How Converged Are Corporate Security Functions?

For well over a decade, corporate security leaders have been talking about idea of converging the physical security, cybersecurity, and business continuity functions into a centralized department responsible for protecting the organization from all types of security threats. Despite the talk, the general consensus in the security sector is that few organizations actually went through the idea to create a converged security department.

Earlier this year, the ASIS Foundation initiated a groundbreaking, in-depth study to examine how prevalent convergence really is; how converged companies organized their security functions and what, if any, benefits they derived; and why other companies have chosen not to converge. The research led to the recent release of The State of Security Convergence in the United States, Europe, and India, which is sponsored by Alert Enterprise. The Executive Summary is available to anyone, and the full report is free for ASIS members.

Michael Gips, CPP, is the former ASIS chief global knowledge officer and currently leads GIPS, a security consulting firm, and he is one of the coauthors of the report. “The thinking behind [the study] is that everybody’s been talking about convergence and how it really makes sense to do it because it’s a more efficient use of resources, it will save organizations money, it will simplify practices and policies and procedures,” Gips said in a recent Security Management podcast. “But what we found was that with all the articles out there and all the presentations at conferences [saying convergence] was inevitable, no one’s every done any research on this. Is it really happening?”

Despite the talk, almost half of all respondents said there was no convergence at all of the physical security, cybersecurity, or business continuity departments. Approximately one in five have converged all three functions, and another five percent have converged physical and cyber. Still, even that relatively low level of convergence surprised the researchers.

“We found that there was about 25 percent convergence,” Gips said. “That surprised me and it surprised a lot of folks on the research committee because we thought it would be much lower. Some of the other folks who are CSOs or were CSOs or who work for big consulting firms haven’t seen many true converged cases at all.”

Among the benefits reported by those organizations that have converged, the hoped-for efficiencies are not the compelling case, at least not efficiencies that lead to cost savings: only seven percent of converged organizations report “reduction in security costs” as a primary benefit. Alignment of security strategy with corporate goals (40 percent) and enhanced communication and cooperation top the list (39 percent).