Convergence Q&A: The Scope of Security Convergence

Convergence is when two things that are separate come together. You could have a convergence of multiple perspectives into a unified view, a convergence of water currents into a single ocean current, or a convergence of vehicle traffic from two lanes into one. This column’s question is from a security manager who needs to determine the scope of security convergence within his responsibilities.

Q: Our company is establishing an organizational resilience council as a corporate risk management function, and I was asked to report on the state of our security convergence. What exactly should I be reporting on?

A: You should only be asked to report within the scope of your own responsibilities, which may include your collaborations with other functions.

There are several aspects of security convergence to consider.  

Enterprise Security Management

In the mid-2000s, the term “security convergence” was used to describe a convergence of the management of physical and IT security, or physical and logical security as it is also called. Soon security leaders realized that the converged perspective should be broader, and the term Enterprise Security Management came into use. This is a convergence of the top management perspectives that brings together security and other business functions to obtain a unified view of the organization’s security risks. Risk categories can include, for example, Information, Information Systems, Personnel, Legal, Finance, IT Infrastructure, Product, Brand, Business Continuity, Environmental, Supply Chain, and Physical Premises.

Responsibilities for many security risks have often been delegated to specialized risk functions that implement and maintain risk control measures, such as corporate security, facility security and IT security. However, siloed risk management – without a converged or unified risk management perspective – leads to risk mitigation gaps and inefficiencies.

Thus, over time, security can become both weaker and costlier than it should be. The first book on this topic, published in 2007, is titled Physical and Logical Security Convergence: Powered By Enterprise Security Management. A few months later a second book arrived, titled Security Convergence: Managing Enterprise Security Risk. This book includes both security management and security operations convergence.

Security Technology Convergence

Today, all industries have experienced their own versions of technology convergence, which refers to the incorporation of information technology into their industry. For example, the automobile industry’s first convergence conference was held in 1974, when solid state circuitry started becoming part of automobile systems. Today, of course, the result of automotive technology convergence includes a wide variety of autonomous and semi-autonomous vehicles. Dentistry dropped the film-based X-ray technology over a decade ago, in favor of digital equipment that can capture and display the dental images almost instantly.

Security’s technology convergence is the incorporation of information technology into physical security systems, most of which are now IT-based and networked, with some residing in the cloud. This has resulted in corporate IT departments gaining responsibilities for the IT aspects of physical security systems and collaborating on physical security system deployments. There are many points of security/IT collaboration involved, including cybersecurity for physical security systems.

See my own recent book, Security Technology Convergence Insights, available on Amazon (http://bit.ly/security-tech-convergence-insights) and elsewhere.

Business Use of Physical Security Systems

The use of physical security systems for business operations value has been growing for more than a decade – basically, once security systems started being networked. Today, there are cloud-based systems that provide authorized users access to security system functions from anywhere at any time. One example of significant business value is the use of security video analytics for retail store operations. In this instance, video analytics are used to measure and map customer traffic in retail stores, with the data providing insights on the effect that marketing campaigns and store displays have on customer traffic and sales. Another example is the use of security video cameras to monitor critical business operations, such as in food and pharmaceutical manufacturing. Discovering the exact point in time where an unacceptable manufacturing line condition first occurred can avoid the needless discard of an entire shift’s worth of product – avoiding a dollar loss in the tens or hundreds of thousands.

Evaluating Security Convergence

Security managers can assess the state of their security convergence, per their responsibilities, by reviewing to what extent they have engaged security stakeholders as described in the article titled “The State of Converged Security Operations”, available here: http://bit.ly/convergence-touch-points. Consider who the stakeholders are and what the appropriate consultation/collaboration topics could be in the three aspects of convergence listed above. These will vary depending upon the type and size of the organization. Remember that facility physical security assessments – those that touch base with the facility’s functional area stakeholders concerning security risks in their areas – are a common aspect of collaboration but are often forgotten when the topic of convergence comes up.

Each convergence touch point can be rated from one or more perspectives, for example:

  • Planning: Pre-Planning, Planned, or In Effect
  • Status: Started, In Progress, Completed and Up-to-Date
  • Collaboration: Yearly, Quarterly, Monthly, Ongoing

Undoubtedly there will already be some degree of stakeholder engagement. Often in such a review, additional ideas come to mind for future collaboration and consultation. A report on the state of security convergence can contain as much or as little information as desired – depending upon what has been asked for and the status of convergence activities. It never hurts to develop such a report before it is asked for, as that invariably leads to ideas for risk discovery and mitigation. It’s usually better to have a proactive stance than a reactive one.