most heavily, and with good reason. It encompasses network security, endpoint protection, identity and access management, application security, data protection, and incident response. The tools are mature, the frameworks are well-established (ISO 27001, NIST CSF, CIS Controls), and the talent market, while tight, is at least recognised.

But cybersecurity alone has blind spots. It typically assumes that physical access is controlled and that users are who they claim to be. When those assumptions fail, even excellent cyber defences crumble.

Physical Security: The Material Perimeter

Physical security covers access control to buildings and sensitive areas, surveillance, environmental controls, and protection of physical assets. In Luxembourg, particularly in the financial sector, physical security standards are often high, driven by regulatory requirements from the CSSF and data centre standards like ISO 27001 Annex A.11.

The weakness of physical security in isolation is that it focuses on preventing unauthorised physical access but often does not consider how physical access can be leveraged for cyber attacks. A USB device left in a parking lot, a rogue device plugged into an unmonitored network port, a shoulder-surfed password at a hot desk: these are cyber attacks that originate in the physical domain.

Psychological Security: The Human Perimeter

This is the least mature and most underinvested domain, yet it is where most attacks begin. Psychological security encompasses understanding how people make decisions under pressure, how trust and authority are exploited through social engineering, how insider threats develop, and how organisational culture and stress levels affect security behaviour.

Social engineering is not a purely technical attack. It is a psychological manipulation that exploits cognitive biases: authority bias, urgency, reciprocity, social proof. Defending against it requires understanding human psychology, not just deploying email filters.

Attack Surface Convergence: How Threats Cross Domains

The concept of attack surface convergence describes what happens when attackers deliberately combine tactics across cyber, physical, and psychological domains to achieve objectives that would be impossible within any single domain.

Example 1: The Executive Compromise

An attacker researches a CFO on LinkedIn and social media (open-source intelligence, a cyber technique). They observe the executive's daily routine, including their preferred lunch restaurant (physical surveillance). At the restaurant, they strike up a casual conversation, building rapport (psychological manipulation). Over subsequent "chance" meetings, they learn about an upcoming acquisition. They then craft a highly targeted spear-phishing email referencing specific details from the conversation. The CFO clicks because the email feels authentic; it references real, private context.

No single security domain would have detected this. OSINT monitoring might have flagged the reconnaissance. Physical security awareness might have made the executive cautious about the "chance" encounter. Cyber defences might have caught the phishing email. But only an integrated approach connects these dots.

Example 2: The Insider Escalation

An employee is passed over for promotion and is visibly disgruntled (psychological indicator). They begin accessing files outside their normal scope (cyber indicator). They start coming into the office at unusual hours (physical indicator). They update their LinkedIn profile and begin connecting with competitors (OSINT indicator).

In a siloed organisation, HR sees a morale issue, IT security sees anomalous access patterns, and physical security sees unusual badge swipes. Nobody connects these signals into a coherent insider threat picture until data has been exfiltrated.

Example 3: The Supply Chain Physical-Cyber Bridge

An attacker compromises a cleaning company that services an office building (supply chain, physical access). A cleaner, either witting or with a compromised badge, plants a small network implant (a device resembling a phone charger) behind a desk after hours. The device provides persistent remote access to the internal network, bypassing all perimeter cyber defences. The initial breach vector was entirely physical; the exploitation was entirely cyber.

Why Integration Fails: Organisational Barriers

If the case for integration is so clear, why do organisations still operate in silos? Several structural barriers persist:

  • Reporting lines: Cybersecurity reports to the CIO or CTO. Physical security reports to facilities or operations. HR reports to the CHRO. They have different budgets, different priorities, and different metrics.
  • Professional cultures: Cybersecurity professionals speak a different language from physical security professionals. They attend different conferences, hold different certifications, and often have different risk tolerances.
  • Tooling gaps: Cyber SIEM platforms do not ingest physical access logs. Physical security systems do not correlate with identity management platforms. There is no unified dashboard.
  • Budget competition: Security budgets are finite. Cyber, physical, and training teams compete for the same funds rather than investing in integrated capabilities.
  • Regulatory fragmentation: Different regulations emphasise different domains. CSSF circulars focus on IT risk. Fire safety regulations focus on physical security. GDPR focuses on data protection. Compliance teams address each in isolation.

