IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 30, 2013

Convergence of IT & Security Leads to Smarter Buildings

One of the hottest new phrases in the security world is “converged security.” This set Bob Forsyth of Mitie to pondering whether we really understand where these latest developments might take us as an industry.

What is clear is that converged security is driving cost savings by fully integrating all of the platforms for voice, data, AV, security, and building management systems over the same network, while also driving a modern working environment.

The term “convergence” is being used to cover a number of areas that cut across the traditionally separate areas of facilities management, IT, and security.

Security convergence covers the uniting of IT security and physical security under one umbrella, bringing significant benefits to the overall security of an organization as it harnesses the synergies that exist between the two areas.

It doesn’t necessarily mean having one department responsible for organizational security. What it does mean is formal cooperation between the two areas with one common goal of protecting the organization’s assets.

In security terms, convergence is the integration of logical security, information security, physical and personnel security, business continuity, disaster recovery, and safety risk management.

Logical security focuses on the tools in a network computing environment. Information security focuses on the flow of information across both the logical and physical environments.

Integrating these different areas in a conjoined approach contributes to the overall corporate security goals while driving cost efficiencies through the greater use of shared platforms. It brings together disparate teams of individuals to focus on effective security that protects all of the organization’s assets. Without this approach the silo mentality meant that there were weaknesses in an organization’s defense that could be easily exploited by individuals intent on causing harm.

On a broader front, convergence relates to the merging of the various technologies that are used in modern buildings.

This convergence offers building owners a major opportunity for cost efficiencies and, more importantly, the opportunity to benefit from the convergence of technology to deliver more “intelligent” buildings.

The continued development of smart buildings will further break down the divides between security, safety, and building automation technologies in relation to comfort, energy efficiency, life safety, and emergency response.

Another acronym that is gaining ground currently is PSIM, standing for Physical Security Information Management.

PSIM collects and correlates events from existing disparate security devices and information systems (video, access control, PIDS and IDS, analytics, networks, building systems, etc.) to allow personnel to identify and proactively resolve difficulties.

PSIM integration enables numerous organizational benefits, including increased control, improved situational awareness, and management reporting. Ultimately, these solutions allow organizations to reduce costs through improved efficiency and to improve security through increased intelligence.

One of the greatest benefits of PSIM, if established correctly, is that it solely presents information that needs to be acted on. Thus security personnel can focus on the job in hand and manage a situation, rather than actively monitor an array of information sources to determine if something is or isn’t a problem.

Perhaps the greatest challenge as convergence develops as a concept is ensuring that the end goal is always kept in sight and delivered.

It is very easy to get caught up in the glamor of developing technology and forget what is ultimately required: the protection of the organization’s assets. This is why a converged security approach is critical to ensure that the various technologies, processes, and systems all marry up and deliver effective security.

41 Comments
JimC
January 30, 2013 10:47 am

Bob. Nice post about convergence. At first I was concerned about your focus on cost savings, but then you got into discussing PSIM. With so many companies so heavily dependent on information assets these days, it’s great to see attention paid to the physical security aspects that go beyond guard dogs, unlocked doors and theft of physical products. The IT team can help the physical security team by bringing security video traffic onto the corporate network, etc., and the physical security team can help IT through initiatives like identifying unusual employee access activity or even noticing that a PC user never…

Terry Sweeney
January 30, 2013 10:56 am

Really intriguing post, Bob… IT went through these sorts of convergence challenges 20+ years ago when organizations did the then-unthinkable and combined their voice and data networks (and associated personnel). It was several years of rocky relations and took big cultural shifts for these two to cohesively integrate. It’s not hard to foresee a similar trajectory for physical and IT security teams, as they figure out the best ways to protect company assets from the ground up.

TomMurphy
January 30, 2013 10:57 am

Bob, thanks for the post. But by “uniting of IT security and physical security under one umbrella” wouldn’t this raise the risk that failure of that umbrella would put all IT and physical security at risk? Networks do go down from time to time, and maintaining off-network systems seems like the logical backup. Is that part of the plan?

