Convergence Drivers: Conditions Point to Increased Physical and Cybersecurity Integration
After nearly two decades of talking about it, businesses may finally have reached the tipping point where more and more physical security departments will converge with IT security and business continuity into a single security function.
In an ASIS International webinar last week, Brian Allen, CPP, CISSP, CFE, CISM, who works in EY’s National Cyber Security Advisory Practice and is the chair of the ASIS Foundation, and Michael Gips, CPP, CSyP, CAE, a long-time executive of ASIS International and currently the principal of Global Insights In Professional Security, examined how the environment has shifted in ways that lead to a converged security function.
The webinar was the second of two webinars delving into the results of the ASIS Foundation study, The State of Security Convergence in the United States, Europe, and India. The study is free to ASIS members and the webinars (overview webinar free to all and the deeper dive free to ASIS members) are sponsored by Alert Enterprises.
According to the study, approximately one quarter of organizations have converged their physical and IT security departments. That number may increase significantly in the next couple of years, as Allen cites the following conditions, which he calls “convergence drivers.”
There is no zero-risk environment for organizations today. The expectations top executives have of their security departments, including business continuity, physical security, and cyber security, are that those departments enable them to manage the business through a security risk conversation. “They’re not satisfied with what they’re receiving today from the security departments, which are not geared to helping them make strategic risk decisions.”
The regulatory landscape is changing. Governments are increasingly looking at the risks businesses face and asking if they have proper executive oversight. Are executives able to articulate and defend a business’s risk tolerances? Do they have a security strategy? And increasingly, the tone of regulators is switching from the carrot of incentives to the stick of fines and penalties.
Security’s role in post-event response is growing in importance. Security functions have traditionally focused on pre-incident matters: establishing controls and safeguards, emergency preparedness, and mitigation planning. There is new emphasis on the post-incident conversation. “Because there are no zero-risk environments, many C-suite conversations are starting to look at what happens [after] there is an incident. It’s not always a technical response. It’s ‘How would we recover as a business?’ Whether it’s physical or cyber or information, it’s not a siloed conversation. It’s ‘Are we prepared to respond?’”
The risks are converging. Cybersecurity has always had a risk-based posture, but executives are starting to see all security functions as risk functions. “Because of digitalization, cyber is clearly a focus, but why only build a cyber posture when you can build a security posture? These silos have to start breaking down. Not because there’s a goal of convergence, …but because the risks are converging [around] the impacts on business resiliency and business disruption. Companies need to be prepared to move forward with response. As these risks converge, it’s starting to demand that solutions converge with them.”
The tactical emphasis of security is giving way to the strategic importance of security as technology across security functions is integrating. The siloed nature of separate security departments arose because security was defined tactically: setting a physical perimeter, controlling access, and hardening digital defenses. Security as a risk practice, however, means taking a strategic approach, which means developing a security posture in which all security functions work together. And the digitalization of physical security functions, from access control to investigations, points to the need for technical integration. “There is a need for shared practices. Take security operations centers: I’m not sure why you need one for cyber and information and need another for physical security. They do similar things: situation awareness, communicate out when there is an issue, situational response. Tactically they’re different, but their purpose points to a shared practice.”