“We started bringing together physical and IT security in the late 90s, when ‘convergence’ was the leading edge,” he says. “There seems to be less clarity around it now than there was back then. It has gone from this grand idea of tying together risk-related functions to ‘Do your physical systems reside on the IT backbone?’ at the lowest level.”

Language exists to communicate meaning. If we can’t decide on a meaning for a word after all this time, maybe we should pack it up and retire the word. There are other terms that more narrowly and, perhaps, more accurately describe the various elements that different people equate with convergence. For instance, Terry Neely, President of PlaSec Inc., finds “systems interoperability” and “systems collaboration” helpful phrases to describe physical security systems’ cooperation with the other systems on the IT apparatus. Dave Kent refers to the organizational side of “convergence” – that is, the merging of the physical and information security business functions, as well as other functions in many cases, under common leadership – as a “unified model” of management.

Yes, these terms may need to be defined on occasion as well, but at least you know right away whether you’re talking about technology or business structure. Surely that’s a step up.

2. Because it implies a singular “rightness.” Industry bloggers, experts and watchers have been known to deride some security programs or technology implementations as employing less than “true convergence.” The word’s abstractness (see #1) appears to lend it a sense of superiority; the idea is that “convergence” is a very hard-won thing, like the Holy Grail of security, and if you don’t do it just so, then it isn’t really “convergence.” However, due to the inherent differences in security programs and the businesses they protect, there is no such thing as “true convergence,” and neither should there be. 

What works well in one company or with one set of systems or infrastructure, may not work at all in another, says John McClurg, vice president of Honeywell Global Security and a member of the Board of Advisors of the Security Executive Council. “Converged organizations come in all shapes and sizes and with varying degrees of seamlessness,” he says. Rather than one correct “converged” model, he says, “it’s more of a spectrum across which various organizations can distribute themselves in a converged world. Notwithstanding the temptation we often struggle with to see something as an exact science, this truly is an art. And art is that about which rational minds can and do differ.”

3. Because it doesn’t speak to management. “Here’s what best describes our program,” says Genzyme’s Dave Kent: “It’s a business security program, with an emphasis on risk as it relates to people, information, and products that are brought in contact with risk through global operations.” “Risk” is what corporate management and the Board of Directors are interested in.

In most cases, “convergence” doesn’t convey that focus. When it is defined for management (see #1), here’s what they’ll hear: “We want to combine business units (friction, tension, change) and our IT and physical security technology (expense, interruption, hassle).” “Convergence” puts the focus on change, cost, discomfort, on pushing two things together. And since you have to define it before you can talk about its benefits, all those negative connotations will be right up front to block the view of any business value you go on to propose.

It’s hard to win talking about “convergence.” It’s more effective to talk about risk. You want to reduce a duplication of effort and cost among various business units. You want to ensure greater protection of intellectual property and physical assets by managing risk in a holistic manner, combining physical and logical security technology and staff to accomplish better security. You want to improve information sharing between functions to better enable the identification of untapped efficiencies. That’s what speaks to management.

The thrust of all this is that “convergence” has become an ineffective word that unintentionally slanders some truly game-changing ideas. Bringing business units and technologies together to better address and manage risk is not only smart but necessary, and it’s a move from which many organizations have gleaned spectacular results.

 
“In the early days when hacking and phreaking were just emerging as threats that the IT community was concerned with, I had occasion to go up against a phreaker who, with a rather unsophisticated pick set, had breached the 30-year-old locks on the doors of central offices of the phone company,” says McClurg, who ran security for a major communications company prior to joining Honeywell. “With that set he opened up the door into a realm in which he gathered passwords, equipment, and other things that enabled him to go back to his apartment, study them up, and advance a cyber attack that was far more sophisticated than he’d ever been able to conduct before.”

The unified structure under which Honeywell Global Security operates allowed McClurg to find efficiencies in risk assessment, for one. “With our business hat on, we’re looking for ways to deliver security services in the most economically efficient manner possible. An example in the business world would be combining IT and physical security risk assessments. Traditionally, you knock on the door of a business unit one week saying ‘We need to do an IT security review’ – you disrupt business, engage the employees in trying to extract the information necessary, and produce a report that you want them to read and digest. Then two weeks later, you knock on the door and the physical security guys do the same thing all over again. Convergence in that realm means doing your risk assessments in a converged way as well, so you knock only once, and you deliver one final product that provides full-spectrum visibility to your customers as to what the issues are and what action they should take. Less time, less money, more comprehensive, more enlightening. And you’re more likely to be engaged and viewed as a true partner in the business environment rather than a cost of doing business.”

On the technology side, Terry Neely of PlaSec Inc. describes how interoperable access control systems can provide benefits. “Once you’re able to authenticate a person’s identity, you’re able to correlate it to his physical location, and you can start writing all kinds of very nice authentication rules as to what he’s allowed to do where and when. It can be anything from financial institution regulations and governance, to setting different access provisions if you’re out of the country and you want to transmit intellectual property information from your hotel room, for example,” says Neely. “One of the things I see happening is physical access control becoming accessible to IT tools and practices, so that if there’s a change in the security posture on the network it can also put my doors into two-factor authentication or lock my data center doors.”

Dave Kent has used interoperable systems to both centrally monitor global operations and to keep watch on his company’s supply chain. “We have a centralized program for product security, and the tools that are at work in that system notifies us when we have supply chain problems, even just operational supply chain problems, or products that haven’t arrived on time or have been stolen. There’s no better example of a business driver than being able to deliver product to your customers, and this investigative process, the security of the product, the network aspect or control system for monitoring the product in the supply chain, are all interlinked and come back into one central system.”

“Our service center is another good example,” continues Kent. “We have 14 manufacturing plants and more than 100 locations, and we have one point of control with one access card all around the world, with four staff members handling it. And they’re not only doing physical security, they’re monitoring travelers around the world; they monitor the wireless intrusion system for the wireless networks; they have all sorts of intelligence coming in. The world is really just a virtual campus based on technology. You get the efficiencies of thinking like you’re one location.”

So yes, it is simplistic to blame the slow growth of interoperability and structural unification on the word we use to describe them. Yes, other factors are at play. Yes, if you use the word carefully and specifically in your program, you and your colleagues can share a clear understanding of its meaning. But how we speak impacts how we think as well as how we’re viewed by others. If “convergence” lacks meaning, both within our industry and in the eyes of the businesspeople you need to influence, maybe it’s time to leave it behind.