Convergence: Physical Security and Business Continuity Meet their Moment
Seventeen years ago, two security professional organizations began promoting the philosophy of security convergence. ASIS International and the Information Systems Audit and Control Association (ISACA) banded together in 2005 to create the Alliance for Enterprise Security Risk Management (AESRM) to promote the concept of security convergence.
To them, security convergence meant not only combining physical and cybersecurity, but also integrating the security responsibilities held within human resources, crisis management, and operational lines of responsibility, according to a 2007 Deloitte whitepaper on the concept. At the time, though, just 24 percent of surveyed respondents’ organizations had some form of convergence in place.
“How security is perceived may also be an obstacle to convergence. At present, physical and information security are viewed as separate functions with major differences,” wrote Adel Melek, partner, global leader, Security and Privacy Services, Deloitte, and Ray O’Hara, CPP, then chairman of AESRM, in the whitepaper. “There is little doubt that perceptions will have to change before the convergence of physical and information security functions becomes an accepted way of managing security risk. Convergence is intuitive and logical—but it has not yet arrived.”
But the post-9/11 wars, the rapid advancement of technology, the explosion of Internet of Things devices, extreme stress on the supply chain, a lasting security workforce shortage, and the COVID-19 pandemic may have led to a change in perception that will usher in the moment for security convergence. That seems to be the finding in the most recent research on the topic, Security Convergence and Business Continuity: Reflecting on the Pandemic Experience, published in September 2022.
The ASIS Foundation sponsored the research, which was conducted by Justice & Security Strategies, Inc. (JSS), and DTE Consulting. The researchers surveyed and analyzed responses from 1,092 individuals in 89 countries and regions about their organizations’ convergence status and their views on convergence, and conducted 21 follow-up interviews to explore the survey responses further. The study builds on separate convergence research the foundation conducted in 2019.
More than 60 percent of those respondents indicated that their organizations had now fully or partially converged their security functions (29.3 percent fully converged, 31.2 percent partially converged, and 39.5 percent not converged). Similar to the 2007 report, the foundation convergence research focused on the melding of cyber and physical security with business continuity planning.
“Most companies that reported partial convergence merged their physical security and business continuity practices,” according to the report. “One of the reasons that convergence with cybersecurity appears to be lagging behind physical security and business continuity convergence may be due to differences in the skill sets required for oversight of each function.”
In a follow-up interview to the survey, for instance, one respondent said that the specialization for cybersecurity and physical security makes it difficult to find someone who excels in both arenas—slowing the organization’s ability to converge these functions.
Martin Gill, managing director of Perpetuity Research and Consultancy International and vice chair of the ASIS Foundation, says one reason for this discrepancy might be that the historical backgrounds of the physical security profession and the cybersecurity profession—which evolved from the IT world—could attract different types of individuals.
And these individuals may possess very different skill sets: cyber practitioners typically have a more robust knowledge of cybersecurity threats and tactics, hardware, and software, while physical security professionals are more familiar with security guards, the technology that supports access control measures, and facility management.
“Over time, that’s beginning to wear away with the modern thinking and approach to enterprise security—to treat all your risks as risk,” Gill says. “If there are risks, there’s a process on how they should be managed. In theory, this brings cyber and physical together.”
For converged organizations, most survey respondents said a CSO—or equivalent position—was responsible for the enterprise security risk management function, and all aspects of the organization responsible for critical asset protection reported to that person.
Within that organizational structure, approaches to convergence varied, with some taking functional approaches while others took procedural approaches. A functional approach could consist of structural changes, holding security trainings and awareness courses, developing policies, and making other real-world changes.
“An international security company with converged business continuity planning and physical security implemented a training program that temporarily placed physical security personnel in business continuity planning-related positions, while also putting internal business continuity planning personnel staff out in the field,” the report explained. “The idea of this program was to allow personnel from both sides to gain a better understanding of security procedures with a holistic view. This assisted the organization in obtaining better adherence to policy while individuals gained a broader perspective of security.”
On the flip side, procedural approaches to convergence focused on the organization’s missions and adopting a holistic framework for security functions.
“These methods were less concerned with action items or check boxes, and more concerned with the organization’s problem-solving approach,” the report explained.