The ObsidianCorps Holistic Security Assessment Framework

We developed a practical framework for assessing and improving integrated security posture. It evaluates five dimensions across all three security domains:

Dimension 1: Governance and Leadership

Is there a single point of accountability for security across all three domains? Does the board receive an integrated security briefing, or do they get separate cyber and physical reports? Is there a unified security strategy?

Dimension 2: Risk Assessment

Does the risk assessment consider cross-domain attack scenarios? Are threat models limited to cyber threats, or do they include physical and psychological attack vectors? Are scenarios like those described above part of the threat landscape analysis?

Dimension 3: Detection and Monitoring

Can you correlate events across domains? If an employee badges into the building at 3 AM and simultaneously logs into the VPN from a foreign IP, does anyone notice the contradiction? Are physical access logs, cyber event logs, and HR flags feeding into a common analysis process?

Dimension 4: Response and Recovery

Does the incident response plan cover physical security incidents? Social engineering incidents? Insider threats? Or is it purely a cyber incident playbook? Are crisis simulations multi-domain, or do they only test IT capabilities?

Dimension 5: Culture and Awareness

Does security awareness training cover physical security (tailgating, clean desk) and psychological manipulation (social engineering, pretexting) alongside phishing? Is reporting encouraged across all domains? Can an employee report a suspicious physical observation as easily as a suspicious email?

We score each dimension on a maturity scale from 1 (ad hoc) to 5 (optimised), generating a radar chart that visually highlights integration gaps. Most organisations score well on individual domain capabilities but poorly on cross-domain integration.

Practical Steps Toward Integration

Full integration is a multi-year journey, but meaningful progress is achievable in months. Here is where we recommend starting:

Step 1: Unified Reporting

Establish a single security briefing for leadership that covers all three domains. This does not require a reorganisation. It requires a monthly meeting where the CISO, physical security lead, and HR security representative present together and discuss intersections.

Step 2: Cross-Domain Threat Scenarios

Add at least three cross-domain scenarios to your risk register. Model the attack paths described in this article and assess your current ability to detect and respond. Use these scenarios in your next crisis simulation exercise.

Step 3: Log Correlation

Feed physical access control logs into your SIEM alongside cyber event data. Most modern access control systems can export syslog or CSV data. Even basic correlation rules, such as alerting on VPN access from outside the country while the user's badge shows them in the building, provide significant value.

Step 4: Integrated Awareness Training

Restructure your security awareness programme to address all three domains in every session, rather than treating physical security and social engineering as separate topics. People encounter these threats in an integrated way; training should reflect that reality.

Step 5: Joint Exercises

Run at least one crisis simulation per year that includes physical and psychological elements alongside the cyber scenario. Have the exercise include a physical intrusion attempt, a social engineering call, or a media inquiry, not just network alerts.

The Luxembourg Advantage

Luxembourg is uniquely positioned for holistic security adoption. The country's small size means that cyber, physical, and human security communities overlap significantly. Organisations like CIRCL provide excellent cyber threat intelligence. The financial sector's regulatory maturity under CSSF supervision means that governance structures are already in place. And Luxembourg's multilingual, multicultural environment creates natural awareness of social engineering vectors that exploit language and cultural assumptions.

The challenge is connecting these strengths into a unified approach. The organisations that do so will have a genuine competitive advantage, particularly in the financial services and fund administration sectors where trust and resilience are differentiators.

The Future Is Integrated

The trend is unmistakable. NIS2 requires "an all-hazards approach" to security. DORA mandates "digital operational resilience" that encompasses ICT risk management, incident management, and resilience testing. Insurance underwriters are increasingly asking about physical security and insider threat programmes alongside cyber controls.

Organisations that continue to treat cyber, physical, and psychological security as separate disciplines will find themselves increasingly vulnerable to attackers who do not share that compartmentalised worldview. The case for holistic security is not theoretical. It is operational, regulatory, and financial. The only question is whether you integrate proactively, on your own terms, or reactively, after an incident that exploited the gaps between your silos.
