
The State of Security Convergence

Editor's Note

An ASIS Foundation study cites differences in culture and skillset between physical security and cybersecurity as the biggest barrier to the convergence of security functions in organisations. And the biggest driver? Aligning security strategy with corporate goals.

A 2019 ASIS Foundation study titled “The State of Security Convergence in the United States, Europe, and India” investigated the extent to which organisations have converged their physical security, cybersecurity, and business continuity management (BCM) functions.

According to its executive summary, the survey of more than 1,000 senior physical security, cybersecurity, disaster management, and business continuity professionals found that despite “years of predictions about the inevitability of security convergence, just 24 percent of respondents have converged their physical and cybersecurity functions.”

“When business continuity is included, a total of 52 percent have converged two or all of the three functions. Of the 48 percent who have not converged at all, 70 percent have no current plans to converge.”

Interestingly, two-thirds of respondents reported that their physical security, cybersecurity, and/or business continuity functions are working closely together either through convergence, partial integration, or collaboration.

Data and follow-up interviews show that companies are organising their security and BCM functions in a variety of different ways depending upon business needs. The results indicated that a range of convergence models – from partial through to complete convergence – can be effective. But one size doesn’t fit all.

The report defines convergence as “getting security/risk management functions to work together seamlessly, closing the gaps and vulnerabilities that exist in the space between functions.”

“Fully converged functions are generally unified and interconnected, reporting to one security leader,” it states. “They often have shared practices and processes, as well as shared responsibility for security strategy. Converged functions work together to provide an integrated enterprise defence.”

Strong leadership

Regardless of how security functions are organised, “strong leadership and a clear security strategy” were cited by respondents as important factors for effective security.

Most organisations surveyed (67 percent of converged and 57 percent of non-converged) report having an enterprise-level security leader. Of those, 79 percent agree that having an enterprise security leader “enhances the effectiveness of corporate security.”

According to the report, the most successful security operations share the following characteristics:

• Physical security, cybersecurity, and BCM functions are aligned around one security strategy.

• The functions maintain open communication and share information with one another.

• Security has a voice in the C-suite and senior leaders provide strong leadership and engagement for the functions.

BCM leads converged charge

BCM was reported as being converged with either cyber or physical security in 47 percent of the organisations surveyed, compared to just 24 percent having achieved converged physical and cybersecurity functions. An overwhelming majority of business continuity managers were of the opinion that convergence strengthened the BCM function.

Convergence produces benefits

96 percent of those organisations that had converged two or more functions reported positive results from convergence, with 72 percent reporting that convergence strengthened their overall security.

Overall, 78 percent of those surveyed believed that convergence would strengthen their overall security function.

It’s not about the money

Only seven percent of converged respondents saw “reduction in security costs” as a primary benefit of convergence. 20 percent of non-converged respondents cited “potential cost savings” as a reason to look at converging.

Non-converged organisations are more likely to have increasing security budgets than converged organisations, whether physical or cyber.

58 percent of non-converged organisations reported increasing cybersecurity budgets as opposed to 49 percent for converged organisations. 28 percent of non-converged organisations reported increasing physical security budgets compared to 24 percent for converged organisations.

Bucking this pattern, 26 percent of converged organisations are seeing budget increases compared to 19 percent of non-converged.

Aligning security strategy with corporate goals

The number one reason for converging (38 percent) among those who had not yet converged was “better alignment of security/risk management strategy with corporate goals.” This was also considered the key benefit by 40 percent of already-converged respondents.

Hurdle to convergence

The biggest barrier to convergence (36 percent) was reported as differences in culture and skillset between physical security and cybersecurity. “Turf and silo operating tradition” followed at 24 percent, and the “belief that cybersecurity requires its own operation” came in at 21 percent.

22 percent of respondents reported no challenges to convergence.

The talent challenge

The report cites a vice president at a US technology company as explaining, “there is no single skill set for all. The industry has not evolved where we can now have a single security practitioner who can do physical security, digital transformation, and product management. Until the industry evolves towards that, we will operate with three independent roles.”

Convergence needs to be customised

Convergence takes many forms depending on the industry sector and organisation. In some sectors, physical security and fire protection are heavily converged, while in others not so much.

In some sectors, cyber is managed centrally while physical is managed locally. In other sectors, the dichotomy between centralised and decentralised is either absent or less pronounced.

In the case of many airports and hospitals, states the report’s executive summary, “cybersecurity is run as a shared service across the enterprise while physical security is run by staff at each location. For those industries, cybersecurity is centralised while physical security is decentralised.”

For more details, visit www.asis.org, and read the report “The State of Security Convergence in the United States, Europe, and India”.
