April 12, 2016

Sign up to free email newsletters


The 2022 State of Physical Access Control Report

The Unstoppable Convergence of Physical Security and IT and What it Means for Your Role

Convergence has been talked about for many years in information technology.

It used to mean the overlap between telecoms and computer networks. However, a new form of convergence is has started to emerge over the past few years and this is the convergence of cyber security and physical security.

The modern design of IP networks mean that they can encompass telephony and business critical systems, alongside CCTV and other security systems enabling physical access to the building.

Bringing teams together benefits everyone

Using the same infrastructure for physical and information systems access can provide real benefits across a number of departments and can save money. These systems can also be customised to better suit the needs of the user.

Mike Gillespie, managing director of Advent IM, a security consultancy, says that because so many more of our physical systems are being leveraged for web enabled use, the potential cost savings and increased efficiencies make it is a very attractive proposition. (Gillespie will be on a panel discussing this topic at IFSEC International 2016. Register here to attend).

“So physical systems like CCTV for instance might be handled by a single office, handling images from multiple feeds and sites. However, these systems need to be properly secured and added to security hygiene management that is carried out by IT teams. This would include making sure security patching is done and updating antimalware etc.,” he says.

The convergence is well intentioned, but then again so is the road to hell. For the strategy to be successful, one must overcome the challenges created by systems, processes and people.

Ellie Hurst, marketing manager at Advent IM, says that while our physical and cyber threats have converged, physical systems may not have the oversight of IT security regiment for patching and antimalware. “Systems are often networked and once you leave a geographical location and enter cyberspace, everything changes,” she says.

“IT has a place to play in securing physical systems because it has matured and understands the regular and cyclical nature of configuration management and security updates. Physical systems can benefit from this maturity as it matures itself in the cyberspace arena and more systems join corporate networks in cyberspace,” says Hurst.

“They may also be able to assist in risk assessing platforms and helping to decide if it is safe for them to be networked, another solution may be preferable and more resilient.”

Mind the (skills) gap

Another issue is around a potential skill gap, and not where you think it would be, according to Martin Grigg, senior security consultant at PTS Consulting and Lecturer in Integrated Systems for high-security facilities.

He said that the convergence of information and security technology has not created a skills gap but the merging of management roles may do exactly that. The necessary skills to successfully deliver each role are usually held by people with different backgrounds.

“For this reason, IT and Security Managers have different views on their threats and risk, which is understandable given that the threats in the physical realm are very different to the threats in a virtual one,” he says.

“The chances are that the next big security event will be a blended attack on physical and cyber security. The days of the old school criminals have almost gone. The London Hatton Garden robbery was unusual in its simplistic approach. The bad guys are merging the threat; therefore, the good guys need to merge the response.”

To Grigg, the convergence of of these roles makes complete sense but the challenge is to capture the experience and skills from both people and merge them into a single manager.

“The problem is compounded by the ever changing threats that businesses today have to counter. This means that academic study on its own is not the complete solution.

“The Security Manager of the future will have to have a solid background in threat, vulnerability and risk assessment as well as knowledge of physical and cyber defence. They will also need to regularly review their situation to keep up with the inevitable changes on the threat horizon,” says Grigg.


Hurst says that it is important to note that umbrella oversight is needed from a risk perspective, to reduce the chance of converged risks remaining lost in silos – “so the oversight of a chief risk officer or senior information risk owner ensuring board ownership”.

Gillispie adds that oversight should be at board level and Risk assessments would be done on all systems to ensure any risk is mitigated and that it is within organisational risk tolerances and appetite.

“For too long our security response has been in silos and unconnected, the threat is joined up so the response should be,” he says.

“We need to break down the silos bring the security disciplines together under one banner and have single point of governance which has oversight of physical personnel and technical reporting directly to the SIRO board member who has accountability for security risk.”

Speaking the language

Perhaps success best lies in making each team speak the language of the other to broaden understnadin of the issues at hand.

“Physical security specialists need to upskill and understand how to do holistic threat assessments; how to incorporate cyber threat to physical assets. They need to speak the language of business s do IT security specialists and also need to become better plugged into the business objectives and culture side of things,” says Gillespie.

“They need to be connected into wider world of corporate risk management, be more agile and fleet of foot, as threats coming from cyberspace are evolving far quicker than from the physical space. The traditional geography of physical security is morphing and blurring. Threats can come from a drone or from the other side of the world but can manifest in catastrophic breakdown.”

RFID chips and facial recognition: Technologies that could unite access to physical and IT assets

  • RFID-enabled ID cards have been used for a number of years as a means to secure access to buildings and computer networks. But such cards, tokens and fobs are becoming relics of the past physical security and access control era. These days, employees want a more frictionless experience without having to rummage through a handbag.
  • But with computer hardware improving over the last 10 years, facial recognition has become a real prospect in securing access to physical and IT assets.
  • Facial recognition technology has come a long way to the point where even your laptop, if it is running Windows 10 can allow access through a feature called Windows Hello. The interface makes it easy to log in securely with biometrics.
  • To use the feature, the PC has to have an Intel RealSense camera fitted at present. This is because in addition to the camera, it uses infrared and depth scanners, so merely holding up a photo won’t allow access, only a real live face will work

Mike Gillespie, who is quoted in this article, will sit on a panel at IFSEC International 2016 discussing how the relationship between physical security and IT is evolving. View the full education programme for IFSEC, which takes place from 21-23 June at London’s ExCeL.

Register here to attend IFSEC – Europe’s largest security trade show – which also features hundreds of exhibitors, including Honeywell, Axis Communications and Sony Europe, among many other major industry names.


Keep up with the wireless access control market

Download this free report to find out more about:

  • The current state of wireless access control solutions in the market
  • The developing ‘move to mobile access control’ trend
  • Views on open architecture and integration
  • The growing use of the cloud and ACaaS to manage access systems
  • How important is sustainability to the industry?
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
April 13, 2016 3:14 am

NIce summary. I would add that Industrial IoT and Operations Technology as it relates to convergence is an item to consider. Hurst’s point about “umbrella oversight” and Gillispie’s “point of governance” is absolutely correct. A solid ERM or at least an Enterprise Security Risk Management program is advised. Skills gap is a bit of a fictitious concern; CSO’s don’t need to be the security technical wizards their technology managers are, but they need to understand, support, and align with their enterprise IT Strategy and practices. Moreover, they need to engage with their system vendors and integrators and represent the company’s security requirements… Read more »

April 13, 2016 7:31 pm

Second shot, same poison. #WallsWork // “Breaking down the walls between IT and physical security” http://securityinfowatch.com/article/121874…

April 13, 2016 7:35 pm

I’m biased because we have to fight off IT Security Officers drunk on power, but who know nothing about best practices or corporate policy.

April 13, 2016 7:38 pm

But maybe don’t also give all the control of physical or IT security to contractors, under the supervision of technically inept management.