​

A NEWLY RELEASED STUDY shows that having an enterprisewide view of risk rather than an asset-based view helps build a stronger security posture for an organization. The study shows that the convergence of functions that have security implications, whether they are in the IT department or elsewhere, also helps avoid any gaps that may exist when departments are not working together. As a result, the organization is more secure and can quickly resume operations in the event of a catastrophe.

The survey was conducted by Booz Allen Hamilton (BAH) for ASIS International, the Information Systems Security Association, and the Information Systems Audit and Control Association. Thirty-six global companies in a variety of industries, including financial services, pharmaceuticals, biotechnology, and healthcare, with revenues ranging from $1 billion to more than $100 billion, responded to the survey. In addition, BAH conducted follow-up interviews with 14 senior security professionals from responding companies.

What exactly is convergence?

For IT professionals and physical security professionals alike, the term is often used to mean simply the integration of physical and computer security assets, such as when an access control system runs across the company network. When that happens, it raises turf and responsibility questions, such as who should be involved with purchasing technology that affects assets traditionally under the purview of two different departments.

But that integration is only one aspect of convergence, which has much broader implications for all security professionals, as well as other executives and workers across an organization.

Timothy L. Williams, CPP, vice president of corporate and systems security with Nortel and treasurer of the ASIS Board of Directors, explains that convergence means having an enterprise security strategy that’s integrated across an organization; it’s not about organizational charts. “It doesn’t matter whether you report to somebody,” Williams says. “It’s how you functionally work together.”

How companies achieve convergence may vary. It could be through a chief security officer (CSO). But former ASIS secretary, Raymond T. O’Hara, CPP, senior managing director with Vance, says, “We’re not saying that every organization needs a CSO. It’s a nice model from an organizational standpoint, but if it doesn’t work with your organization, you can’t force that issue.”

In fact, the study found that this organizational option—putting all security under one chief—was the “common first choice” among organizations attempting convergence. But it was found to be a “flawed option” whose “rather predictable result” was a decline in the influence of some of the players.

An alternative that works better, according to the study, is a “council of leaders” approach in which “all stakeholders… use a common language: the language of business units.”

ASIS President Jeff M. Spivey, CPP, PSP, explains that this approach allows “security to have access to the decision makers in the C-suite. By having that approach, you’re also making sure that the voids that may be there in the silo approach don’t exist.”

The key is to adopt an enterprisewide view of risk rather than an asset-based view, says Spivey, who is head of Security Risk Management, Inc., in Charlotte, North Carolina. That approach makes it clear that representatives from safety, legal, contingency planning, disaster-recovery groups, and others who may not at first glance appear to have security-related functions need to be working together and sharing information to help the organization be prepared for, and respond to, a disaster.

So who leads this process? Spivey says there are two options: forward-thinking executives and grassroots efforts. “There’s an evolution going on in the C-suite,” he says of the first option, citing the rise in appointments of chief risk officers.

Grassroots efforts occur as a result of relationship building. For example, one of the study’s respondents says, “Go have a beer with your colleague,” and another tells the story of one organization that helps to build these internal relationships “by holding executive coffee events three times a week.” These coffee klatsches are now “a hugely successful part of the corporate DNA” and have helped to promote security convergence.

The study notes some concrete benefits to convergence, such as one company in which physical security was looking to standardize door-access badges while IT security was developing a virtual private network. “The two groups…worked together to conduct common risk analysis and return on investment (ROI) justification for combining projects,” and the resulting collaboration helped the projects achieve the best ROI.

Another company had its physical security investigative team working with its computer forensics team to reduce computer abuse, “which resulted in a 25 percent increase in available bandwidth.”

One company created a “security professional” career path in which members rotate through “physical, information, business unit, and corporate functions to attain a comprehensive ability to understand and operate across all domains,” while a federal agency cross-trains those employees tasked with business continuity and IT recovery planning.

These anecdotes underline one of the study’s conclusions: “Security personnel who understand physical and information security can evaluate a wider spectrum of risks and vulnerabilities and determine the most effective (and cost effective) method with other options, both information or security related.” Williams adds that security professionals need to see themselves as enablers, not power brokers, to help “bring these disparate groups together.”

The study notes that convergence is “a business trend with a great deal of momentum,” and security experts agree that the survey provides hard evidence that convergence is not only a growing trend but also a corporate necessity.

The convergence survey “presents a grand opportunity now that we have more empirical evidence rather than just a hunch that this is the right way to go,” says Williams. It shows that “this is what the organization needs.”

Spivey adds that the results of the survey show just how important the issue of convergence is. “It brings clarity to a trend,” he says.

“You have a trend toward the enterprisewide risk model, and for security to be relevant five to seven years from now, professionals need to understand the shift in the sands, to make sure that they’re part of it.” This will ensure that years from now, Spivey says, “we as a profession are relevant.”