Converging Risks, Converging Solutions

Brian Allen, Board of Directors, Global Security Risk Management Alliance

Author Brian Allen serves on the Board of Directors for the Global Security Risk Management Alliance (GSRMA).

The security world is changing. Physical and cybersecurity risks are converging, but the two disciplines are maturing at different paces. In security we are always playing a bit of catch-up to the business, but this feels different: it is not the typical cat-and-mouse game. The speed and complexity of business needs, organizational structures and technology use challenge what we thought we knew and how we have operated, and solutions must match that speed and complexity. Here we discuss how leading solution providers can be significant influencers in how a converged physical/cyber world operates.

The New Model of Risk Management vs. Siloed Physical/Cyber Lenses

In an effort to adapt to these converging risks, the security industry is embracing enterprise security risk management (ESRM). ESRM is the management of any security risk, physical or cyber, using generally established risk principles. It has five core elements: identify your assets, identify the risks to those assets, mitigate those risks, respond to incidents, and keep learning from incidents by staying situationally aware. In practice the mitigations look familiar on both sides: guards and cameras, network monitoring, passwords and access controls.

Yet we continue to look at physical and cybersecurity through siloed lenses, selling to different stakeholders and buyers within the same company. Why? It is fairly simple: cyber and physical security appear to be two distinct practices with no shared philosophy to work from. In the old world, one person manages passwords and another manages access control cards, and yet, in essence, both are doing the same thing. ESRM views the two functions as a common set of practices, such as the following.

  • Access, Monitoring and Intrusion Prevention: Both functions identify a party and grant access, keep records, allow monitoring and prevent intrusion.
  • Security Operations Centers (SOCs): Often a company has two security operations centers, one for cyber and one for physical security. These centers also do the same thing: they monitor for risks, provide a single point of contact for employees and outside constituents, and communicate outward for a variety of common reasons.
  • Investigations and Technical Forensics: An investigation team and a digital forensics team also do the same thing: they find facts, look for risks, document their efforts and report out.

Acknowledging these commonalities does not deny that the individual tasks and skill sets may be very different; that is understood. So, are we functionally siloed simply because we have never looked at security as one consistent practice? A converged physical-cyber world will demand that we rethink roles, job descriptions, reporting lines and the tools those roles use. If risks and functions converge, shouldn’t the tools follow?

The Role of Manufacturers and Integrators

Manufacturers and integrators have influencing, leadership roles to play in the inevitable converged ESRM environment. Forward-thinking customers in security departments that embrace ESRM are pressing for more effective ways to collaborate, share information and automate through smarter, more mobile tools. This rethinking is driving change in their organizational structures, roles and budgets. While practitioners and enterprises work through these issues over time, manufacturers and integrators can adapt now to the inevitability of converging risks and converging solutions. Here are some top areas to consider:

  • Combining logical and physical monitoring provides better collective protection against intrusion than either does alone.
  • Running a common security operations center with combined, even hybrid, roles yields higher efficiency and profitability.
  • Sharing information between investigators and forensic examiners who now work under the same reporting line enables the interdependence and collaboration that converged incidents increasingly demand.
  • Integrating tools and data intelligently, contextually and automatically lets virtual security teams anywhere stand up quickly, collaborate and perform their duties more effectively.
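The first bullet is the one a converged SOC can demonstrate most directly: a badge reader and a VPN concentrator each see only half of a user's day, and a login that is unremarkable in either log alone becomes suspicious when the two are read together. The script below is an added illustration, not code from the article, the author or GSRMA. It correlates a constructed badge-access log with a constructed VPN login log and flags any successful remote VPN login by a user who is currently badged into a site (either the credentials are being used by someone else, or someone inside the building is tunnelling out, which is usually a policy violation). The CSV layouts, user names, sites, IP addresses and the 12-hour presence expiry are all assumptions made for the example.

```python
"""Correlate physical badge events with logical VPN logins (illustrative example).

Assumptions (not from the article): both logs are UTC CSV lines, badge events
are ``badge_in``/``badge_out`` with a site name, VPN events carry a source IP
and a success/failure result, and a badge-in with no badge-out expires after
PRESENCE_TTL so that a forgotten badge-out does not generate alerts all week.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PRESENCE_TTL = timedelta(hours=12)  # assumption: stale badge-in is ignored after this

# Constructed sample data: one day of badge reader events (physical side).
BADGE_LOG = """\
2024-03-04T08:02:11Z,badge_in,alice,HQ-LOBBY
2024-03-04T08:05:40Z,badge_in,bob,HQ-LOBBY
2024-03-04T17:31:02Z,badge_out,alice,HQ-LOBBY
2024-03-04T09:10:09Z,badge_in,carol,DC-EAST
"""

# Constructed sample data: VPN logins from the same day (logical side).
VPN_LOG = """\
2024-03-04T08:20:33Z,vpn_login,bob,203.0.113.7,success
2024-03-04T10:15:00Z,vpn_login,alice,198.51.100.9,success
2024-03-04T21:44:19Z,vpn_login,alice,198.51.100.9,success
2024-03-04T09:00:00Z,vpn_login,dave,192.0.2.44,success
2024-03-04T09:05:00Z,vpn_login,carol,192.0.2.45,failure
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # badge_in | badge_out | vpn_login
    user: str
    detail: str  # site for badge events, source IP for VPN logins


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_badge_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, site = line.split(",")
        events.append(Event(parse_ts(ts), kind, user, site))
    return events


def parse_vpn_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, src_ip, result = line.split(",")
        if result == "success":  # failed logins belong to a separate brute-force detection
            events.append(Event(parse_ts(ts), kind, user, src_ip))
    return events


def correlate(badge_events: list[Event], vpn_events: list[Event],
              presence_ttl: timedelta = PRESENCE_TTL) -> list[str]:
    """Replay both streams in time order; alert on VPN logins by badged-in users."""
    inside: dict[str, tuple[datetime, str]] = {}  # user -> (badge-in time, site)
    alerts = []
    for ev in sorted(badge_events + vpn_events, key=lambda e: e.ts):
        if ev.kind == "badge_in":
            inside[ev.user] = (ev.ts, ev.detail)
        elif ev.kind == "badge_out":
            inside.pop(ev.user, None)
        elif ev.kind == "vpn_login":
            presence = inside.get(ev.user)
            if presence and ev.ts - presence[0] <= presence_ttl:
                since, site = presence
                alerts.append(f"{ev.ts.isoformat()} {ev.user}: VPN login from {ev.detail} "
                              f"while badged into {site} since {since.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_badge_log(BADGE_LOG), parse_vpn_log(VPN_LOG)):
        print(alert)
```

On the sample data this raises two alerts (bob and alice's morning logins) and stays quiet for alice's evening login after she badged out, for dave who never badged in, and for carol's failed attempt. Two caveats a practitioner would add before deploying anything like this: the two systems must be on the same clock and time zone, and the absence of a badge-in is weak evidence, since tailgating leaves no record, so the reverse rule (a workstation login in a building the user never entered) needs corroboration from cameras or door sensors before it is treated as an incident.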

Looking Ahead

Where to start? Here are the top areas in which manufacturers and integrators could add immediate, significant value.

  1. Conversancy in ESRM and Security Functions: There is a fundamental shift afoot:
    • from talking about physical security to mitigation planning
    • from discrete investigations to collective incident response
    • from building independent security operations centers to understanding what functions a converged SOC actually supports.

Sales and product development staff would be well served to understand and become comfortable with ESRM principles, so that the conversations we all have are shared and understood. Solution vendors can set themselves apart from the competition by elevating the conversation to the executive, board and stakeholder level using ESRM’s business-centric, enterprise risk mitigation terms.

Essential to this process is that sales and product teams understand the roles of the physical, cyber and hybrid security practitioner in mitigating risks, independently and together. Those who are comfortable probing customers on how these roles operate today and will operate in the future can move quickly into business value and implementation discussions.

  2. Converged Solution Features and Benefits in ESRM: As the practice of managing cyber and physical risks matures in a converged environment, intelligent tools will have to converge as well. ESRM organizations will expect tools that help them predict risks, collaborate in real time and manage risks across both domains. As a result, new buyers will emerge who share a common philosophy in practice, hold a single budget and want simpler tools so that hybrid roles can work together effectively anytime, anywhere. Solution providers can stand out by showing how readily their products and services affect ESRM, the customer’s bottom line and adjacent lines of business (for example, camera, biometric and network login systems once deployed as point solutions for loss prevention now also supply data that improves product placement and retail traffic to increase sales). Manufacturers and integrators able to align features and benefits to the business-impact buyer will stand out from the pack.

Leading Change

The security industry is massive, and the number of solutions is extraordinary. Organizations buying security solutions know that. In the converged space, there is no doubt that there will be winners and losers.

There will be influencers, too, a topic that gets too little attention these days. When tools are progressive, solution providers can be extremely influential. Manufacturers and integrators that embrace the converged way of thinking can help change this industry in significant ways: how the converged security practice is viewed as a value-add; how boards and executives support and perceive the roles of security and ESRM; laws and regulations around privacy and information sharing; how risks are predicted and mitigated or eliminated earlier; how fluid teams of the right experts, wherever they are, handle major incidents together; how nuances among industry needs are addressed; and more.

As discussed earlier, the risks are moving fast and becoming more complex, and solutions need to keep pace. We are in for an interesting ride that is picking up speed, one in which progressive, ESRM-conversant solution providers can and should influence both buyers and the industry.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).