The word “convergence” ushered itself into the security industry more than 10 years ago, but it wasn’t until the early Aughts that every industry manufacturer, magazine and communiqué began bandying the term about like a puck on a hockey rink. Is anyone else tired of it?
This is certainly not to say that the concepts that make up “convergence” aren’t wise and shouldn’t be incorporated in some way into every security program. But I’m convinced that the way that we talk about those concepts is helping to hamper their growth and adoption. Let’s start with three reasons to strike “convergence” out of our vocabulary.
1. Because even we don’t know what it means. “Convergence” is no longer a new term. The fact that it has to be constantly defined, even in writings and seminars within our own industry, is not a good sign. “We used ‘convergence’ early on,” says Dave Kent, vice president of global risk and business resources for Genzyme and a member of the Board of Advisors of the Security Executive Council.
“We started bringing together physical and IT security in the late 90s, when ‘convergence’ was the leading edge,” he says. “There seems to be less clarity around it now than there was back then. It has gone from this grand idea of tying together risk-related functions to ‘Do your physical systems reside on the IT backbone?’ at the lowest level.”
Language exists to communicate meaning. If we can’t decide on a meaning for a word after all this time, maybe we should pack it up and retire the word. There are other terms that more narrowly and, perhaps, more accurately describe the various elements that different people equate with convergence. For instance, Terry Neely, President of PlaSec Inc., finds “systems interoperability” and “systems collaboration” helpful phrases to describe physical security systems’ cooperation with the other systems on the IT apparatus. Dave Kent refers to the organizational side of “convergence” – that is, the merging of the physical and information security business functions, as well as other functions in many cases, under common leadership – as a “unified model” of management.
Yes, these terms may need to be defined on occasion as well, but at least you know right away whether you’re talking about technology or business structure. Surely that’s a step up.
2. Because it implies a singular “rightness.” Industry bloggers, experts and watchers have been known to deride some security programs or technology implementations as employing less than “true convergence.” The word’s abstractness (see #1) appears to lend it a sense of superiority; the idea is that “convergence” is a very hard-won thing, like the Holy Grail of security, and if you don’t do it just so, then it isn’t really “convergence.” However, due to the inherent differences in security programs and the businesses they protect, there is no such thing as “true convergence,” and neither should there be.
What works well in one company or with one set of systems or infrastructure may not work at all in another, says John McClurg, vice president of Honeywell Global Security and a member of the Board of Advisors of the Security Executive Council. “Converged organizations come in all shapes and sizes and with varying degrees of seamlessness,” he says. Rather than one correct “converged” model, he says, “it’s more of a spectrum across which various organizations can distribute themselves in a converged world. Notwithstanding the temptation we often struggle with to see something as an exact science, this truly is an art. And art is that about which rational minds can and do differ.”
3. Because it doesn’t speak to management. “Here’s what best describes our program,” says Genzyme’s Dave Kent: “It’s a business security program, with an emphasis on risk as it relates to people, information, and products that are brought in contact with risk through global operations.” “Risk” is what corporate management and the Board of Directors are interested in.
In most cases, “convergence” doesn’t convey that focus. When it is defined for management (see #1), here’s what they’ll hear: “We want to combine business units (friction, tension, change) and our IT and physical security technology (expense, interruption, hassle).” “Convergence” puts the focus on change, cost, discomfort, on pushing two things together. And since you have to define it before you can talk about its benefits, all those negative connotations will be right up front to block the view of any business value you go on to propose.
It’s hard to win talking about “convergence.” It’s more effective to talk about risk. You want to reduce a duplication of effort and cost among various business units. You want to ensure greater protection of intellectual property and physical assets by managing risk in a holistic manner, combining physical and logical security technology and staff to accomplish better security. You want to improve information sharing between functions to better enable the identification of untapped efficiencies. That’s what speaks to management.
The thrust of all this is that “convergence” has become an ineffective word that unintentionally slanders some truly game-changing ideas. Bringing business units and technologies together to better address and manage risk is not only smart but necessary, and it’s a move from which many organizations have gleaned spectacular results.
Interlinked Threats Are Not Best Addressed in Silos
In Honeywell’s 2007 benchmarking study “Enterprise Threat Management and Security Convergence” only 30 percent of respondents claimed to have seen an interlinked breach – a physical security breach causing an IT security threat, or vice versa. However, nearly 73 percent of respondents believe vulnerability to such breaches exists. Honeywell’s McClurg easily relates examples of interlinked threats.
“In the early days when hacking and phreaking were just emerging as threats that the IT community was concerned with, I had occasion to go up against a phreaker who, with a rather unsophisticated pick set, had breached the 30-year-old locks on the doors of central offices of the phone company,” says McClurg, who ran security for a major communications company prior to joining Honeywell. “With that set he opened up the door into a realm in which he gathered passwords, equipment, and other things that enabled him to go back to his apartment, study them up, and advance a cyber attack that was far more sophisticated than he’d ever been able to conduct before.”
McClurg has also seen interlinked threats that run in the other direction, using cyber vulnerabilities to attack physical entities. “Supervisory control data acquisition systems can be remotely accessed in order to control physical systems which, if not properly secured, can be compromised to undermine the physical wellbeing of the systems those SCDAs control,” he says.
Well, you may think, certainly these types of threats exist, but if physical and information security are excellent, it shouldn’t matter whether they’re separate technologically or organizationally. The lock pick wouldn’t make it into the data room if physical security were done right, and the hacker couldn’t reach the SCDA if information security were doing its job. To that, McClurg replies with a name: “Harold James Nicholson. One of the highest-ranking spies ever arrested in the CIA. There are few places that have cyber security or physical security as good as that agency’s. There’s always the possibility of a trusted insider looking for ways to slip through.”
Interlinked threats are best addressed through an interlinked response. A unified model of management in which different units share information and alerts can help raise flags. Similarly, security systems that monitor and log both physical and cyber events, and may even respond to them in a coordinated fashion, provide a crucial extra layer of protection against interlinked threats.
Collaborative Models Provide Business Value
Both a unified structure of security management and a judicious use of interoperable systems technology truly can provide significant business value.
The unified structure under which Honeywell Global Security operates allowed McClurg to find efficiencies in risk assessment, for one. “With our business hat on, we’re looking for ways to deliver security services in the most economically efficient manner possible. An example in the business world would be combining IT and physical security risk assessments. Traditionally, you knock on the door of a business unit one week saying ‘We need to do an IT security review’ – you disrupt business, engage the employees in trying to extract the information necessary, and produce a report that you want them to read and digest. Then two weeks later, you knock on the door and the physical security guys do the same thing all over again. Convergence in that realm means doing your risk assessments in a converged way as well, so you knock only once, and you deliver one final product that provides full-spectrum visibility to your customers as to what the issues are and what action they should take. Less time, less money, more comprehensive, more enlightening. And you’re more likely to be engaged and viewed as a true partner in the business environment rather than a cost of doing business.”
On the technology side, Terry Neely of PlaSec Inc. describes how interoperable access control systems can provide benefits. “Once you’re able to authenticate a person’s identity, you’re able to correlate it to his physical location, and you can start writing all kinds of very nice authentication rules as to what he’s allowed to do where and when. It can be anything from financial institution regulations and governance, to setting different access provisions if you’re out of the country and you want to transmit intellectual property information from your hotel room, for example,” says Neely. “One of the things I see happening is physical access control becoming accessible to IT tools and practices, so that if there’s a change in the security posture on the network it can also put my doors into two-factor authentication or lock my data center doors.”
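The coordinated monitoring described in the previous section and the identity-to-location rules Neely describes above can be sketched in code. The following is an added example, not code from the article or from PlaSec, Honeywell or Genzyme: it correlates constructed badge-reader log lines with constructed logical authentication log lines, flags logins that do not fit the person’s physical presence, and shows a door-policy rule that tightens when the network security posture degrades. The log formats, field names, site names and posture levels are all assumptions made for the example.

```python
"""Correlate physical badge events with logical authentication events.

Added example, not from the article. The log line format
("<ISO timestamp> <kind> key=value ..."), the site names and the posture
levels are assumptions constructed for this demonstration.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs (not real data). Alice badges in, works, badges out.
# Bob badges in and stays. Carol never badges in.
BADGE_LOG = """\
2024-03-04T08:02:11 badge_in user=alice door=HQ-LOBBY site=HQ
2024-03-04T08:05:40 badge_in user=bob door=HQ-LOBBY site=HQ
2024-03-04T17:31:02 badge_out user=alice door=HQ-LOBBY site=HQ
"""

AUTH_LOG = """\
2024-03-04T08:15:03 login user=alice host=WS-HQ-117 site=HQ method=password
2024-03-04T09:20:45 login user=carol host=WS-HQ-204 site=HQ method=password
2024-03-04T10:00:00 login user=bob host=VPN-GW site=REMOTE method=password
2024-03-04T18:10:00 login user=alice host=WS-HQ-117 site=HQ method=password
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_log(text):
    """Parse the assumed 'timestamp kind key=value ...' format into sorted events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(datetime.fromisoformat(ts), kind, fields))
    return sorted(events, key=lambda e: e.ts)


def present_at(badge_events, user, site, when):
    """True if `user` badged into `site` before `when` and has not badged out since."""
    present = False
    for ev in badge_events:
        if ev.ts > when or ev.fields.get("user") != user or ev.fields.get("site") != site:
            continue
        present = ev.kind == "badge_in"  # the latest badge event decides
    return present


def correlate(badge_text, auth_text):
    """Return (timestamp, user, reason) alerts for logins that contradict physical presence."""
    badge = parse_log(badge_text)
    alerts = []
    for ev in parse_log(auth_text):
        if ev.kind != "login":
            continue
        user, site, host = ev.fields["user"], ev.fields["site"], ev.fields["host"]
        if site == "REMOTE":
            # A remote session for someone who is badged into a building is suspicious.
            inside = sorted({b.fields["site"] for b in badge
                             if b.fields.get("user") == user
                             and present_at(badge, user, b.fields["site"], ev.ts)})
            if inside:
                alerts.append((ev.ts, user, f"remote login while badged into {inside[0]}"))
        elif not present_at(badge, user, site, ev.ts):
            alerts.append((ev.ts, user, f"on-site login at {host} with no badge-in to {site}"))
    return alerts


def door_requirements(posture, door):
    """Coordinated response rule: tighten door authentication as network posture degrades.

    Doors named 'DC-*' are treated as data-center doors (an assumption for the example).
    """
    sensitive = door.startswith("DC-")
    if posture == "normal":
        return {"factors": 1, "locked": False}
    if posture == "elevated":
        return {"factors": 2 if sensitive else 1, "locked": False}
    if posture == "critical":
        return {"factors": 2, "locked": sensitive}
    raise ValueError(f"unknown posture: {posture}")


if __name__ == "__main__":
    for ts, user, reason in correlate(BADGE_LOG, AUTH_LOG):
        print(f"{ts.isoformat()} ALERT {user}: {reason}")
    print("DC-EAST under elevated posture:", door_requirements("elevated", "DC-EAST"))
```

Run stand-alone, the script raises three alerts from the constructed logs: Carol’s workstation login with no badge-in, Bob’s VPN login while he is badged into HQ, and Alice’s evening login after she badged out. The same two log streams kept in separate silos would show nothing unusual in either one, which is the point of the section above.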
Dave Kent has used interoperable systems both to centrally monitor global operations and to keep watch on his company’s supply chain. “We have a centralized program for product security, and the tools that are at work in that system notify us when we have supply chain problems, even just operational supply chain problems, or products that haven’t arrived on time or have been stolen. There’s no better example of a business driver than being able to deliver product to your customers, and this investigative process, the security of the product, the network aspect or control system for monitoring the product in the supply chain, are all interlinked and come back into one central system.”
“Our service center is another good example,” continues Kent. “We have 14 manufacturing plants and more than 100 locations, and we have one point of control with one access card all around the world, with four staff members handling it. And they’re not only doing physical security, they’re monitoring travelers around the world; they monitor the wireless intrusion system for the wireless networks; they have all sorts of intelligence coming in. The world is really just a virtual campus based on technology. You get the efficiencies of thinking like you’re one location.”
Words Matter
A 2007 study developed by Deloitte for the Alliance for Enterprise Security Risk Management concluded that “convergence” was developing at a slow pace, and that visionaries were leading the way. Clearly, many factors play into this delay. Dave Kent notes that it’s one thing to implement a unified management structure when your model can grow along with a growing company, and it’s quite another to go to the management of an 80-year-old organization and say, “I’m going to tear down what you’ve built and put in this because it’s a better idea.” This is the situation in which many leaders find themselves. PlaSec’s Neely claims that end users want what interoperable systems have to offer, but in many cases they don’t have the desire, money or expertise to do the programming required to make systems communicate. In this sense, closed, proprietary systems continue to take a toll on what can and can’t be done.
So yes, it is simplistic to blame the slow growth of interoperability and structural unification on the word we use to describe them. Yes, other factors are at play. Yes, if you use the word carefully and specifically in your program, you and your colleagues can share a clear understanding of its meaning. But how we speak impacts how we think as well as how we’re viewed by others. If “convergence” lacks meaning, both within our industry and in the eyes of the businesspeople you need to influence, maybe it’s time to leave it behind.
Watch Your Language
Instead of using convergence, consider these other terms:
For the combining or collaboration of functional roles and management structure:
Unified Risk Oversight™
Unified model of management
For the ability of physical access control systems (and others) to collaborate with the rest of the IT security apparatus:
Systems interoperability
Systems collaboration
While these terms may also need defining now and again, they are clearer than “convergence” and they shift the focus from change and cost to risk and opportunity.