“With enterprise risk, you have to build all the security disciplines into it,” says Ray O’Hara. Still, Bill Crowell admits that we all are “off to a slow start.” He does see emergence – one day – of a whole new profession that will bring together physical and logical security. “Specializing in one and ignoring the other is not satisfying,” Crowell understates. On Joey Sudomir’s wish list is “a more natural convergence. The change bringing newer types of physical security such as IP video to IT’s common, standardized infrastructure is a positive step.”

Convergence is challenging and controversial.

Some enterprise security leaders have embraced it. Their traditional system integrators are climbing on board. And value added resellers or VARs coming from the IT side are starting to work convergence, often entering into physical security with help from in-house IT and the chief information officer.

One indicator of the increased aggressiveness of IT-centric VARs into physical security came late last year when Ingram Micro, the world’s largest technology distributor, introduced a new physical security division. Its channel partners now access a variety of physical security products. “We’ve been watching the growing convergence of IT security and physical security and have established this division in anticipation of their eventual synthesis,” said Keith Bradley, president, Ingram Micro North America, at the time.

“Physical security companies and IT VARs. Which way to go? They will all go head to head with United Technologies Corporation and Cisco Systems being examples of the end game, from a vendor perspective,” says O’Hara, ASIS International’s 2010 president-elect and senior vice president at Andrews International.

Still, for early convergence adopter chief security officers, convergence as a descriptor may be overworked.

There are those who feel it’s the term that should be killed off and not the concept. In an article in the March 2010 Security magazine, under the feisty banner, “Let’s Forget Convergence,” the author proposes that “convergence” has become an ineffective word that unintentionally slanders some truly game-changing ideas. For instance, in that article, Dave Kent, vice president of global risk and business resources for Genzyme, says, “We used ‘convergence’ early on. We started bringing together physical and IT security in the late 1990s, when ‘convergence’ was the leading edge. There seems to be less clarity around it now than there was back then.”

Well, wishing and hoping is one thing.

Collaboration on the people side and interoperability on the systems side is quite another.
The ability to work together – whatever name you call it or reputation it has – is a forever business concept.

Things get decidedly dicey or opportunist – depending on that half glass of water thing – when getting around to identity management. A convergence hurdle, “It’s slowing progress but also is a fundamental place where both [physical and logical security] converge. It has been plagued with a large number of solutions aimed at one or the other. Smart cards? Combining a smart card with a proximity card in a single credential is a solution. But there are business problems such as the potential need for readers on every desk and in every laptop,” says Crowell, coauthor of Physical and Logical Security Convergence: Powered by Enterprise Security Management, with Brian Contos, Colby Derodeff and Dan Dunkel.

“What we are looking for is a more fundamental credential,” points out Crowell, who now specializes in information technology, security and intelligence systems. He is former chairman of Broadware Technologies and former CEO of computer security pioneer Cylink Corporation, acquired by SafeNet after partial ownership of it was spun off by Honeywell Corporation during its acquisition of Pittway, the latter then a major physical security and distribution player.

By the way, if such “what corporation acquires which” details are dizzy for the average security director, future big name industry acquisitions may prove the fastest pathway to security convergence. But more on that later.

In the meantime, today’s convergence efforts aim at all the stakeholders being at the same table, especially when it comes to protecting intellectual property, data and data centers, says O’Hara. Where are we now? Things are still emerging, and O’Hara believes that it is not a top down initiative. It’s bottom up.

There’s lots of action that’s always been going on at the bottom, or rather in those silos.

No doubt, “silos” is the much-preached word of the day, as reengineering was in the 1990s, and Peter Drucker’s phrase that pays, the knowledge worker in the early 1950s. But, when taking the kitsch out of the silo, there still remains separate areas – physical security and information security with a bow to building and facilities management – that have their own skills and knowledge bases; their own tools; their own threats and risks; their own perception by the C-Suite folks; and, in essence, their own territories.

Just as reengineering had its obvious business benefits during its hay-day, convergence does, too. 

One benefit is a no-brainer to Mike Snyder, partner, GSC Consultants, and who owns a unique background as president of ADT North America and CEO of Vonage Holdings. He suggests that the cost of operation will reduce and that there will be more investment in technologies.

A necessary focus on standards will sharpen. Maintaining stringent standards of security is a crucial enabler toward achieving organizations’ business objectives, suggests Neil Campbell of Dimension Data, a specialist IT services and solution provider. By adopting a strategy that allows organizations to prevent, detect and respond to threats – and honing that strategy with the insight and ongoing help of trusted advisors and integrators, who understand and are immersed in infrastructure, security strategy and overarching business goals, organizations are well en route to achieving a more effective and strengthened security posture, he advises.

Another convergence benefit is open architecture. Anthony Onorati, James Bracone and Laurin Rollins of Risk Controls Strategies, Inc., speak as one when pointing out that in the past, physical security had always been designed with closed architecture in mind. These systems had limited capabilities to the outside world. At the most, they used to dial up the central station to report an alarm or the security integrator would buy an overpriced piece of hardware or software to connect to their installed systems to perform simple programming or diagnostics. Today, in the natural progression of convergence, new synergistic elements need to be considered in the grand scheme of things.

Of course, whatever the benefits and drivers, there is always cost to contend with.

