Why the C-Suite Must End Security Convergence Turf Wars

Historically, physical security has been tasked with safeguarding tangible corporate assets, such as personnel, hard copy documents, equipment and the building itself, whereas logical security efforts focus on protecting the corporation by granting or denying access and defending the network against malicious attacks.

In most organizations, physical access systems and logical access systems have operated as two independent structures run by separate departments. Logical access, which grants admission to IT infrastructure – such as the intranet/internet, mail servers, web servers and database applications – was run by the IT department, which also handled cybersecurity. The facilities department controlled physical access systems, which includes the employee badging process, door access to the buildings, life support systems, HVAC, fire and CCTV.

For many, physical and logical security convergence means the interoperability and interdependency of two systems, rather than two departments. Ironically, missing this means missing the mark in improved efficiency, awareness and, ultimately, profitability. This has been a conundrum for the last 20 years.

The Changing Tide

Convergence has been a buzzword in the industry for years now, and in practicality, it is well on its way to becoming more and more of a reality. Security systems integrated with swipe card-based, user permissions systems, for example, have been around for some time. Today, it is common for physical security devices to be incorporated into the corporate IT network, with both risk and benefit.

The lines between physical and logical security are already blurred in many places, and that trend is set to continue. For example, in a general sense, IT security concerns the ability of online individuals to interact with information objects. It is difficult to talk about IT security without talking about the online identities of these individuals. Someone’s online identity is usually entered in the employee onboarding process and stored in an enterprise identity management system.

Over time, more and more physical access devices have begun operating on the network, with cameras, door readers and systems that record and store their data, and physical security has officially moved into the IT security world.

Opportunity for Success

For years, there was debate over whether this convergence should occur. Now, convergence is clearly a process that is occurring with the growth of automation in critical infrastructure networks, and the question is how it can best be managed and leveraged.

The C-suite has a huge opportunity to impact the success of this convergence.

While convergence is natural next step in the evolution of security, the process of converging is a lot more complex. Seeing the economic benefit and operational efficiencies to be gained, the temptation is for top level-executives to throw these two formerly autonomous departments together and tell them to figure it out. Doing this is short-sighted and will ultimately result in fewer gains than would otherwise be possible.

Gaining Perspective

Unfortunately, the traditionally autonomous organizational structure of these two departments means there has been a lack of overlap and communication, though their missions are tightly related and parallel. This involves people who until now had no reason to cross paths and have different jobs, cultures and philosophies. Department managers possess skills and background particular to departmental success and may lack knowledge key to their counterparts’ departments. Each side comes with a host of misconceptions about the other, and sometimes this leads to a mutual lack of respect. Understanding these issues gives executive leadership a key component in overcoming the challenge.

Even though not spoken, each side also brings its “fears” into the equation. Many times in the early days of convergence, one department just wanted the other to “go away.” Because of the growth of the IT universe, they gained more notoriety and boardroom sway, which put the physical security team at a disadvantage. This also often brought a level of animosity instead of a desire to work together diligently as a quality risk management team.

To minimize the risk and maximize the benefit, these two historically separate entities need to work together. Merging the cultures will not happen overnight, but starting the conversation is a step in the right direction.

Education Breaks Down Barriers

Convergence is more than the collaboration between physical and logical security teams or cooperating to get the desired result. It involves a mutual understanding and respect, in-depth knowledge of the other’s roles, shared knowledge of risks and a shared vision, which only be achieved when this philosophy is adopted, shared and encouraged by the C-suite through increased education.

There is no question that barriers exist, but increased education is key to facilitating an increasingly collaborative environment. The starting point is – and should be – recognizing the shared objectives and expertise each side brings to the table. Leadership must be acutely aware of these factors and the vulnerabilities that exist on both sides.

Disparate Weights in Convergence Projects

It is also important to recognize that management and executive leadership can also unwittingly play a role in creating barriers between the two disciplines. Budget is a common concern and source of contention for convergence projects. Most companies allow IT departments larger budgets than physical security departments, with the expectation that additional funds are necessary for constant updates to keep up with advances in technology and cyber threats. Physical security departments, on the other hand, may invest in cameras and card systems and may mistakenly believe that the life expectancy of such equipment extends beyond the functional lifespan of that technology. This philosophy is no longer practical as technology evolves and vulnerabilities are publicly revealed. Physical security equipment needs to be on a refresh rate closer to that of the IT industry. To solve this problem, many organizations are changing their organizational structures to merge the physical and logical groups themselves and setting budgets and policies to align with the new state of the industry.

The Changing Security Landscape

The threat landscape has also changed. Cybersecurity has become extremely important to protecting the IT infrastructure. The threat vectors in IT are typically unseen attackers. The facility personnel did not understand the challenges that their devices, which are often less secure, brought to the IT Infrastructure and the added risk involved. Conversely, the threats in physical security are typically “seen,” fueling the exponential growth in digital video.

Criminals are getting increasingly sophisticated right along with security technologies, and trends show an increase of blended attacks on both physical and cybersecurity. Facilities access makes compromising IT security easier. Anyone who gains unauthorized access can pose a threat to the safety of those within the facility, compromise network security and access confidential data. This new threat makes increased collaboration between these two disciplines even more important to overall security risk assessment and mitigation. Ultimately, as the threat landscape shifts and becomes more complex, so must our approach to security. See the rise in red teaming as an indicator of the threat landscape.

Building Stronger Relationships

Where egos have the potential to put the enterprise at risk, better relationships have the power to make it exponentially more secure. Fortunately, progress in building stronger relationships is growing, validated by a recent survey conducted by ASIS International and HID Global.

The survey results reported that “Most convergence projects – 54 percent, according to the ASIS survey – are shared in both the physical security and IT budgets, with 24 percent coming exclusively from the physical security budget and 22 percent from the IT budget.” Furthermore, the study found that “when physical security professionals were asked how they currently work with their IT departments, a resounding 60 percent said they collaborate to establish security best practices, with 55 percent indicating they look for new technologies together.” As the results state though, there is still a gap of 40 percent.

Better Strategies for Improved Results

It is true that better strategies yield better results, and it’s especially true when adopting a strategy that considers aspects of physical, logical and cybersecurity such as mitigating risk, attracting highly qualified personnel and differentiating a company from its competitors.

Recent high-profile hacks of prominent companies such as Anthem, Reckitt Benckiser and Equifax highlight the need for improved risk management and asset protection, and leadership is taking notice. These are very real situations that can happen to any organization of any size. Today, executive leadership is far more likely to consider a budget that covers convergence to avoid those threats and problems and stay current with risk mitigation best practices.

Reaping the Benefits of Convergence

Even with barriers and understanding the risks, the advantages of working toward a more holistic approach cannot be overstated. In addition to better using resources, convergence yields increased intelligence, improved defensive strategies and a swifter response to critical security events.

Separately, these two departments make what they do look easy, but it isn’t at all easy. Each side of the equation brings exceptional expertise that is imperative to a positive outcome. It is critical for leadership to understand the perspectives and challenges each one faces and provide and nurture an environment for cooperation, collaboration and communication. By doing so, success is almost assured. Working together can ensure the security risk assessment and mitigation of future risks can best be managed across the enterprise. This is the most desired outcome and environment.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).