Additionally, smaller organizations were more likely to be further along in their convergence journey than large organizations. The report revealed that nearly 74 percent of respondents from small and “micro” companies were fully or partially converged, compared to 52.5 percent of large companies and 64.4 percent of medium-sized companies.
Darrell Darnell, president of DTE Consulting and a lead author of the report, says he was surprised to find that smaller organizations were leading the way on convergence.
“I would have thought that larger agencies would have converged at a higher rate because of their reputations and the potential for more government oversight if a major incident occurred on their watch,” he explains.
Regardless of their organizations’ convergence status, 80 percent of respondents said that convergence strengthens various business functions: 83 percent said it was good for business continuity, 81 percent said it strengthened physical security, and 86 percent said it enhanced overall security.
There was an outlier, though—the enthusiasm for cyber convergence was markedly lower. Just 73 percent of respondents said convergence strengthened cybersecurity at their organization, with 23.7 percent saying it would make no change in the overall security posture.
This might be because the cyber function is often siloed within companies, and there is little understanding of how it integrates with and affects physical security and business continuity until an incident occurs—such as the Colonial Pipeline ransomware attack in 2021, in which an attack on the company’s IT systems led it to shut down pipeline operations, turning a cyber incident into a physical security and business continuity event.
“Colonial Pipeline was thinking like that—that we’re a pipeline and not really understanding how a separate physical, cyber, and business continuity approach affects them,” Darnell says. “Now they’re fighting to merge that physical security with them.”
While this might be the response for now, many respondents who said their organizations were not converged noted that they would be taking steps to do so in the future. Nearly 44 percent said they anticipated converging two or more security functions in the future, compared to previous ASIS Foundation research in 2019 that found that just 30 percent of respondents were prepared to take similar steps.
One of the reasons behind this move could be that more security practitioners are expected to place an emphasis on business continuity in the wake of the COVID-19 pandemic.
“Clearly organizations understand the importance of having business continuity planning for all types of contingencies,” says Craig Uchida, president and co-owner of JSS and another lead author of the report. “I also think they are starting to reassess exactly what business continuity planning means to their organizations, as it will look different depending on your organization, industry, size, and other factors.”
Respondents also said that demonstrations and social unrest were affecting how their organizations viewed security measures, and they were changing their approach to business continuity planning and convergence in response.
One respondent said, “these events forced us to be prepared to identify and respond to events globally 24/7/365 and be able to understand the impact on our assets; escalate issues to appropriate response teams quickly; reach out and account for our employees and their safety; and assure we can have a resilient supply chain in the face of disruptive events,” according to the report.
To assist security practitioners who may work for an organization that is not converged, the report’s authors made six recommendations: clearly define convergence and its benefits to the organization; assess the need and determine if convergence is practical; create and develop a convergence strategy that fits the organization’s goals; recognize the inherent difficulties in merging different personalities and processes; implement evidence-based best practices and strategies aligned with the overall goals of the organization; and conduct and provide convergence training and educational opportunities for staff.
One South African security company, for instance, provides physical security to its clients. To ensure that the firm was considering cybersecurity risks as part of a converged approach, its owner required security officers to work with the IT team to understand the work it was doing.
“And he would have the IT folks do a tour with the physical security folks, so they could understand how the equipment was being used,” Darnell says, adding that it was a way to educate the entire organization about various risks and habits that might play into its overall security posture.
The report’s authors also emphasized that leadership—from the CEO to the president and other executives—is extremely important for organizations considering converging their security functions.
“There are people, places, and technology that are intertwined with these functions,” they wrote. “A strategic plan has to be developed. There has to be communication and transparency, and a good explanation for why convergence is taking place and the benefits for employees and the organization. Employees at all levels must be given an opportunity to play a part in the convergence process, including opportunities for re-training if necessary.”
This requires a recognition that while convergence will impact how the organization functions from an operational perspective, it also has ramifications for employees.
“The CEO needs to be involved to say how it’s going to affect the workforce. ‘How is this going to affect me? When we converge, am I going to lose my job or be retrained? Will I have more responsibility but my pay stay the same?’” Darnell says, adding that executives will need to clearly communicate with their employees to successfully converge.