This month’s column is prompted by some questions, discussions and comments at recent security conferences — all focused on establishing the correct definition for security convergence. I do not think there is one. I think there are many, all having specific value.
However, we must keep in mind that our use of the word convergence will fade away, as has already happened to a large extent in the IT industry with regard to technology convergence (See the September 2008 column, “Convergence Disappearing in IT Domain”, available online at:). That does not mean that convergence definitions are of no value. It means that they have value only for a limited time, until our perspectives change and we no longer need them to orient our thinking.
Any definition of security convergence is of value if it helps you in your security role. The practitioners that I heard heartily disagreeing were not helping each other, but they could have been — if they had focused on a specific security topic. Below are some answers that I have heard to the questioning of what convergence means. I have put my own comments in italics after them.
Q: What is the “true definition” of convergence?
“It’s not true convergence unless the IT and physical security departments merge.”
Does this mean that if you do not have a separate security department (like many small- and medium-sized organizations), that you cannot benefit from convergence? Certainly the real estate or facilities departments are not going to merge with IT departments.
“Physical security and IT working together is not convergence. That’s collaboration.” What good is converging if you do not collaborate? Can’t you converge around specific topics, responsibilities, projects or initiatives without having to converge other things that are not related?
“True convergence means that separate things merge to become one.”
In the IT domain, voice, video and data converge to travel over a single wire using common protocols at various points. But in the end, my voice does not become my face or my document. They are still separate but related things.
So what good is the term convergence?
Thinking About Convergence
I believe the definition of convergence that comes from the field of Ophthalmology (the branch of medicine concerned with the eye) is worth examining. Convergence is the simultaneous inward movement of both eyes toward each other, usually in an effort to maintain single binocular vision when viewing an object. “Single binocular vision” simply means that the vision of both is combined so that instead of “seeing double,” we see a single object — but from a three-dimensional perspective.
The two eyes do not merge to become one — but their vision does. The result is a three-dimensional perspective, which results in additional benefits that you ca not get with a single eye, such as depth perception and estimation of speed of objects approaching or receding.
The concept of a unified vision applies to practitioners — whether security professionals or technology specialists. With regard to security management, the Security Executive Council (SecurityExecutiveCouncil.com) has a term for it: Unified Risk Oversight. A Unified Risk Oversight Team works to develop a shared multi-dimensional vision for managing risks. Many companies have reported that using such a team (council, or committee) to be the single most effective convergence strategy for improving the organizational risk picture.
The right convergence perspective is just as important for technologists, and I will take a close look at that in the next issue’s column.
What books have helped improve your understanding of convergence?
If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at ConvergenceQA@go-rbcs.com or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We do not need to reveal your name or company name in the column. I look forward to hearing from you!