Security Convergence: Moving Towards Organisational Collaboration

Steven Webb


In last month’s blog about digitalisation and cyber risk, the subject of convergence was touched on to explain a trend towards increasing organisational collaboration and merged management responsibilities to improve security. This is one example of convergence, a term that’s used widely, but which often has different meanings. Here, Steven Webb and Anthony Leather put forward a proposed definition of security convergence, why it matters and what risks today’s security professionals should be considering.

Westlands Advisory defines security convergence as “the increasing interdependency between technology, systems and processes that results in improved functionality, efficiency and security effectiveness.”

The word convergence is defined as “the process or state of converging” leading to the eventual meeting of different forces at a converged point. For tangibles or intangibles to be converging there needs to be a destination. For example, multi-factor authentication could be described as the destination for a converged solution, combining PIN codes and biometrics to improve security effectiveness.

Security convergence is the result of improvements in information technology. Increasing computing power and the digitisation of businesses have resulted in security innovation, especially related to technological convergence, which describes the merging of different technologies into a unified system or platform.

The integration of navigation, camera and music platforms into a single mobile phone is one of the clearest examples of technological convergence, combining multiple functionalities into one device. It also provides an insight into its disruptive effect on ecosystems, business models, operational uses (i.e. the smart phone as a payment device) and processes (i.e. learning and development).

Technological convergence doesn’t happen in isolation. It’s enabled by technological improvements and in response to challenges. The mobile phone as a platform for communication, entertainment and media has allowed users to reduce the number, size and weight of devices carried and enabled them to access information and services anytime, anywhere. Applications have provided additional value, combining functionalities to deliver new services.

Security convergence is similar and describes how interaction between technologies, systems and processes improves performance. The impact of the mobile phone on policing operations has been, and will continue to be, transformative. While convergence provides benefits to users, it also benefits the CSO who needs to view the performance of security systems, intelligence and risk profiles through a single pane of glass.

Described by three categories

Westlands Advisory suggests that examples of security convergence can be described by three categories: security technology convergence, security systems convergence and security process and organisational convergence. Common to all of these categories is a shared platform that delivers increased performance to the security operator and host organisation.

Security technology convergence describes a set of closely related products that are integrated into a single product to deliver a solution greater than the sum of its parts. The solution is provided by a single vendor.

At the early stage of market development there is often a range of products that meet slightly different requirements. Customers need to procure each product, which can lead to a complex and layered security system resulting in inefficiencies and poor user experience. The cyber security market is an example of this, with security analysts often struggling to investigate a threat due to the wide range of products and tools required.

As the market matures, there will continue to be security technology convergence with new platforms combining functionalities to provide customers with a more effective solution. The increasing use of endpoint protection platforms is one example that allows security teams to deploy a solution with protection, detection, investigation and remediation capabilities.

Security systems convergence is the integration of various security systems into a single platform that delivers improved insight to the security operator. Often, the platform combines the technologies of multiple vendors.

Security officers no longer rely solely on video surveillance to gain better situational awareness. Multiple sensor feeds and systems can be integrated into a platform to improve functionality, effectiveness and efficiency. Combining video, audio, social media, analytics and other databases provides operators with greater insight and decision-making tools. In addition to the operational tools, increasingly cyber analytics are incorporated into the products to ensure that the physical system is secure.

Similarly, the emergence of security orchestration, automation and response solutions in cyber security combines a variety of technologies from different vendors into a single platform to improve the value of the products to an IT security analyst. The business case for investing includes improved detection rates and less time spent on investigation and remediation. It also tackles the problem of managing multiple vendor products.

Security process and organisational convergence

Security process and organisational convergence is the increased integration and improved collaboration between departments through shared platforms, systems and processes. Through improving collaboration and uniting operational teams under shared leadership, the goal is to develop a more resilient and responsive organisation, eliminating conflicting plans and processes and uniting under one organisational approach to security.

From an enterprise perspective, ongoing digital transformation has delivered significant benefits to organisations, improving customer relationships, productivity and employee engagement. This has also resulted in an over-reliance on IT systems and increased exposure to cyber attacks which means organisations need to improve collaboration between previously independent teams. To take an obvious example, it would have been rare for the IT network security manager to ever meet with the physical security officer. However, as physical systems have become digital, and are often connected to the enterprise network, there’s now a possible threat to network security from vulnerabilities in the video surveillance system.

Equally so, the risk associated with the insider threat posed to the IT network requires physical security teams to ensure staff are restricted to certain areas and are only able to access approved terminals.

Going further still, as operating technology is increasingly connected to the Internet, the risk of a cyber-physical event will increase. Understanding the organisational threat in an increasingly connected and interdependent organisation has led to approaches such as Enterprise Security Risk Management, which is strongly advocated by ASIS International, as well as collaborative business continuity platforms to log risks and share operational plans.

The convergence of management structures, processes and plans is designed to reduce risk and facilitate effective response and disaster recovery.

Measuring the value of security convergence

Anthony Leather


The theory is that a converged solutions and operations backbone will increase value, reduce risk and improve security. However, just because technologies have been combined, or systems merged, doesn’t necessarily mean that security operators will receive a better service. In fact, there are well documented cases where an over-engineered, converged security solution has failed to improve the status quo. Nevertheless, converged solutions should generally provide a better service and return on investment for the organisation.

Beyond considering the lifetime cost and compliance, decision-makers should test a new solution against a series of benchmarks as follows:

* Performance – Is the solution reliable and scalable?

* Risk reduction – Will the solution improve detection and response?

* Productivity – Will the solution save analysts’ time, improve the user experience and provide reporting tools?

* Operational – Will the solution improve collaboration, facilitate data sharing and simplify processes?

* Implementation – Is the solution implementable and will it gain trust within the organisation?

It’s also important for organisations to understand the training requirement. A new technology solution may not require much training compared to systems convergence which can create an overload of information and technical processes that overwhelms the skill sets of security operators. Organisations need to consider whether staff have the requisite skills or capacity to learn, and the impact that this will have on both the cost and value of the solution.

When evaluating the benefits of security convergence, it’s important that organisations think beyond the technology and consider the organisational impact of new solutions on people and operations.

Security convergence is a continuing trend and one that’s unlikely to disappear as a topic of conversation. Digital and technology innovation will deliver new capability and opportunities, while threats will continue to change in response to innovation.

Security and risk management-focused professionals should frequently evaluate the benefits of security convergence in relation to business goals and objectives, while at the same time monitoring the risks associated with shared systems and networks.

Steven Webb and Anthony Leather are Directors of Westlands Advisory (www.westlandsadvisory.com)

*Westlands Advisory is happy to provide more information to interested organisations on the subject of security convergence. Send an e-mail to info@westlandsadvisory.com or contact Steven Webb at steven.webb@westlandsadvisory.com

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