Nicole T Ferraro
January 30, 2013 11:13 am
Reply to  TomMurphy

I echo that question, and I think the answer is yes. As Terry points out, we’ve done this before with IT, and when one thing goes down, it all goes down. However, when it comes to security, the risk of an entire network outage is more severe. So I’m curious about plans for redundancy as well.

kdawson
January 30, 2013 11:39 am

I’m interested in PSIM from a UI / UE perspective. It’s an interesting challenge to present information and alerts from so disparate a collection of services and assets in such a way that only the most critical information is brought forward.

Rob Ratcliff
January 30, 2013 12:10 pm
Reply to  JimC

Interesting point. The business working together is key. Security should be in the forefront of everyone’s mind. The best way to secure your business is to get everyone in the company sold on why it’s important. From reporting unusual activity, to not holding doors open for people who haven’t swiped their access card.

JimC
January 30, 2013 12:16 pm

Nicole. Good question about redundancy. At some point in the past year I saw a presentation from a company that had converged its networks (not just IT and security but facilities and other nets as well). They found it was more redundant because by running everything through the same infrastructure (with separate cables where appropriate) it was easier to identify what equipment and cabling was wasted, and they were better able to manage failover.

Brian Sims
January 30, 2013 1:35 pm
Reply to  Rob Ratcliff

Great article, Bob. Of course, convergence and PSIM are two topics that have really grabbed the attention of security managers and business leaders in the last couple of years. In terms of convergence, the debate has broadened still further in recent times (primarily across mainland Europe) to include disciplines such as HR and the Legal Department. Two extremely knowledgeable industry professionals on the subject of convergence are James Willison and Sarb Sembhi, who’ve spoken on (and written about) this subject numerous times. I would advise anyone reviewing the subject to speak with James and Sarb, as well as Dr David…

James Willison
January 30, 2013 2:34 pm
Reply to  Brian Sims

Thank you Bob for a great article and to you Brian for your kind words. You both highlight some of the key issues in this area. The growing relevance of convergence and Enterprise Security Risk Management is clear. Many of us in Europe have been promoting this approach to ensuring all security risks are effectively managed in a wide variety of ways. ASIS International has led the way and other Information Security associations have supported us. As technology develops the importance of PSIM and other smart systems will require senior managers to work together to ensure security can respond to physical, cyber and…

Mitch Wagner
January 30, 2013 11:40 pm

Thanks for introducing a new concept — and acronym — to me: PSIM. 
I expect all that surveillance and sensor data is going to generate ferocious amounts of data, creating storage and Big Data management problems. Are systems in place to address those?

Mary Jander
January 31, 2013 3:34 pm
Reply to  JimC

Count me in on the redundancy question. Also, I’m curious about the use of cloud services for smart buildings.

MaddyPorter
February 1, 2013 12:10 pm

With all the clever solutions made available by IT, it’s easy to forget that none of this functionality is possible without a constant power supply. Surely how to maintain the supply and keep it secure should be factored into the pros and cons, as this is critical to the system’s success.

Tony Dobson
February 5, 2013 5:45 am

Great article as always Bob! I have worked with integrated IDS/EAC/CCTV security systems for more than 20 years mainly as a customer but also as a supplier. In latter years, the move towards also integrating Building Management Systems is great to see as it gives much more relevant information to those responding to an incident and ultimately saves cash in the long run! Linking in logical security is more challenging but even knowing that an individual is actually in the building where his/her laptop is attempting to connect to the network has to help! There are 2 crucial elements to…

Rob Ratcliff
February 6, 2013 1:42 am
Reply to  James Willison

James. This comment interested me: ‘As technology develops the importance of PSIM and other smart systems will require senior managers to work together to ensure security can respond to physical, cyber and blended attack.’

Does this mean that we’ll need MORE people to interpret data and response in the future? Surely the principle of PSIM is its ability to simplify the decision-making process?

