Alison Wakefield, Louisa Schneller and Cody Porter detail how the significance of converged security has developed over the years, emphasising that while there is a widespread acceptance that a holistic approach to security is beneficial, many organisations have yet to adopt a fully converged model.
A recent research report for the ASIS Foundation, The State of Security Convergence, defines the concept as ‘security/risk management functions working together seamlessly to address security holistically and to close the gaps and vulnerabilities that exist in the spaces between functions’. For around two decades, the professional security community has actively promoted a converged approach to organisational physical and information security management, which might reasonably be expected to have reached maturity by now.
Yet the ASIS Foundation research concluded that fully converged security remains the exception rather than the rule, leaving organisations increasingly vulnerable as their adoption of, and reliance on, digital technologies accelerates. The World Economic Forum stressed the importance of collaborative solutions to cyber risk in its Global Risks Report 2016, stating ‘While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management’.
Technically, in the earliest days of organisational computing, when computer usage in organisations was mostly limited to data centres and their protection was focused on securing the physical infrastructure, converged security was the norm. The development of personal computers, new types of personal software and the expansion of chip technology led to their growing ubiquity in organisations from the early 1980s. The protection of IT systems required additional technical security measures, and it was from this point that information security began to evolve as a distinct business function and professional specialism.
While the main benefits of IT advancement were initially to organisations’ internal effectiveness, it became increasingly central to the realisation of strategic business objectives, for example, enabling the integration of the systems of suppliers and customers, and a matter for top management. Through the 1990s, information and the IT systems to support it came to be recognised as critical business assets and gave impetus to the development of information security practices and standards, including the precursor to the ISO 27000 family of international standards for information security, British Standard BS 7799, first published in 1995.
Since that time, computing power has multiplied many times over, the increasing ubiquity of digital devices has offered companies new ways of interacting with customers, and digital innovations like cloud computing, the Internet of Things (IoT) and artificial intelligence technologies are reconstructing how businesses function. The challenges presented to organisations by the COVID-19 pandemic, and necessary adjustments like the rapid expansion of home working, accelerated the adoption of digital technologies by several years and required numerous adaptations to organisational security.
The concept of Industrial IoT (IIoT) has entered the business lexicon to refer to the application of IoT to manufacturing and industrial processes, taking the risks to critical infrastructure to a new level. This urgency has been recognised by the US government, which established the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, and by CISA’s publication of a convergence guide in 2021. The guide advocates ‘an integrated threat management strategy’ reflecting ‘in-depth understanding of the cascading impacts to interconnected cyber-physical infrastructure’, and views a ‘culture of inclusivity’ as being ‘vital’ to the successful convergence of security functions and to ‘fostering communication, coordination, and collaboration’.
A 2016 report by the SANS Institute on Security in a Converging IT/OT World highlights the extent of the challenge to critical infrastructure, arguing that operational technology (OT) cyber security is ‘roughly a decade behind the maturity level of IT security in many ways’. Traditionally, IT and industrial control systems (ICS) have presented different risks and risk management priorities: information systems prioritise confidentiality, integrity and availability, whereas ICS prioritise safety and availability. The lifecycles of industrial equipment (and often its software) can run into decades, and such equipment is very expensive, making updates much more challenging. It is also difficult to create virtual versions on which tests can be run, so testing usually has to occur on the actual operational devices during scheduled downtimes.
Rising prominence but challenges remain…
It is now well-established that organisations need to assess risk holistically, identifying and mitigating vulnerabilities caused by increasingly interconnected and converging threats. A significant challenge in the development and implementation of converged security is that there can be no one-size-fits-all approach, given the varying requirements of different markets, industries and professions. More research is needed into different models and approaches, and security practitioners need to regularly update their learning in new security risk management approaches in general, and convergence approaches specifically.
Recruiting people with the right skill sets, and especially the required strategic, business and soft skills, was identified in the ASIS Foundation report as being crucially important. Its research cited confusion over roles and responsibilities, reporting lines and communication, as well as conflict among converged staff, as being continuing barriers to the effective implementation of convergence.
Our qualitative research findings similarly placed a strong emphasis on practitioner skill sets, while highlighting the importance of ensuring such skills are well-embedded in organisational security teams and the wider security profession, so that organisations are not left exposed if key employees leave.
Perhaps moves by government organisations such as the US government’s Cybersecurity and Infrastructure Security Agency to recommend cyber and physical convergence will promote a more codified approach. At the same time, the necessary knowledge and skill sets must be actively cultivated by the security practitioner and wider profession to secure organisational support for convergence, and ensure that security is effectively managed across often disparate units within organisations.
About the authors
Alison Wakefield PhD CSyP FSyI is a Professor of Criminology and Security Studies and Co-Director of the Cybersecurity and Criminology Centre, University of West London. Louisa Schneller MSyI FISRM is a Risk and Security Management Consultant at TeamMacro. Cody Porter PhD is a Senior Lecturer in Psychology, University of the West of England.