If one accepts the premise that security is a “weakest link” discipline, then no organization can truly approach being secure unless they consider all of their security risks when crafting an overall security strategy and making risk mitigation decisions.
For many years, organizations have approached risk mitigation in an essentially siloed format, where physical security, IT security, audit, risk management and other risk-oriented functions operated independently. The gulf between these divisions inevitably increased duplication, bureaucracy and cost.
Over the past few years, a variety of business drivers has led these independent business functions to come together. This trend has been called security convergence: the formal, collaborative and strategic integration of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness, and cost savings.
Study Finds Convergence Drivers
In a recent study commissioned by ASIS International, the Information Systems Security Association and ISACA (Information Systems Audit and Control Association) and conducted by Booz Allen Hamilton research, 36 global organizations were surveyed about the business drivers motivating security convergence in their organizations. The top five business drivers were:
1. The rapid expansion of the enterprise ecosystem. Organizations' network environments continue to expand, introducing new risks to the enterprise. Just a few of the factors extending the perimeters of organizations are global enterprises connecting disparate systems across countries and continents, connections with third parties and business partners, remote access, wireless, and the promotion of legacy systems to the outside world through the Internet. This push to expand technology borders is driving the risk equation to new heights.
2. Value migration from physical assets to information-based and intangible assets. For many years organizations were primarily concerned with protecting assets in the physical realm—inside filing cabinets and desks. In recent years we have seen a number of assets transition to almost entirely electronic form. Records often exist only in electronic format; orthophotos are stored in GIS databases, and CAD drawings are available online. The skill sets required to protect these assets have had to evolve in parallel with the migration of the assets themselves.
3. New protective technologies blurring functional boundaries. Historically, the tools of the physical security department included the standalone access control system, alarm system and CCTV system. Many of these systems now operate solely in the network environment, even as many physical security professionals become less knowledgeable about the systems they rely on to conduct their operations.
One of the more frightening realities is that often physical security equipment is proprietary and can be left unsupported, ending up un-patched, insecure and vulnerable to attack.
4. New compliance and regulatory regimes. New regulations are enhancing due diligence requirements all over the world. Organizations are required to certify, with a high level of assurance, that data and financial records are accurate and that personal information is protected. Legislation such as PIPEDA in Canada and Sarbanes-Oxley and Gramm-Leach-Bliley in the United States is escalating the pressure on organizations to efficiently address enterprise security issues.
5. Continuing pressure to reduce costs. There has been no relief worldwide from the pressure on organizations to do more with less. In both the public and private sectors there are always more projects and more initiatives than can be delivered. So the cost reductions and projected cost savings arising from convergence activities make them especially attractive to all organizations.