James Willison
February 6, 2013 4:45 am
Reply to  Rob Ratcliff

Rob Thank you for raising this point. The issues are of course of great importance to securing the business. The great advantage, as you indicate of PSIM is the ability it gives to simplify the process of response especially in crisis/emergency situations. So what does the security officer do in these critical events? We should be promoting these new technologies together with SIEM from the IT side so that the business can identify cross functional security risks. In August last year the CPNI published a significant document which outlines the need for HR, Physical and IT security to work with…

Brian Sims
February 8, 2013 6:15 am

James… You touch on the subject of employee fraud here, and you were right to do so. It’s a significant issue and one that must be continually addressed. An analysis of frauds recorded on the CIFAS Staff Fraud Database reveals a significant increase in the level of fraud being committed by employees during 2012 when compared with 2011. Just look at the figures: – A 43% overall increase in the number of staff frauds recorded in 2012 when compared with 2011, with increases identified in all major types of fraud. – Attempts to obtain employment fraudulently (eg by withholding or…

James Willison
February 9, 2013 12:57 pm
Reply to  Brian Sims

Brian Thank you for this significant evidence which should in fact help security managers build a business case for implementing technologies that can enable effective identity management. I hope the security community can be more proactive in engaging with other functions such as HR, Legal and IT (including our colleagues in the Information security arena). It is noteworthy that the CPNI document called, Holistic Management of Employee Risk indicates that currently these areas are often siloed and so the risk is not identified. It discusses the technologies which can be used to monitor this and of course PSIM/PIAM solutions can…

Brian Sims
February 11, 2013 4:49 am

Hi James. Agreed 100%. One of the biggest issues facing companies today is reputational risk/brand damage. As we’ve seen on several occasions these last few years across the general business landscape, if incidents aren’t handled in the appropriate manner then negative publicity can bring an organisation down. Surely it must be the case that joined-up working in a converged structure would go a long way towards preventing such situations from arising?

James Willison
February 11, 2013 8:21 am
Reply to  Brian Sims

Hi Brian
Absolutely. Regular cross departmental meetings, common risk reporting processes and closer collaboration can help an organisation identify the threat or at least respond faster and be able to make a meaningful public statement. We can learn from each other and as you say prevent these situations.

shipwreck
March 18, 2013 12:47 pm
Reply to  Mary Jander

Be careful using cloud services for security applications. It will be one of the easiest hacks, and will result in security breaches wherever something valuable is secured that way.
Security should be stand-alone and well protected.

Rob Ratcliff
March 20, 2013 8:21 am
Reply to  Brian Sims

Augmented reality? I understand the idea, but not sure it’s the right way to characterise PSIM, personally. It’s a phrase that’s already entered into consumer tech parlance to mean something a bit more specific – ie. Google Glass.

Rob Ratcliff
March 20, 2013 8:27 am
Reply to  James Willison

Interesting, the 5 key questions directors should be asking:
1. Who is accountable for all elements of people risk in your organisation?
2. When did your organisation last undertake a people risk assessment?
3. Does your organisation have integrated measures in place to identify and manage people risk?
4. How confident are you that your organisation would be protected against the likelihood of a major incident due to an accidental or deliberate action on the part of its people?
5. Does your organisation understand the impact that an incident would have on it and on the board’s reputation?

Rob Ratcliff
March 20, 2013 9:25 am
Reply to  Terry Sweeney

Interesting, Terry, thanks. I suppose right now I find it hard to see how security and IT teams could ever be one. When they are merged at the moment some IT experts I’ve seen focus a bit too much on the cybersecurity element. I guess we need to upskill both groups.

Rob Ratcliff
March 20, 2013 9:27 am
Reply to  shipwreck

Yeah, just a bit! I suspect there must have been an element of cloud services here: Hacking Surveillance Cameras in Casinos.
Saying that Richard Moulds from Thales pointed out in an article yesterday that in many cases cloud-based services may well be safer than internally managed networks. I stress may.

Rob Ratcliff
March 20, 2013 9:37 am
Reply to  Mitch Wagner

I think in many ways PSIM is physical security’s big data. The question for me is whether it’s a bit over-hyped, and if so, when will the hype drop out?

Rob Ratcliff
March 20, 2013 9:38 am
Reply to  MaddyPorter

Security of power, critical national infrastructure generally, are all of course vital. Frankly, if someone’s willing to go to the effort of taking out power sources, you’re probably not going to be able to stop or catch them anyway, so fair play to them.

