Security Convergence: We’ve Adapted Well But Are We Ready for Tomorrow’s Threats?

The author will form part of a panel discussing convergence at the ASIS European Security Conference on Wednesday at 11:25am at the Hague’ World Forum. He is also speaking about smart buildings at IFSEC International, taking place at London ExCel on 17-19 June 2014 – register here

Security convergence and enterprise security risk management have preoccupied security professionals for more than a decade.

But what exactly do we mean by these terms? What have these disciplines achieved and what can we expect to see in the future?

Security convergence essentially unites all areas of security and helps the business to perform better and achieve its aims without suffering a significant incident. If it is unfortunate enough to experience an attack then it should be better positioned to minimise impact.

It can be argued that organisations that succeed in implementing a converged security strategy will have a clearer idea of potential threats and a faster response to crisis.

Of course, this depends on the company’s size and character, the management, security managers and staff.

Enterprise security risk management, meanwhile, is a more general term that focuses on the process of identifying and managing all security risks across an organisation and does not require formal collaboration.

Three layers

There are many aspects to the outworking and practice of these strategies. Three key layers should be considered.

Many readers will be aware of the impact of integrated technologies on the security industry and how systems are increasingly convergent.

Whether CCTV, access control or HVAC systems, technologies are also often networked and therefore affect corporate IT infrastructure. Security systems are the bottom layer and managed by the middle layer – perhaps the building management team – who work with other business functions such as engineering and IT on a day-to-day basis.

The top layer will be the CSO and CISO who together develop an overall strategy with the Board or senior executive.

Look at what has been achieved since 2000 it’s fair to surmise that significant progress has been made.

Events like 9/11 have heightened media interest in security issues during this period of increasing convergence. However, the most rapidly growing threat has come via the computer networks with which security systems are increasingly integrated, driving security professionals to work more closely with another, related area.

Now we have what is called the ‘internet of things’, which describes the billions of devices, from various utilities to smartphones and televisions, now connected to the internet. In response our industry has, at conferences and through articles, striven to raise awareness of the vulnerabilities of this widening array of devices.

So there’s a considerable level of awareness of the threats posed. UBM, ASIS International, ISACA, ISSA, the SyI and ISC (2) have all made notable contributions to this effort.

Blended threats, physical sites

The greatest achievement in terms of standards on security convergence and ESRM has been the ANSI ASIS PAP 2012 Standard, which outlines how to develop cross-functional teams to identify blended threats to physical sites – the most difficult to defend against and certain to be deployed by tomorrow’s criminals.

This standard was developed to support the ISO 27000 series of standards on information security, which are crucially significant in this space. Together these standards will continue to enhance organisations that implement the recommended strategies and controls.

In the practical realm of technological solutions much has been achieved in the fields of CCTV, physical and logical access control, PSIM, SIEM, intrusion detection and scanning – pretty much in all areas of security.

But if a doctor gives you a prescription, do you necessarily take the medicine? Some organisations are aligning their security strategy with the standards and using new technologies, but others aren’t even aware of the issues. How about you?

So what of the future? In my next article – to be published in April – we’ll look in more detail at emerging issues like smart buildings and the blended threats that could render them inoperable.

But we have so much to be thankful for. The last decade has seen fantastic advances in multiple fields and most people in our industry strive diligently to protect people, information and assets.

IFSEC International, taking place in June at London’s ExCel, will be a great opportunity to see how far we’ve progressed both in our technological response and managerial approach. I hope to see some of you there.