Historically, many organizations have managed physical security and cybersecurity functions independently, without recognizing their interdependencies, and are therefore not leveraging the efficiencies that exist between the two realms.
The use of the Internet of Things (IoT) in building automation to monitor and control a building's systems has advanced rapidly over the past few years. Like other information systems, IoT building systems can have vulnerabilities, whether through misconfiguration or unpatched software, and may be exploited by attackers. Therefore, it is SPP's position that the physical and cybersecurity functions should be managed together; when combined, they offer better management of risk for the organization.
We often hear from our clients that their security program is split between these two security functions, with little cross-communication or collaboration. It is common to find clients whose cyber and physical security functions are so isolated that one side is unaware of the other's activities and events. This is an obvious enterprise risk management challenge, and many organizations continue to operate this way. However, more and more companies recognize the benefits of security convergence, much like the benefits realized over a decade earlier from the convergence of voice and data.
The idea of security convergence is not new. Use of the same infrastructure for information and physical access control is now common and can result in real savings, improved risk mitigation and increased business and security efficiencies.
Converged security and risk management offers a more holistic approach, and organizations are now taking advantage of several benefits. The first is cost savings. Re-aligning teams may allow better use of personnel: re-allocating resources to fill gaps, cross-training team members to perform duties in either discipline, and so on. Using teams more efficiently makes good business sense and builds continuity across all security-related functions. Additionally, convergence brings duplicate roles to light and creates the opportunity to address resource allocation more effectively.
Think about the technology tools used in physical security today: IoT systems such as centralized CCTV, physical access control, alarm monitoring, and their associated systems. Bringing all of these together in a security operations center (SOC) provides a single collection point for security professionals' analysis and enables the sharing of all relevant security events for total threat and risk awareness. Furthermore, having security analysts from both disciplines in the same SOC increases the likelihood and speed of information sharing across the teams. Bringing teams together is to everyone's benefit.
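One concrete payoff of collecting physical and cyber events in the same SOC is correlating them: a user who is badged into the building while also logging in over the VPN from outside is a signal neither team would see alone. The following is an added example, not code from SPP or the article; the badge and VPN log lines are constructed, and the log format, field names and nine-hour presence window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): badge reader and VPN concentrator
BADGE_LOG = """2024-03-04T08:02:11 badge-in user=alice door=HQ-Lobby
2024-03-04T08:05:40 badge-in user=bob door=HQ-Lobby
2024-03-04T17:31:02 badge-out user=alice door=HQ-Lobby"""

VPN_LOG = """2024-03-04T08:40:09 vpn-login user=bob src=203.0.113.7
2024-03-04T19:10:55 vpn-login user=alice src=198.51.100.23
2024-03-04T09:15:00 vpn-login user=carol src=192.0.2.44"""

# Assumed maximum on-site stay when no badge-out is recorded; tune per site
WINDOW = timedelta(hours=9)

def parse(log):
    """Parse '<iso-timestamp> <kind> key=value ...' lines into (ts, kind, fields)."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events

def presence_intervals(badge_events):
    """Map each user to the intervals during which they were badged in."""
    intervals, open_in = {}, {}
    for ts, kind, f in sorted(badge_events, key=lambda e: e[0]):
        user = f["user"]
        if kind == "badge-in":
            open_in[user] = ts
        elif kind == "badge-out" and user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), ts))
    # Badge-in with no badge-out: assume the user stayed on site up to WINDOW
    for user, start in open_in.items():
        intervals.setdefault(user, []).append((start, start + WINDOW))
    return intervals

def find_conflicts(badge_log, vpn_log):
    """Return (user, vpn_time, src) for VPN logins made while the user was badged in."""
    intervals = presence_intervals(parse(badge_log))
    alerts = []
    for ts, kind, f in parse(vpn_log):
        for start, end in intervals.get(f["user"], []):
            if start <= ts <= end:
                alerts.append((f["user"], ts.isoformat(), f["src"]))
    return alerts

if __name__ == "__main__":
    for alert in find_conflicts(BADGE_LOG, VPN_LOG):
        print("badged in but remote VPN login:", alert)
```

In the sample data only bob trips the rule: alice badged out before her VPN login and carol never badged in, so a SOC that only saw the VPN log would have no reason to look at bob's session.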
Finally, security convergence can provide a single "hand to shake" for an organization. Aligning all security functions under a single security organization led at the C-level (e.g., the CISO) would shorten the time it takes for relevant information to reach senior leadership and decision makers. It should also reduce instances of inaccurate or erroneous information making its way to the executive suite. Depending on the structure and culture of the organization, the CISO could report to the Chief Risk Officer, the Chief Information Officer or even the Chief Executive Officer.
The most important point is that, in today's world, security risk is a board-level conversation and should be sponsored and owned at that level.