Read an Excerpt

SECURITY CONVERGENCE

Butterworth-Heinemann

Chapter One

If one accepts the premise that security is a weakest-link discipline, then no organization can truly approach being "secure" unless it considers all of its security risks when crafting overall security strategy and formulating risk mitigation decisions.

For many years, organizations have approached risk mitigation in an essentially siloed format where physical security is managed separately from information technology (IT) security, and separately again from internal audit, privacy, risk and emergency management, and other risk-oriented functions. The gulf between these silos inevitably increases duplication, bureaucracy, and cost.

Over the past few years, business drivers—a global economy and the rate of technical advancement—have compelled these previously independent business functions to become more integrated, to remain cost-competitive, to meet the burdens of new legislation, and to reap operational benefits available from new technologies. This evolution has been termed "security convergence."

A few discrete definitions of security convergence have evolved in recent writings on the topic. A couple examples by writers on the CSO online Web site are:

[T]he integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management.

and

Integrating historically stovepiped functions of operational risk management to achieve better security, oversight of enterprise-wide risk and cost efficiencies.

ASIS International defines convergence as:

The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business solutions to address those interdependencies.

Although there is probably no one definition suitable for all uses of security convergence, my definition would be:

Security convergence is the integration, in a formal, collaborative, and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.

Now, with that said, this definition may be a bit overstated only because security convergence can be as much or as little as is useful to an organization.

In practical terms, this activity is about bringing together likeminded people with similar or identical responsibilities for organizational asset protection, and getting them to talk and compare challenges. It has been said that this may initially be best accomplished by informally approaching your colleagues and taking them for a beer or a meal away from the work location. This bottom-up approach will work for many types of organizations whose culture allows for organic growth of ideas. In other organizations, where a top-down style is prevalent, this may be approached through a corporate directive to reduce costs, rationalize resources, or meet legislative responsibilities; either way, convergence can work. To be successful, convergence needs people with the right motivation, the willingness to explore the issues, and then a good plan. All around the world, security professionals have begun to study convergence in more depth and to continue to explore education or training in the sector of security to which they had not previously been exposed. Although still in its infancy, this cross-certification is becoming a reality.

A few writers on convergence have opined that true convergence or integration between security resources in an organization is not advisable or even possible. This seems a safe position to take for consultants or professionals who have not been in the trenches and seen the benefits of true convergence. For those who have converged their business groups and whose organizations are now experiencing the benefits, there is strong evidence that convergence is the future for the security function, whether implemented as a strategic choice by forward-looking security professionals or an action imposed by the organization to meet a business need or changing business environment.

KEY CONCEPTS OF SECURITY CONVERGENCE

Consider some basic, fundamental key concepts to start the discussion:

1. Both functions bring strengths to the new relationship.

2. The groups must learn to speak a common language.

3. The progress of security convergence needs to be slow and measured.

Both functions (IT security and physical security) bring strengths to the new relationship, and those strengths must be capitalized upon in order to address the inherent challenges in the broader business context. IT security requires technical expertise but not large numbers of staff, whereas physical security generally has the opposite; however, both groups can benefit by uniting their efforts. When these groups work together, the assets of each group can aid in threat mitigation, cost reduction, and improved efficiency throughout the organization.

It is safe to say that, in most organizations, convergence needs to be slow and measured. Introducing any organizational and culture change can be challenging, to say the least; changes with such far-reaching potential impact must be approached methodically. This process must battle historically different hierarchies, dissimilar cultures, and a language gap. Only after the groups begin to speak the common language of risk and begin to work together to improve security can the positive effects can be measured. Once understood and measured, the value of integration must be evangelized throughout the organization to promote continued convergence.

These groups must first learn to communicate in a common language. IT people know very little about patrolling buildings and arresting criminals, whereas physical security people are often equally baffled by firewalls, servers, and viruses. The common language between them is the language of risk. Both groups inform their reporting chain about risk situations that threaten or put at risk the organization's assets, regardless of whether those assets are people, information, or property.

Once this common language has been established, these groups can begin to discuss strategic and tactical issues that plague or threaten the organization, in terms of how they can be mitigated. Only then—once these teams are working together—can convergence begin to occur and its benefits be measured. A good example of this is to consider a proprietary guard force managing the security of a multi-building environment with thousands of employees. The guard force has many small but useful strengths, which can be leveraged to the benefit of the organization. The guards are constantly patrolling the facilities, which gives them an excellent level of knowledge about the normal conditions of the buildings.

Many groups are beginning to engage in security convergence through security industry associations, the vendor community, and formal alliances. Security industry associations have come together to educate members and develop strategic relationships moving forward. Guidelines have been developed for the Chief Security Officer (CSO) position in an attempt to advocate and benchmark the role of the senior security leader in an organization. A separate project exists to define the Chief Information Security Officer (CISO) position. These actions have been taken to educate industry professionals, human resource professionals, and senior management, and to mainstream these relatively new titles and positions.

Industry vendors have developed strategic partnerships similar to the Open Security Exchange Convergence Council, to develop technology to bridge the gap between physical and cyber technology environments. The following quote from the ComputerAssociates Web site highlights a 2003 study by Pinkerton Consulting and Investigations about collaboration between IT and physical security departments:

According to a recent research report by Pinkerton Consulting and Investigations, only 36% of all companies surveyed have formal procedures in place for the collaboration between the physical and cyber security departments. The lack of security management results in increased exposure, limited situational awareness, poor accountability and higher operating costs. The Open Security Exchange believes that the interoperability resulting from the use of its specifications will allow organizations to develop formal collaboration between different security functions and will enhance organizational security and operational efficiency.

Convergence engineering, a term recently coined by Shayne Bates of Koffel Associates, refers to the technical issues associated with the integration of logical and physical security. Not so long ago, information security (infosec) vendors protected networks and physical security vendors protected bricks and mortar, and the twain never met. Now that a growing roster of security companies operate in both spaces, as well as in other risk-related areas, we are likely to see an accelerated proliferation of products and security platforms which enable organizations to manage both physical and IT security risks with one product. For example, Brink's Armored Car now offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is collaborating with smart-card vendors such as HID Global Corp. in the Open Security Exchange consortium to develop a network and building access standard called Physbits. Kroll, historically a physical security services provider, now owns Ontrack Data Recovery. Although these are the initial entrants into this new business sector, the market for these products will undoubtedly continue to grow, attracting more and larger manufacturers to the sector.

Probably the most prolific effort to define security convergence mounted to date is the organization created by the International Systems Security Association (ISSA), the Information Systems Audit and Control Association (ISACA), and ASIS International: The Alliance for Enterprise Security Risk Management (AESRM). Created in 2005 to address the management of risks and emerging regulations that require a more thorough, enterprise-wide approach to security, AESRM's purpose going forward is to address issues surrounding the convergence of physical and logical security. AESRM has jointly funded security research on convergence and the effects of convergence on an organization's infrastructure.

Chapter Two

Free trade, the amazingly imprecise mechanism of eliminating or lowering barriers to cross-border trade, has accelerated businesses down the path of expanding the business reach of their organizations. These decisions were often made in a vacuum, with little input from operational departments such as corporate security. Because serious IT security was still a gleam in the eye of a few technology people at that time, global connectivity and supply chain management were developed with functionality, yet limited security, in mind. It was only when the true global businesses started to emerge that security began to be included in discussions such as protecting the supply chain, executive protection while traveling, and intellectual property protection.

(Continues...)

---

Excerpted from SECURITY CONVERGENCE by Dave Tyson Copyright © 2007 by Elsevier Inc.. Excerpted by permission of Butterworth-Heinemann. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---