The history and development of converged security
Alison Wakefield, Louisa Schneller, and Cody Porter detail how the importance of converged security has grown over the years, pointing out that while it is widely accepted that a holistic approach to security is beneficial, many organizations have not yet adopted a fully converged model.
A recent research report for the ASIS Foundation, The State of Security Convergence, defines the concept as “security/risk management functions working together seamlessly to address security holistically and to close the gaps and vulnerabilities that exist in the spaces between functions.” For about two decades the professional security community has actively promoted the convergence of physical security and organizational information security management, so the approach might reasonably be expected to have come of age by now.
Yet ASIS Foundation research has concluded that fully converged security remains the exception rather than the rule, leaving organizations increasingly exposed as their adoption of, and reliance on, digital technologies accelerates. The World Economic Forum highlighted the importance of collaborative solutions to cyber risk in its Global Risks Report 2016, stating: “While there are many ‘C’ level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has different but related interests and, unfortunately, often does not integrate risk or does not collaborate effectively in its management.”
Learn more about converged security at IFSEC International 2022 by visiting the Converged Security Center, where experts including Professor Alison Wakefield will present live threat scenarios in various environments.
In technical terms, converged security was the norm in the early days of organizational computing, when the use of computers in organizations was mostly confined to data centers and their protection focused on securing the physical infrastructure. The development of personal computers, new types of personal software, and advances in chip technology led to their increasing ubiquity in organizations from the early 1980s onwards. Protecting these computer systems required additional technical security measures, and it was from this point that information security began to evolve as a distinct business function and professional specialty.
While the primary benefits of IT advancement initially concerned the internal efficiency of organizations, they have become increasingly critical to achieving strategic business objectives, for example by enabling the integration of vendor and customer systems, and have therefore become a matter for senior management. During the 1990s, information and the computer systems that support it were recognized as critical business assets, providing the impetus for the development of information security practices and standards, including British Standard BS 7799, first published in 1995, the precursor to the ISO/IEC 27000 family of international standards for information security.
Since then, computing power has multiplied many times over, the growing ubiquity of digital devices has given businesses new ways to interact with customers, and digital innovations such as cloud computing, the Internet of Things (IoT) and artificial intelligence are reshaping the way businesses function. The challenges posed to organizations by the COVID-19 pandemic, and necessary adjustments such as the rapid expansion of working from home, have accelerated the adoption of digital technologies by years and required many adaptations to organizational security.
The concept of the Industrial IoT (IIoT) has entered the business lexicon to denote the application of IoT to manufacturing and industrial processes, taking the risks to critical infrastructure to a new level. This urgency has been recognized by the US government, which created the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, and by CISA’s publication of a convergence guide in 2021. The guide advocates “an integrated management strategy of threats” reflecting an “understanding of the cascading impacts on interconnected cyber-physical infrastructures”, and considers a “culture of inclusiveness” to be “vital” in achieving the convergence of security functions and “to foster communication, coordination and co-operation”.
A 2016 report from the SANS Institute on security in a converged IT/OT world highlights the scale of the challenge to critical infrastructure, saying that operational technology (OT) cybersecurity is “about a decade behind the maturity level of IT security in many respects.” Traditionally, information systems and industrial control systems (ICS) have presented different risks and different risk management priorities: confidentiality, integrity and availability for information systems, and safety and availability for ICS. The life cycles of industrial equipment (and often its software) can last for decades, and the equipment is very expensive, which makes updates much more difficult. It is also difficult to create virtual builds on which tests can be run, so testing usually has to take place on real working devices during scheduled downtime.
Growing importance but challenges remain…
It is now well established that organizations need to assess risk holistically, identifying and mitigating vulnerabilities created by increasingly interconnected and converging threats. A significant challenge in developing and implementing converged security is that there can be no one-size-fits-all approach, given the varying requirements of different markets, industries, and professions. More research is needed on different models and approaches, and security practitioners should regularly update their knowledge of new security risk management approaches in general, and convergence approaches in particular.
Recruiting people with the right skills, and in particular the required strategic, business and soft skills, was identified in the ASIS Foundation report as critically important. Its research cited confusion over roles and responsibilities, reporting lines and communication, and conflict among converged staff, as ongoing barriers to implementing convergence effectively.
Findings from our qualitative research also focused on the skills of practitioners, while underscoring the importance of ensuring that these skills are well embedded in organizational security teams and in the wider security profession, so that organizations are not exposed if key employees leave.
Perhaps the steps taken by government organizations such as the US Cybersecurity and Infrastructure Security Agency to recommend cyber and physical convergence will foster a more codified approach. At the same time, the necessary knowledge and skills must be actively cultivated by security practitioners and the wider profession, both to secure organizational support for convergence and to ensure that security is managed effectively across the often disparate units within organizations.
About the authors
Alison Wakefield PhD CSyP FSyI is Professor of Criminology and Security Studies and Co-Director of the Center for Cybersecurity and Criminology at the University of West London. Louisa Schneller MSyI FISRM, is a consultant in risk and security management at TeamMacro. Cody Porter PhD, is a lecturer in psychology at the University of the West of England.
Secure your place at IFSEC International 2022
May 17-19, 2022, ExCeL London
Reconnect in person with the physical security community at IFSEC International 2022. You’ll find hundreds of leading exhibitors from across the physical and integrated security industry, showcasing the latest in CCTV, access control, intrusion detection, perimeter protection and integrated software solutions. Plus, network with thousands of like-minded peers and professionals as the industry comes together at IFSEC for the first time since 2019.