Let’s Forget Convergence
The word “convergence” ushered itself into the security industry more than 10 years ago, but it wasn’t until the early Aughts that every industry manufacturer, magazine and communiqué began bandying the term about like a puck on a hockey rink. Is anyone else tired of it?
This is certainly not to say that the concepts that make up “convergence” aren’t wise and shouldn’t be incorporated in some way into every security program. But I’m convinced that the way we talk about those concepts is hampering their growth and adoption. Let’s start with three reasons to strike “convergence” from our vocabulary.
1. Because even we don’t know what it means. “Convergence” is no longer a new term. The fact that it has to be constantly defined, even in writings and seminars within our own industry, is not a good sign. “We used ‘convergence’ early on,” says Dave Kent, vice president of global risk and business resources for Genzyme and a member of the Board of Advisors of the Security Executive Council.
“We started bringing together physical and IT security in the late 90s, when ‘convergence’ was the leading edge,” he says. “There seems to be less clarity around it now than there was back then. It has gone from this grand idea of tying together risk-related functions to ‘Do your physical systems reside on the IT backbone?’ at the lowest level.”
2. Because it implies a singular “rightness.” Industry bloggers, experts and watchers have been known to deride some security programs or technology implementations as employing less than “true convergence.” The word’s abstractness (see #1) appears to lend it a sense of superiority; the idea is that “convergence” is a very hard-won thing, like the Holy Grail of security, and if you don’t do it just so, then it isn’t really “convergence.” However, due to the inherent differences in security programs and the businesses they protect, there is no such thing as “true convergence,” and neither should there be.
What works well in one company or with one set of systems or infrastructure, may not work at all in another, says John McClurg, vice president of Honeywell Global Security and a member of the Board of Advisors of the Security Executive Council. “Converged organizations come in all shapes and sizes and with varying degrees of seamlessness,” he says. Rather than one correct “converged” model, he says, “it’s more of a spectrum across which various organizations can distribute themselves in a converged world. Notwithstanding the temptation we often struggle with to see something as an exact science, this truly is an art. And art is that about which rational minds can and do differ.”
3. Because it doesn’t speak to management. “Here’s what best describes our program,” says Genzyme’s Dave Kent: “It’s a business security program, with an emphasis on risk as it relates to people, information, and products that are brought in contact with risk through global operations.” “Risk” is what corporate management and the Board of Directors are interested in.
In most cases, “convergence” doesn’t convey that focus. When it is defined for management (see #1), here’s what they’ll hear: “We want to combine business units (friction, tension, change) and our IT and physical security technology (expense, interruption, hassle).” “Convergence” puts the focus on change, cost, discomfort, on pushing two things together. And since you have to define it before you can talk about its benefits, all those negative connotations will be right up front to block the view of any business value you go on to propose.
Interlinked Threats Are Not Best Addressed in Silos
In Honeywell’s 2007 benchmarking study “Enterprise Threat Management and Security Convergence” only 30 percent of respondents claimed to have seen an interlinked breach – a physical security breach causing an IT security threat, or vice versa. However, nearly 73 percent of respondents believe vulnerability to such breaches exists. Honeywell’s McClurg easily relates examples of interlinked threats.
“In the early days when hacking and phreaking were just emerging as threats that the IT community was concerned with, I had occasion to go up against a phreaker who, with a rather unsophisticated pick set, had breached the 30-year-old locks on the doors of central offices of the phone company,” says McClurg, who ran security for a major communications company prior to joining Honeywell. “With that set he opened up the door into a realm in which he gathered passwords, equipment, and other things that enabled him to go back to his apartment, study them up, and advance a cyber attack that was far more sophisticated than he’d ever been able to conduct before.”
McClurg has also seen interlinked threats that run in the other direction, using cyber vulnerabilities to attack physical entities. “Supervisory control and data acquisition systems can be remotely accessed in order to control physical systems which, if not properly secured, can be compromised to undermine the physical wellbeing of the systems those SCADAs control,” he says.
Collaborative Models Provide Business Value
Both a unified structure of security management and a judicious use of interoperable systems technology truly can provide significant business value.
The unified structure under which Honeywell Global Security operates allowed McClurg to find efficiencies in risk assessment, for one. “With our business hat on, we’re looking for ways to deliver security services in the most economically efficient manner possible. An example in the business world would be combining IT and physical security risk assessments. Traditionally, you knock on the door of a business unit one week saying ‘We need to do an IT security review’ – you disrupt business, engage the employees in trying to extract the information necessary, and produce a report that you want them to read and digest. Then two weeks later, you knock on the door and the physical security guys do the same thing all over again. Convergence in that realm means doing your risk assessments in a converged way as well, so you knock only once, and you deliver one final product that provides full-spectrum visibility to your customers as to what the issues are and what action they should take. Less time, less money, more comprehensive, more enlightening. And you’re more likely to be engaged and viewed as a true partner in the business environment rather than a cost of doing business.”
Words Matter
A 2007 study developed by Deloitte for the Alliance for Enterprise Security Risk Management concluded that “convergence” was developing at a slow pace, and that visionaries were leading the way. Clearly, many factors play into this delay. Dave Kent notes that it’s one thing to implement a unified management structure when your model can grow along with a growing company, and it’s quite another to go to the management of an 80-year-old organization and say, “I’m going to tear down what you’ve built and put in this because it’s a better idea.” This is the situation in which many leaders find themselves. PlaSec’s Neely claims that end users want what interoperable systems have to offer, but in many cases they don’t have the desire, money or expertise to do the programming required to make systems communicate. In this sense, closed, proprietary systems continue to take a toll on what can and can’t be done.
So yes, it is simplistic to blame the slow growth of interoperability and structural unification on the word we use to describe them. Yes, other factors are at play. Yes, if you use the word carefully and specifically in your program, you and your colleagues can share a clear understanding of its meaning. But how we speak impacts how we think as well as how we’re viewed by others. If “convergence” lacks meaning, both within our industry and in the eyes of the businesspeople you need to influence, maybe it’s time to leave it behind.
Watch Your Language
Instead of using convergence, consider these other terms:
For the combining or collaboration of functional roles and management structure:
Unified Risk Oversight™
Unified model of management
For the ability of physical access control systems (and others) to collaborate with the rest of the IT security apparatus:
While these terms may also need defining now and again, they are clearer than “convergence” and they shift the focus from change and cost to risk and opportunity.