
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
May 11, 2022


The history and development of converged security

Alison Wakefield, Louisa Schneller and Cody Porter detail how the significance of converged security has developed over the years, emphasising that while there is a widespread acceptance that a holistic approach to security is beneficial, many organisations have yet to adopt a fully converged model.

A recent research report for the ASIS Foundation, The State of Security Convergence, defines the concept as ‘security/risk management functions working together seamlessly to address security holistically and to close the gaps and vulnerabilities that exist in the spaces between functions’. For around two decades, the professional security community has actively promoted a converged approach to organisational physical and information security management, which might reasonably be expected to have reached maturity by now.

Yet the ASIS Foundation research concluded that fully converged security remains the exception rather than the rule, leaving organisations increasingly vulnerable as their adoption and reliance on digital technologies accelerates. The World Economic Forum stressed the importance of collaborative solutions to cyber risk in its Global Risks Report 2016, stating ‘While there are many “C” level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management’.


Technically, in the earliest days of organisational computing, when computer usage in organisations was mostly limited to data centres and their protection was focused on securing the physical infrastructure, converged security was the norm. The development of personal computers, new types of personal software and the expansion of chip technology led to their growing ubiquity in organisations from the early 1980s. The protection of IT systems required additional technical security measures, and it was from this point that information security began to evolve as a distinct business function and professional specialism.


While the main benefits of IT advancement were initially to organisations’ internal effectiveness, IT became increasingly central to the realisation of strategic business objectives, for example by enabling the integration of the systems of suppliers and customers, and therefore a matter for top management. Through the 1990s, information and the IT systems that support it came to be recognised as critical business assets, which gave impetus to the development of information security practices and standards, including the precursor to the ISO 27000 family of international standards for information security, British Standard BS 7799, first published in 1995.

Since that time, computing power has multiplied many times over, the increasing ubiquity of digital devices has offered companies new ways of interacting with customers, and digital innovations like cloud computing, the Internet of Things (IoT) and artificial intelligence technologies are reconstructing how businesses function. The challenges presented to organisations by the COVID-19 pandemic, and necessary adjustments like the rapid expansion of home working, accelerated the adoption of digital technologies by several years and required numerous adaptations to organisational security.

The concept of the Industrial IoT (IIoT) has entered the business lexicon to refer to the application of IoT technologies to manufacturing and industrial processes, taking the risks to critical infrastructure to a new level. This urgency has been recognised by the US government, which established the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, and in CISA’s publication of a convergence guide in 2021. The guide advocates ‘an integrated threat management strategy’ reflecting ‘in-depth understanding of the cascading impacts to interconnected cyber-physical infrastructure’, and views a ‘culture of inclusivity’ as being ‘vital’ to the successful convergence of security functions and to ‘fostering communication, coordination, and collaboration’.

A 2016 report by the SANS Institute on Security in a Converging IT/OT World highlights the extent of the challenge to critical infrastructure, arguing that operational technology (OT) cyber security is ‘roughly a decade behind the maturity level of IT security in many ways’. Traditionally, IT and industrial control systems (ICS) have presented different risks and risk management priorities: confidentiality, integrity and availability in information systems, versus safety and availability in ICS. The lifecycles of industrial equipment (and often its software) can run into decades, and such equipment is very expensive, making updates much more challenging. It is also difficult to create virtual versions on which tests can be run, so testing usually has to occur on actual operational devices during scheduled downtimes.

Rising prominence but challenges remain…

It is now well-established that organisations need to assess risk holistically, identifying and mitigating vulnerabilities caused by increasingly interconnected and converging threats. A significant challenge in the development and implementation of converged security is that there can be no one-size-fits-all approach, given the varying requirements of different markets, industries and professions. More research is needed into different models and approaches, and security practitioners need to regularly update their learning in new security risk management approaches in general, and convergence approaches specifically.

Recruiting people with the right skill sets, and especially the required strategic, business and soft skills, was identified in the ASIS Foundation report as being crucially important. Its research cited confusion over roles and responsibilities, reporting lines and communication, as well as conflict among converged staff, as being continuing barriers to the effective implementation of convergence.

Our qualitative research findings similarly placed a strong emphasis on practitioner skill sets, while highlighting the importance of ensuring such skills are well-embedded in organisational security teams and the wider security profession, so that organisations are not left exposed if key employees leave.

Perhaps moves by government organisations such as the US government’s Cybersecurity and Infrastructure Security Agency to recommend cyber and physical convergence will promote a more codified approach. At the same time, the necessary knowledge and skill sets must be actively cultivated by the security practitioner and wider profession to secure organisational support for convergence, and ensure that security is effectively managed across often disparate units within organisations.


About the authors

Alison Wakefield PhD CSyP FSyI is a Professor of Criminology and Security Studies and Co-Director of the Cybersecurity and Criminology Centre, University of West London. Louisa Schneller MSyI FISRM is a Risk and Security Management Consultant at TeamMacro. Cody Porter PhD is a Senior Lecturer in Psychology, University of the West of England.
