SecurityDreamer. The Future of Security.

February 26, 2007

Best Practices for the CSO: Convergence Works

I just read Dan Dunkel's article in Today's Systems Integrator, a newsletter directed toward security integrators. The discussion this month was on the CSO Executive Council's Bob Hayes' dislike of the term "convergence" when applied to security.

Bob’s complaint is that it “misses the mark from the executive and management perspectives.”

I think that convergence is nothing but goodness, especially when you think of it as collaboration, communication, alignment, understanding, and the other characteristics of truly "coming together." The physical security industry, and frankly the IT security industry that Bob Hayes' group is mostly focused on, are not typically the most collaborative business units in an organization. Although, in my experience, the IT folks are infinitely more collaborative with business units than the physical security folks. But still, neither is great at it.

The CSO Executive Council is an organization of security executives, mostly with IT backgrounds, but also many with awareness of or new oversight of physical security. The organization publishes best practices for senior security managers, mostly with an IT flavor. In fact, many more IT managers are tapped to lead "convergence" initiatives than their counterparts in physical security, so the CSO Executive Council serves an important role. Frankly, no other organization (ASIS, Open Security Exchange, ISSA, the Alliance) has stepped up to provide CSO leadership like the CSO Executive Council has.

But I digress. Convergence, which forces communication and understanding, can only improve these troubled disciplines.

I think what Bob and the CSO Executive Council probably balk at is the draconian approach to convergence: the sometimes foolish and often misinformed crunching together of IT security and physical security personnel into one management group. Nine times out of ten, that's a train wreck. But working together toward a common goal on projects that highlight the skills and experience of the various parties, that's a management best practice.

Security convergence is a market force already generating billions in revenue and new organizational value. And security convergence is making both IT security and physical security better.

Comments

We believe there are two forms of convergence: convergence between physical security and data (IT) security systems, and convergence between physical security and the IT infrastructure. Both require collaboration between the physical security and IT departments, but don't necessarily mean the systems are truly integrated.

Take FIPS-201 from the federal government. This requires interaction between the two groups, but does not necessarily mean the physical and data security systems are actually "converged"; only that they use the same card, which may have multiple technologies embedded.

"Convergence" is a broad term, and must be broken down further before physical security and IT people understand and accept it.

I believe what Bob and the CSO Executive Council are saying is that for True Convergence to work there have to be higher business goals or, as OSE (www.opensecurityexchange.com) calls it, "Business Drivers". Unless the "executive and management perspectives" are aligned with an Organization's Objectives, IT & Physical Security Convergence (or for that matter any other kind, like Phone & Network Convergence for VoIP, etc.) will remain a distant dream. Watch out for the soon-to-be-released OSE Convergence Roadmap(sm) that drives this point home, helping Security Managers think about Convergence w.r.t. an Organization's Business Drivers and providing a detailed roadmap (w/ examples and case studies) on how to achieve it.

So Steve's approach of "convergence goodness, thinking of it as collaboration, communication, alignment, understanding, and the other characteristics of truly coming together" is sharp, though it should yield to a higher organizational goal that makes Board Member/CxO heads turn.

I've been eagerly awaiting the Convergence Roadmap from OSE. We all have different ways of defining convergence and applying it toward business drivers within an organization. However, the OSE will help legitimize these plans and provide more formal definition and consistency to the term "convergence". When can we expect to see it?

I just saw a preview of the OSE Roadmap at TechSec. Frankly, it looked surprisingly similar to a paper I wrote at Forrester a couple years ago... Anyway, I think it's coming out soon.

Regarding the two types of convergence, I generally describe convergence as a hierarchy of three levels:

  • Highest level: the convergence of physical security with IT (computers, software and networking, policies, processes).
  • Next level down (also technical): the convergence of physical security with IT security.
  • Third (and last, from my point of view): the convergence of physical security people with IT people.

Your third point, convergence of the people, is probably the biggest challenge. We're talking about two completely different cultures, skills, mindsets, processes and many other things. This may be the most limiting factor of convergence.