There will be more innovation, more productive thinking outside of the box. “When you have different groups come together, they often come up with different ideas,” comments Bill Jacobs of Next Level Security Systems. “The question is, at some point, all these groups want to be recognized, seen as leaders and show management that they have a brain and their solution has value to the enterprise.” But, he warns, convergence must not just reduce to job retention and budget renewal. When all is said and done, Jacobs adds, “the primary business benefit is the reduction of risk.”

In the corporate world, the case for physical and logical security convergence is difficult to make, suggests Jacobs. When you speak to CFOs, they ask: What are you trying to achieve; what does it cost; and what is the return on the investment. Physical and logical security convergence may not have a tangible result that can be quantified in terms of ROI or net present value.

Cost aside, however, based on commonsense and business benefits, convergence has a toe-hold. But, beyond how fast to move to the finish line, the question remains as to what road to take to the endpoint.
Pathways can include:

• Collaboration over specific projects
• Use of convergence savvy integrators
• The network and infrastructure factor
• The IP security video factor
• Continued consolidations in the physical and IT industries
• Cyber crime added to the mix

Let’s look at the pathways in more detail.

When these integrators work with enterprise security executives, there most often is involvement from in-house IT, too. Still, “the best applications and providers win out. But you will also see influence from the Ciscos and IBMs for platform functionality,” advises Snyder.

A key element in this pathway is trust – trust in systems and processes, technologies and strategies. And when selecting a systems integrator to partner with, trust also takes center stage, as companies are increasingly seeking to partner with not just any integrator, but rather a “trusted advisor” who understands and is immersed in their infrastructure, security strategy and overarching business goals – as well as the broader security market, including both the threat and vendor landscape.

But if we all work together, that’s good. Work that is silo-ed is just wasting energy and time, adds Jacobs. On the logical security side, some solutions may be similar but different enough that there is a waste of time pursuing a converged answer, he adds.

Other applications cry out for convergence. For example, if an employee didn’t card into a building, he or she is not allowed into the network, if the enterprise has that as a business rule. It could significantly cut down on employee tailgating. And the business would have a greater level of granularity about how buildings are used to reduce the real estate footprint and save on energy costs.

An obstacle, video devices that do not work together or within the larger system, is being quickly overcome. The Physical Security Interoperability Alliance, for one, is a global consortium of myriad physical security manufacturers and system integrators focused on interoperability of IP-enabled security devices across all segments of the security industry. As an example, IQinVision, a PSIA member, was among four open system vendors that conducted a joint live demonstration of IP technology interoperability at ASIS International 2009. The firm, with Exacq Technologies and Firetide, showed how standards-based solutions can integrate and be supported in the field.

Unfortunately, the software industry grew to power the American high technology engine with a blind eye toward security concerns, to our collective detriment. During the late 1990s’ tech wreck, the deployment of fiber optic networks at pennies on the dollar wired the world allowing mobility and social networking to exacerbate this security problem and today we find our digitally connected world at serious risk.

Today security professionals face cyber crime on an unprecedented level as hackers, global organized crime syndicates, and nation-state actors threaten national security and the global economy. The trend is so enormous that it is rapidly rewriting international business rules and the job description for the 21st Century security executive.

For instance, the McAfee Corporation reveals in 2009 international businesses lost over one trillion dollars in intellectual property due to data theft and cyber crime. So cyber security is more than simply the protection of all things Internet and involves people, partners and policy. The concept grew out of necessity as business operations embraced Web 2.0 technologies to leverage online collaboration and information sharing on a global scale and in real-time. The growth of the Internet has been a doubled-edged sword of business opportunity and risk. The roles of the CSO and CIO remain to protect the operation and integrity of the business, and it must evolve rapidly with the technology cycle to answer new age risks.

As information is being generated by more people and deployed to more remote devices, we compound our risks. The technology road map has pushed information from computer room to desktop to laptop to handheld. As a result, the responsibility for security protections has quickly outgrown the capabilities of the internal IT department. They still have a vital role to play, but securing business operations against supply chain fraud, corporate espionage, intellectual property theft, and traditional criminal activity remains the responsibility of the security executive. Cyber crime is still crime.

In these early months of 2010, it is interesting to consider how cyber crime will impact the security profession.

Over the last five years the traditional physical security industry (if that description still applies) has embraced convergence with their IT colleagues, albeit reluctantly in some cases. The next two years will see an accelerated convergence between physical and cyber security policies. The threat is too big to ignore any longer. The FBI recently warned small- and medium-sized business owners that they are under attack by organized hackers who systematically penetrate their commercial bank accounts, credit unions, or third party providers because these firms lack proper cyber defenses. The stakes are very high and they involve businesses of all sizes and geographic locations.

This warning points to the weak link theory enacted by cyber criminals. Cyber crime leverages new technical capabilities to threaten the successful operation of a business and/or its supply chain of regional, national and global partners. These criminal activities have a range equal to cyber space and capitalize upon a lack of coordinated law enforcement efforts to stop them, and until recently ignorance of the threat. Today’s emerging security executive understands the importance of a policy that blends the converged physical/logical domain with cyber security defenses to defend the brand.
There simply is no alternative. Cyber policy must be integrated with ongoing convergence efforts. We have entered a new era of security risk.