Security convergence

Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises; both are integral parts of a coherent risk management program. Security convergence is motivated by the recognition that corporate assets are increasingly information-based. In the past, physical assets demanded the bulk of protection efforts, whereas information assets are demanding increasing attention. Although generally used in relation to cyber-physical convergence, security convergence can also refer to the convergence of security with related risk and resilience disciplines, including business continuity planning and emergency management. Security convergence is often referred to as 'converged security'.

Definitions
According to the United States Cybersecurity and Infrastructure Security Agency, security convergence is the "formal collaboration between previously disjointed security functions." Survey participants in an ASIS Foundation study The State of Security Convergence in the United States, Europe, and India define security convergence as "getting security/risk management functions to work together seamlessly, closing the gaps and vulnerabilities that exist in the space between functions."

In his book Security Convergence: Managing Enterprise Security Risk, Dave Tyson defines security convergence as "the integration of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings."

Background
The concept of security convergence has gained currency within the context of the Fourth Industrial Revolution, which, according to founder and Executive Chairman of the World Economic Forum (WEF) Klaus Schwab, "is characterised by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres." Key results of this fusion include developments in cyber-physical systems (CPS) and the growth of the Internet of Things (ioT), which have seen a proliferation in the number and types of internet connected physical objects. In 2017, Gartner predicted that there would be 20 billion internet-connected things by 2020.

Security convergence was endorsed as early as 2007 by three leading international organizations for security professionals – ASIS International, ISACA and ISSA – which together co-founded the Alliance for Enterprise Security Risk Management to, in part, promote the concept.

Risk convergence
In the context of the Internet of Things, cyber threats more readily translate into physical consequences, and physical security breaches can also extend an organisation's cyber threat surface. According to the United States Cybersecurity and Infrastructure Security Agency, "The adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices has led to an increasingly interconnected mesh of cyber-physical systems (CPS), which expands the attack surface and blurs the once clear functions of cybersecurity and physical security."

According to the WEF Global Risks Report 2020, "Operational technologies are at increased risk because cyberattacks could cause more traditional, kinetic impacts as technology is being extended into the physical world, creating a cyber-physical system". According to the United States Department of Homeland Security, "The consequences of unintentional faults or malicious attacks [on cyber-physical systems] could have severe impact on human lives and the environment."

Notable examples of attacks on internet connected facilities include the 2010 Stuxnet attack on Iran's Natanz nuclear facilities and the December 2015 Ukraine power grid cyberattack.

“Today’s threats are a result of hybrid and blended attacks utilizing Information Technology (IT), physical infrastructure, and Operational Technology (OT) as the enemy avenue of approach," notes former CISA Assistant Director for Infrastructure Security Brian Harrell. "Highlighting this future threat landscape will ensure better situational awareness and a more rapid response.”

Organisational convergence
Traditionally distinct, or 'siloed', approaches to physical security and cyber security are viewed by proponents of security convergence as unable to adequately protect an organisation from attacks involving both cyber and physical (cyber-physical) dimensions. The organisational aspect of security convergence focuses on the extent to which an organisation's internal structure is capable of adequately addressing converged security risks.

According to the Cybersecurity and Infrastructure Security Agency, "physical security and cybersecurity divisions are often still treated as separate entities. When security leaders operate in these siloes, they lack a holistic view of security threats targeting their enterprise. As a result, attacks are more likely to occur". "Many of the conventional physical and information security risks are viewed in isolation," states a PricewaterhouseCoopers document Convergence of Security Risks. "These risks may converge or overlap at specific points during the risk lifecycle, and as such, could become a blind spot to the organisation or individuals responsible for risk management."

In a survey of more than 1,000 senior physical security, cybersecurity, disaster management, and business continuity professionals, the ASIS Foundation study The State of Security Convergence in the United States, Europe, and India found that despite “years of predictions about the inevitability of security convergence, just 24 percent of respondents have converged their physical and cybersecurity functions.” The survey also found that 96 percent of organisations that had converged two or more security functions reported positive results from convergence, with 72 percent reporting that convergence strengthened their overall security. Overall, 78 percent of those surveyed believed that convergence would strengthen their overall security function.

Citing the work of Jay Wright Forrester on systems thinking, Optic Security Group CEO Jason Cherrington argues that a system of systems approach provides a useful lens to understanding how security sub-groups within an organisation contribute to an organisation's overall security goals. "In an ideal SoS world, organisations would see their security as a collection of task-oriented or dedicated systems that pool their resources and capabilities together as part of an overall system offering more functionality and performance than the sum of its parts. Importantly, oversight of the overall system would ensure that any gaps between its component systems are identified and failures avoided."

Solutions convergence (unified security)
The increasing prevalence of hybridised cyber-physical security threats has driven the parallel emergence of a range of converged security solutions that cover both cyber and physical domains. According to Jason Cherrington, "in contemporary security threats we’re seeing a convergence of physical and digital vectors; and that protection against these hybridised threats requires a hybridised approach." According to the United States Cybersecurity and Infrastructure Security Agency: "Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate, and respond to threats. Convergence also encourages information sharing and developing unified security policies across security divisions."