Research looks at security convergence for global firms

March 12, 2008
Large global businesses recognizing value of convergence, still facing hurdles

New research out from Honeywell Labs looks at the convergence of security operations, and the lesson for firms is that converged security can create business benefits.

In the research, titled "Enterprise Threat Management and Security Convergence: A Benchmarking Study," researchers surveyed more than 50 CIOs, CSOs and CISOs from U.S.-based global companies that have revenues of between $1 billion and $100 billion.

The respondents were high-level employees at the types of companies where you would expect to see a fairly strong element of convergence, said Honeywell's Marketing Manager Peter Fehl, who was one of the drivers of the research. However, Fehl said he was somewhat surprised by the numbers, which indicated that only 63 percent of the companies had some sort of "formal convergence mechanism".

And although not every company at this level had convergence mechanisms in place, some of the companies had gone so far as to fully integrate the information security and physical security concerns. According to the Honeywell research, 10 percent of the firms ran the two functions "as one entity" within the company.

Ivan Hurtt, the product marketing manager for Identity and Security Solutions at Novell, said that regulations like HIPAA and Sarbanes-Oxley had made many companies very aware of the importance of converged security.

"Take for example, an employee who was a CFO, but who is now working in a different aspect in the organization," said Hurtt, whose company has worked with Honeywell to deliver converged, role-based access control for network and physical facility users. "You may need to now restrict what data he or she has access to, and maybe even restrict what rooms or offices that person can access now."

Hurtt added that converging security could tell a company if global rules were being broken, such as if a company employee badged into a building in Texas and then logged onto a company computer located at the Michigan office. Converging at that level, said Hurtt, was about bringing together a comprehensive security plan and coordinated identity management. Those two tasks, said Fehl and Hurtt, are relatively new at companies, and yet they are vital to convergence.
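The Texas-badge, Michigan-logon rule Hurtt describes can be expressed as a correlation between physical access logs and workstation logons. The following Python sketch is an added example, not code from Honeywell, Novell or the study; the event layout, the user names, the four-hour window and the assumption that logons are local console logons are all constructed for illustration, and the missing-badge check goes one step beyond the case in the text.

```python
from datetime import datetime, timedelta

# Constructed badge-reader events (not from the study): (user, time, site)
BADGE_EVENTS = [
    ("asmith", "2008-03-10T08:02:00", "Texas"),
    ("bjones", "2008-03-10T08:15:00", "Michigan"),
    ("cwu",    "2008-03-10T07:50:00", "Texas"),
]
# Constructed console logons: (user, time, site of the workstation)
LOGON_EVENTS = [
    ("asmith", "2008-03-10T08:40:00", "Michigan"),  # badge says Texas
    ("bjones", "2008-03-10T08:20:00", "Michigan"),  # consistent
    ("cwu",    "2008-03-10T19:30:00", "Michigan"),  # outside window: travel is plausible
    ("dlee",   "2008-03-10T09:00:00", "Texas"),     # no badge record at all
]

def _ts(text):
    return datetime.fromisoformat(text)

def correlate(badges, logons, window=timedelta(hours=4)):
    """Return (user, logon_time, reason) for logons that contradict badge data.

    window is an assumed minimum travel time between sites; tune per site pair.
    """
    by_user = {}
    for user, ts, site in badges:
        by_user.setdefault(user, []).append((_ts(ts), site))
    for entries in by_user.values():
        entries.sort()

    alerts = []
    for user, ts, site in sorted(logons, key=lambda e: e[1]):
        when = _ts(ts)
        # Most recent badge-in at or before the logon decides physical location.
        prior = [b for b in by_user.get(user, []) if b[0] <= when]
        if not prior:
            alerts.append((user, ts, "NO_BADGE_IN"))
            continue
        badge_time, badge_site = prior[-1]
        if badge_site != site and when - badge_time <= window:
            alerts.append((user, ts, "SITE_MISMATCH"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGON_EVENTS):
        print(alert)
```

Remote-access logons would need to be filtered out or mapped to the user's expected location before applying this rule, since a VPN session legitimately terminates at a site the user never badged into.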

From the research, Honeywell also found that convergence was dramatically affecting compliance/audit issues. Some 52 percent of the companies surveyed had a formal relationship between IT and physical security when it came to compliance and audits, and 11 percent combined those functions directly.

And while convergence and audits may be getting the converged attention, said Fehl, many companies are also starting to recognize that acceptance of risk has to be converged. In the study, when asked about response to coordinated physical and network attacks, 14 percent of respondents said that they had a crisis management group established, and another 14 percent said there was a single Chief Security Officer (CSO) ready to take the helm. Another 27 percent said that coordinated network and physical attacks fell on the shoulders of the Director of Security. Only 34 percent said there wasn't a coordinated, single internal contact to assume risk and response operations for a converged physical and IT security attack.

Additionally, the study found barriers to convergence such as turf battles and an overall lack of the business skills needed for convergence. Fehl said he personally felt that the turf battles were starting to disappear as businesses realized the financial values and competitive advantages from converged operations. However, both Fehl and Hurtt agreed that it was a challenge to find staff with the skills to manage converged security.

Fehl noted that it became a challenge to find someone who can manage all the different players and factors -- IT, business strategy, investigations, physical security technologies, human resources, and more -- that need to be a part of a converged security operation.

"Anecdotally, one of the things we've found is that it's actually a lot easier sometimes for smaller firms to converge security because they don't face those organizational challenges and barriers," noted Fehl.

By the numbers
Salient highlights from "Enterprise Threat Management and Security Convergence: A Benchmarking Study"

-- 42 percent said "having physical security systems on IT backbones is a security risk"
-- 33 percent said they envision convergence happening within their organizations in the next two to five years
-- 33 percent said that convergence will never happen
-- 73 percent said that vulnerabilities in either the physical security system or in IT security could potentially lead to a breach in the other system
-- 91 percent of respondents said their companies planned to increase investment in security