On the Road to Security Convergence
By Dan Burgoyne
This constant buzzing around the industry is reminiscent of a long summer drive with a car full of kids droning the same question: “Are we there yet?” Convergence. When are we going to get there? And what on-ramps, roadblocks, and fast-lanes can security professionals expect along the way?
Operational technology (OT) and information technology (IT) were historically developed in siloed environments. The physical environment was typically the domain of OT while IT professionals concerned themselves with the interconnected world of data storage and transfers in cyberspace. That’s not to say the two didn’t share common security concerns and strategies.
We can point to three distinct phases in the evolution of convergence:
According to a study published by ASIS International, “The State of Security Convergence in the United States, Europe, and India,” for the past two decades, companies have been exploring, and some implementing, a holistic approach to security by blending physical, cyber, and business continuity together. Yet after years of the predicted inevitability of security convergence, the survey reported just 24 percent of respondents had combined physical and cybersecurity functions. When business continuity was thrown into the mix, that number climbs to 52 percent who had converged two or all three of the functions. For the remaining 48 percent who had not converged operations, 70 percent reported they have no current plans to do so.
Signs pointing to eventual convergence, however, continue year after year. Three main reasons continue to spark the interest of security professionals and business executives alike:
According to the ASIS survey, the biggest obstacle slowing organizations to adapt to combined systems revolve around people issues. Physical security departments are often set in a history of siloed traditions and functions. Personnel are often hesitant to give up or share control of what they consider to be core competencies including people management, intelligence, and investigations. IT professionals can be equally rooted in their own routines built around the latest technology, system innovations, and cyberthreats. Loss of authority, status, control, or staff are equally feared by both groups.
On the flip side to apprehension about this possible loss of control is the hesitancy there may be to take financial responsibility. When systems begin to merge there can be disagreements about which budget is hit.
The size of the organization also seems to be a factor. Larger companies are slower to adapt, taking more time to study the impact of convergence to make sure it aligns with business goals and culture. Smaller organizations with lean staffs and more modest cybersecurity and physical security requirements are quicker to combine responsibilities.
Finally, complacency can be a major impediment to security convergence. Organizations are often content with the status quo until an incident occurs or a mandate for change is declared by senior leadership. According to the ASIS study, 44 percent of firms surveyed have no form of convergence while many more are only partially converged. The report indicates that, for whatever reason, a disconnect between a good idea and a corporate imperative persists in many organizations.
The need to expand to meet the needs of customers ushered in the era of Enterprise-class systems providing a single unified database, system redundancy as well as centralized, regional, or even local autonomous control. Local Area Networks (LAN) and Wide Area Networks (WAN) connecting LANs over a large geographic area across the country and around the globe provide even more avenues to infiltrate the once non-existent physical security network. To account for this logical and physical growth, a number of cybersecurity measures have been added to the mix: Virtual Private Networks (VPNs), multi-factor authentication, and file encryption to shield data speeding back and forth across the world. Firewalls are the first lines of defense to protect environments from external threats.
Manufacturers, integrators, and building management companies alike are realizing the potential of convergence. They are combining HVAC, lighting, and other smart building controls into the same bucket. Grouping these together with the rapid growth of both physical security and cybersecurity brings to light the age-old question. Capital expenditures can be offset with a move to the cloud, which can lessen the infrastructure and personnel required to manage and maintain these systems. Owning the evidence versus owning the system can make a lot of sense to those who have the freedom to trust security to a third party.
Additionally, there is greater need to securely house all this new data. Today, data is being centrally gathered from much more than just the security world. This cyber escalation was not the first to require a physical security reciprocation, but it may be the most substantial. Facilities are now following the principles of Crime Prevention Through Environmental Design (CPTED). Properties are designed with increasingly sophisticated and connected perimeter fences, barbed-wire, bollards, all types of exterior detection devices, as well as a variety of interior layered security features.
Bottom line, the physical security realm seems to be catching up with the rest of the digital world. Now the same people wondering why anyone would ever want a computer in their home now want to wear one on their wrist. The internet of things (IoT) and all the wonderful edge devices in demand are adding to the ever-growing web of data access points needed for data. End user devices are now delivered with security measures such as bit locker and two-factor authentication tools including biometrics, and features to additionally authenticate when accessing files and other directories within a company.
And then – BOOM! – COVID-19 hits and the world shut down with a global pandemic. The need for even safer, healthier, and more secure buildings explodes. Physical security again is forced to grow to meet a new demand for screening technologies, density control, no touch access, environmental monitoring, and more.
The short answer is no. Although we have hit quite a few forks in the road, nobody is threatening to turn this car around just yet. Security convergence continues to be on the horizon for some very important reasons:
Convergence seems to offer many more benefits than drawbacks, a fact that will continue to grow increasingly clearer to key stakeholders and decision makers. And as noted throughout this article, advances in technology continue to permeate physical security spaces. It is all but inevitable IT and OT security functions will eventually merge to develop proactive solutions to potential problems and strengthen systems from the inside out rather than being reactive.
This article was subsequently posted by leading industry publication Consulting-Specifying Engineer (CSE) magazine.
As a senior security systems consultant, Dan Burgoyne freely shares his knowledge and observations to actively support ESD’s mission to improve society through the built environment.
An ASIS International webinar convened earlier this year focused on the risks associated with the increasingly complex and interconnected systems of modern smart building. (Learn more about Wolf’s presentation.)
As buildings get smarter with the addition of automated systems, cybercriminals are getting smarter as well, finding new ways to gain access and control of sensitive information. Three ESD experts will be examining the risks at the upcoming IFMA World Marketplace conference. (Learn more about IFMA World Workplace.)