In last month’s blog about digitalisation and cyber risk, the subject of convergence was touched on to explain a trend towards increasing organisational collaboration and merged management responsibilities to improve security. This is one example of convergence, a term that’s used widely, but which often has different meanings. Here, Steven Webb and Anthony Leather put forward a proposed definition of security convergence, why it matters and what risks today’s security professionals should be considering.
Westlands Advisory defines security convergence as “the increasing interdependency between technology, systems and processes that results in improved functionality, efficiency and security effectiveness.”
The word convergence is defined as “the process or state of converging” leading to the eventual meeting of different forces at a converged point. For tangibles or intangibles to be converging there needs to be a destination. For example, multi-factor authentication could be described as the destination for a converged solution, combining PIN codes and biometrics to improve security effectiveness.
Security convergence is the result of improvements in information technology. Increasing computing power and the digitisation of businesses has resulted in security innovation, especially related to technological convergence which describes the merging of different technologies into a unified system or platform.
The integration of navigation, camera and music platforms into a single mobile phone is one of the clearest examples of technological convergence, combining multiple functionalities into one device. It also provides an insight into its disruptive effect on ecosystems, business models, operational uses (ie the smart phone as a payment device) and processes (ie learning and development).
Technological convergence doesn’t happen in isolation. It’s enabled by technological improvements and in response to challenges. The mobile phone as a platform for communication, entertainment and media has allowed users to reduce the number, size and weight of devices carried and enabled them to access information and services anytime, anywhere. Applications have provided additional value, combining functionalities to deliver new services.
Security convergence is similar and describes how interaction between technologies, systems and processes improves performance. The impact of the mobile phone example on policing operations has been, and will continue to be, transformative to those operations. While convergence provides benefits to users, it also benefits the CSO who needs to view the performance of security systems, intelligence and risk profiles through a single pane of glass.
Described by three categories
Westlands Advisory suggests that examples of security convergence can be described by three categories: security technology convergence, security systems convergence and security process and organisational convergence. Common to all of these categories is a shared platform that delivers increased performance to the security operator and host organisation.
Security technology convergence describes a set of closely related products that are integrated into a single product to deliver a solution greater than the sum of its parts. The solution is provided by a single vendor.
At the early stage of market development there are often a range of products that meet slightly different requirements. Customers need to procure each product which can lead to a complex and layered security system resulting in inefficiencies and poor user experience. The cyber security market is an example of this, with security analysts often struggling to investigate a threat due to the wide range of products and tools required.
As the market matures, there will continue to be security technology convergence with new platforms combining functionalities to provide customers with a more effective solution. The increasing use of endpoint protection platforms is one example that allows security teams to deploy a solution with protection, detection, investigation and remediation capabilities.
Security systems convergence is the integration of various security systems into a single platform that delivers improved insight to the security operator. Often, the platform combines the technologies of multiple vendors.
Security officers no longer rely solely on video surveillance to gain better situational awareness. Multiple sensor feeds and systems can be integrated into a platform to improve functionality, effectiveness and efficiency. Combining video, audio, social media, analytics and other databases provides operators with greater insight and decision-making tools. In addition to the operational tools, increasingly cyber analytics are incorporated into the products to ensure that the physical system is secure.
Similarly, the emergence of security orchestration, automation and response solutions in cyber security combines a variety of technologies from different vendors into a single platform to improve the value of the products to an IT security analyst. The business case for investing includes improved detection rates and less time spent on investigation and remediation. It also tackles the problem of managing multiple vendor products.
Security process and organisational convergence
Security process and organisational convergence is the increased integration and improved collaboration between departments through shared platforms, systems and processes. Through improving collaboration and uniting operational teams under shared leadership, the goal is to develop a more resilient and responsive organisation, eliminating conflicting plans and processes and uniting under one organisational approach to security.
From an enterprise perspective, ongoing digital transformation has delivered significant benefits to organisations, improving customer relationships, productivity and employee engagement. This has also resulted in an over-reliance on IT systems and increased exposure to cyber attacks which means organisations need to improve collaboration between previously independent teams. To take an obvious example, it would have been rare for the IT network security manager to ever meet with the physical security officer. However, as physical systems have become digital, and are often connected to the enterprise network, there’s now a possible threat to network security from vulnerabilities in the video surveillance system.
Equally so, the risk associated with the insider threat posed to the IT network requires physical security teams to ensure staff are restricted to certain areas and are only able to access approved terminals.
Going further still, as operating technology is increasingly connected to the Internet, the risk of a cyber-physical event will increase. Understanding the organisational threat in an increasingly connected and interdependent organisation has led to approaches such as Enterprise Security Risk Management, which is strongly advocated by ASIS International, as well as collaborative business continuity platforms to log risks and share operational plans.
The convergence of management structures, processes and plans is designed to reduce risk and facilitate effective response and disaster recovery.
Measuring the value of security convergence
The theory is that a converged solutions and operations backbone will increase value, reduce risk and improve security. However, just because technologies have been combined, or systems merged, doesn’t necessarily mean that security operators will receive a better service. In fact, there are well documented cases where an over-engineered, converged security solution has failed to improve the status quo. Nevertheless, generally converged solutions should provide a better service and return on investment for the organisation.
Beyond considering the lifetime cost and compliance, decision-makers should test a new solution against a series of benchmarks as follows:
*Performance – Is the solution reliable and scaleable?
*Risk reduction – Will the solution improve detection and response?
*Productivity – Will the solution save analyst’s time, improve the user experience and provide reporting tools?
*Operational – Will the solution improve collaboration, facilitate data sharing and simplify processes?
*Implementation – Is the solution implementable and will it gain trust within the organisation?
It’s also important for organisations to understand the training requirement. A new technology solution may not require much training compared to systems convergence which can create an overload of information and technical processes that overwhelms the skill sets of security operators. Organisations need to consider whether staff have the requisite skills or capacity to learn, and the impact that this will have on both the cost and value of the solution.
When evaluating the benefits of security convergence, it’s important that organisations think beyond the technology and consider the organisational impact of new solutions on people and operations.
Security convergence is a continuing trend and one that’s unlikely to disappear as a topic of conversation. Digital and technology innovation will deliver new capability and opportunities, while threats will continue to change in response to innovation.
Security and risk management-focused professionals should frequently evaluate the benefits of security convergence in relation to business goals and objectives, while at the same time monitoring the risks associated with shared systems and networks.
Steven Webb and Anthony Leather are Directors of Westlands Advisory (www.westlandsadvisory.com)
*Westlands Advisory is happy to provide more information to interested organisations on the subject of security convergence. Send an e-mail to email@example.com or contact Steven Webb at firstname.lastname@example.org