Combined Mitigation for Cyber and Physical Attacks: Lessons from a Security Veteran
In today’s interconnected world, the line between digital and physical threats has blurred. Security professionals now face a daunting challenge: how to defend against combined mitigation strategies that target both realms simultaneously. At the (ISC)² Congress EMEA in Dublin, Barrie Millett, a seasoned expert with military and corporate resilience experience, shared invaluable insights on this pressing issue.
Why Combined Mitigation Matters for Modern Security
Millett, who has advised boards at E.ON and General Electric, now leads Cyber Rescue Alliance, focusing on critical national infrastructures. His core message is clear: organizations cannot treat cyber and physical security as separate entities. “You can’t be effective in silos,” he emphasized, stressing the need for a unified team approach.
This perspective is rooted in his physical security background. The same principles—constant testing, imaginative threat modeling, and cross-team collaboration—apply equally to cybersecurity. By adopting a combined mitigation framework, businesses can better anticipate and respond to hybrid attacks that exploit both digital vulnerabilities and physical weaknesses.
Learning from the Physical World to Strengthen Cyber Defense
Millett drew a direct parallel between natural disaster preparedness and cyber incident response. He cited Hurricane Sandy as a prime example of effective combined mitigation: teams worked together, moved people out of harm’s way, and tested their plans relentlessly. “Awful lessons will always be learned along the way,” he noted, “but the best possible chance for success is by working together.”
The Power of Testing and Imagination
One of Millett’s key recommendations is to “always think the unthinkable.” Security leaders must imagine how threats can morph and evolve. He warned that many CEOs are shocked to discover their networks have been compromised, often because they lack a clear understanding of what’s critical, what’s outsourced, and how to access vital information during a crisis.
To address this, Millett advocates for rigorous testing of all security plans. “Test, test, and test,” he insisted, noting that incomplete planning severely limits response capabilities and drives up costs. This approach ensures that combined mitigation strategies are not just theoretical but actionable under pressure.
The Convergence of State Actors, Criminals, and Terrorists
Perhaps Millett’s most alarming observation was the potential for threat actors to merge their methodologies. “My biggest concern is when the methodologies used by state actors and criminals morph into terrorist organizations,” he said. This convergence means that fiction is now reality—yet many organizations continue to ignore the signs.
He urged security teams to work closely with law enforcement, speak their language, and understand their command structures. By bridging the gap between private and public sectors, organizations can create a unified front against sophisticated adversaries. This collaborative spirit is essential for effective combined mitigation of cyber and physical attacks.
Building a Resilient Organization from the Ground Up
Millett emphasized that resilience is not a one-time project but an ongoing process. Leaders must engage their teams as individuals, understand their challenges, and empower them to contribute. “Our people are bright, and we don’t utilize their capabilities enough,” he remarked.
He also stressed the importance of connecting government and industry thinking, resources, and activities. “The physical and cyber worlds are connected—that’s a reality,” he concluded. “The price of failing to connect them is too great.” By embracing a holistic approach to security, organizations can not only survive but thrive in an increasingly volatile threat landscape.
For more insights on building security resilience, explore our guide on cyber-physical security strategies. Additionally, learn how to protect critical infrastructure from emerging threats.