Rob Ratcliff
March 20, 2013 9:44 am
Reply to  Tony Dobson

No idea who first coined it. Couldn’t find anything about it out there on the web. Whether it was one that formed organically, or what, I wonder if we’ll ever know. It wouldn’t surprise me if one of the key vendors like CNL Software, IBM, or NICE Systems coined it. If not, they certainly popularised it. Great definition from IMS Research on it. I might try summarising these points in a video to put the what is PSIM debate to bed for good. Maybe.

Tony Dobson
March 20, 2013 9:56 am
Reply to  Rob Ratcliff

I’ve done the Ask Jeeves bit and an article reckons that VidSys CTO James Chong maintains that his company coined the tag in 2006. Do we agree/disagree?!
http://www.securitysystemsnews.com/article/psim-potential

Tony Dobson
March 20, 2013 10:08 am
Reply to  Rob Ratcliff

How about on-site generators for critical power and distributed UPS battery back-up units for absolutely vital systems just in case the generator is compromised or they need to keep power going from when the juice is turned off to when the generator is up to speed? Make sure your power rooms are protected as highly as your crown jewels though! My training in security surveying has always been to regard power from the grid as uncontrollable and easily compromised by the determined felon as it’s an off-site feed. Same goes for comms, always have a back-up plan especially for security…

Rob Ratcliff
March 20, 2013 11:02 am
Reply to  Tony Dobson

Sounds plausible to me. I’ll see if I can get in touch with James Chong for an interview perhaps!

Rob Ratcliff
March 20, 2013 11:04 am
Reply to  Tony Dobson

Good advice Tony. Definitely worth prioritising those elements! And the IT server rooms I’d suggest. Thanks

Rob Ratcliff
March 22, 2013 12:37 pm
Reply to  James Willison

Siloed working, siloed information etc. etc. I’m sure is something that all of us have to deal with. How many times has someone said, after an incident, ‘Oh yeah, I saw so and so doing such and such. Makes sense now.’ If they could have collated ‘such and such’ centrally, that information could have prevented the incident occurring. (Not sure if that made sense. It’s Friday!)

ITs_Hazel
April 14, 2013 10:58 am
Reply to  Rob Ratcliff

I think all it takes is a little time for people to familiarize the technology and really figure out how it works. Once people have experienced it, they’ll judge whether or not it really lives up to the hype or not.

ITs_Hazel
April 14, 2013 10:59 am
Reply to  Tony Dobson

I agree with Rob, these are good tips. These should be integrated into every security and emergency plan to control damage or at least minimize it.

ITs_Hazel
April 14, 2013 11:03 am
Reply to  shipwreck

I agree. There’s still a lot about the Cloud that people haven’t figured out yet. Not that it’s necessarily full of security holes, but I reckon IT people need time to work with it and really ‘get to know’ it before trusting it to run security applications.

Rob Ratcliff
April 16, 2013 11:39 am
Reply to  ITs_Hazel

There’ll always be the odd hole, but we’ve been talking about (and using) cloud solutions for years now, haven’t we?

ibrahim_kayal
May 3, 2013 8:18 am

Excellent article and follow up discussion thread. I’ll be interested to understand commercial solution that integrates physical security and logical security events.

batye
June 3, 2013 8:50 pm
Reply to  Rob Ratcliff

yes, Rob, you are right, but only now cloud started getting more and more ground… becoming household thing… so to say

batye
June 3, 2013 8:52 pm
Reply to  ibrahim_kayal

I think only some parts of this solution is available for now… but with time we would see total solution…

Rob Ratcliff
June 4, 2013 8:42 am
Reply to  batye

Indeed, I think we’ll get to the point in the next 2-03 years where we stop talking about and explaining ‘the cloud’. We’re getting there already with the normalisation of consumer cloud services.

batye
June 4, 2013 11:48 am
Reply to  Rob Ratcliff

yes, Rob, thank you, for now we are getting things in place, just before big jump… so to say