Here are six steps to approaching convergence in your organization:
1. Get the book. Get Tyson’s Security Convergence book referenced above.
2. Identify Potential Convergence Contacts – Part one. Begin reading, and make a note by page reference as you come across material that relates to a part of your organization. If you do not have a contact in that area, look them up in your organization’s directory or org chart, or ask someone a little higher up in the organization to suggest a contact.
3. Identify Potential Convergence Contacts – Part two. After finishing the book, go back to the Enterprise Convergence Points chart on page 91 (or use the chart above) to help you identify convergence points in your organization. Technology convergence points are those points where physical security systems and processes interact with IT or IT security. Organizational convergence points are those where physical and IT security risks connect or cross over in the organization.
4. Share the Book with Your Key Organizational Contacts. This is an important step, as it will help facilitate collaboration with others in your organization, and keep you from having to explain your convergence ideas at length over and over again. Eventually your convergence contacts should all have a copy as a reference, or access one from your organization’s in-house library if you get a few copies placed there.
5. Proceed with a Plan or Outline. As Tyson says in the book, “It is safe to say that, in most organizations, convergence needs to be slow and measured. Introducing any organizational and cultural change can be challenging, to say the least; changes with such far-reaching potential impact must be approached methodically.” Once you have had initial discussions and found common interests in the convergence landscape, work together to outline an initial plan — even if it is exploratory in nature — and proceed methodically.
6. Prioritize Based on Risk and Organizational Alignment. Especially with technology convergence, there can be a tendency to want to jump right to the ideal state immediately. Be sure to understand the organizational impacts, and realize that you must keep your eyes and ears open for unintended consequences and organizational misalignment. Some things may have to wait until the next budget cycle or until a project or initiative is completed, in order for the right resources to become available. Educational steps are also important, and when action is not a readily available course, continued education often is. When immediate action is warranted because of risk concerns, then education about the risk factors and security options should be the first part of any request for action or resources.
I’ve saved one of Tyson’s important points for last: “Convergence is about optimizing the risk profile so that all risks are identified, considered and either mitigated or accepted — ideally with some form of compensating control.
I urge you to truly ponder this thought in detail: Identify and mitigate ALL RISKS in the environment. This is what the convergence security practitioner, or group of practitioners, must do. Senior management should not be accepting any more risk than they are aware of, and if all the risks are well understood in the new and increasingly complex environment, then the first part of the job is done.”
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For his full bio, please see page 18 of this issue.