02 Apr The convergence conundrum!
We may have figured out how to get our physical security and our IT security systems to talk to each other, but what good is it if the people who run these departments still don’t know how to converse? Philip Ingram MBE makes the case for blended security teams.
The measure of security success is that nothing happens. Whether that nothing is because a physical threat or a cyber threat has been mitigated matters not; the key is that the threat has been dealt with. However, when it comes to integrating security requirements with the needs of the wider business, nothing happening is not always the best result when asking for or justifying security capability.
Ellie Hurst, the Head of Marcomms and Media with Advent IM, a leading UK-based holistic security consultancy, says of the companies she has to deal with, “some get it absolutely brilliantly, some are nailing it and are building blended multi-skilled security teams that can work across a variety of disciplines across infosec and physical security. There are others that want to do everything from arm’s length, they don’t really want to engage with their security professionals, if they can buy a piece of kit rather than engaging with their security teams then they will do that.”
Bringing together the two historically separate disciplines of physical security and cyber security is referred to as convergence, and it is becoming essential as integrated security solutions form the backbone of smart cities, smart complexes and smart buildings. Devices traditionally considered physical security devices are increasingly connected to a network and form data-heavy endpoints that have in the past been exploited to get into networks.
The explosion of IP-enabled security devices as part of the global Internet of Things growth is creating an Internet of Security Things, making the need to integrate the physical and cyber security disciplines more apparent.
Going one step further, many traditional manufacturers of physical security devices now see themselves first and foremost as software houses. Paul Dodds, with the forward-thinking technology provider Genetec, said, “We may have certain hardware components within our portfolio but first and foremost we are a software house. Our focus is the provision of clever technology to provide real outcomes to our end users.”
Some feel that is not going far enough. Marshall Sanders, vice president of corporate security and CSO with Level3 Communications, said in an article in CSO magazine that “convergence is the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management.”
That takes the ‘nothing happens is success’ requirement to the next level, but it is what every company, every employer, should strive for. However, Ellie Hurst reminded me of the old Chinese saying, “A fish rots from the head down,” and she added, “[Responsibility and understanding] starts at the top, a casual disinterest in security can have disastrous results further down,” as she alluded to the culture set by some CEOs and MDs.
However, “security needs to up its game in the way it communicates with its business colleagues,” she went on to say. “Being really lucky looks too like being really good from a business perspective and unfortunately, sometimes it takes a serious incident to occur before security is taken seriously,” she added. Talking business is critical.
This opens up a debate as to whether the Chief Security Officer should first and foremost be a security professional or a business professional, and where the focus should lie. With ‘luck’ and ‘being good’ on the same spectrum, it is critical that the lead for security in any organisation has the ability to demonstrate a return on any security investment. In the UK there are currently no laws mandating security standards or requirements, but this is where some Middle East regions have an advantage.
For example, in 2015 Dubai Municipality’s Department of Buildings said that a blueprint of the CCTV security system must be submitted along with the final licence application for multi-storey and commercial buildings. These blueprints must be designed by companies that have been approved by Dubai Police’s Department of Protective Systems. This is a level of oversight that will mandate standards, but not everyone is that lucky. Many countries do not have mandated requirements, or do not yet have security standards in primary legislation that would force standards or solutions on boards.
There are signs, however, that the culture is changing. One indicator is the skills recruiters are looking for in the security professionals they are recruiting. Hurst said, “the workforce survey of 2018, a global survey, looked at what employers were looking for in terms of security technical and business skills.” It basically said that technical skills should be a given, but we need people who can communicate with businesses. This indicates that maybe security professionals are good at communicating among themselves, and that those who understand the business side are in fact a rare breed.
What we are seeing now in our CSOs is, in essence, a need not just for a convergence between physical and cyber, but for a convergence between physical, cyber and business capabilities.