On the road to security convergence
Security convergence—that utopian state where two historically distinct security functions, physical and information, come together to work in united peace and harmony to protect people, property, and information.
Security convergence—that utopian state where two historically distinct security functions, physical and information (and maybe three if you throw in business continuity), come together to work in united peace and harmony to protect people, property, and information. Chances are you’ve been hearing the term convergence for years or even decades.
This constant buzzing around the industry is reminiscent of a long summer drive with a car full of kids droning the same question: “Are we there yet?” Convergence. When are we going to get there? And what on-ramps, roadblocks, and fast-lanes can security professionals expect along the way?
Merge signs ahead?
Operational technology (OT) and information technology (IT) were historically developed in siloed environments. The physical environment was typically the domain of OT while IT professionals concerned themselves with the interconnected world of data storage and transfers in cyberspace. That’s not to say the two didn’t share common security concerns and strategies.
We can point to three distinct phases in the evolution of convergence:
1. Stand-Alone Architecture: For facility access, stand-alone servers were often used to control security cameras, video recorders, intrusion detection devices, and access point. These air-gapped, closed, legacy systems controlling building operations, whose only connection to the outside world was a power cord, still required a password to lock down the only point of access into the system.
2. Enterprise Architecture: Providing a single, unified database, system redundancy, as well as centralized, regional, or local autonomous control satisfied the increased demand from users, however, it also provided more avenues of vulnerabilities to outside bad actors.
3. Cloud Architecture: Moving from LAN/WAN connectivity to using third party data center cloud hosts improved communications and efficiencies, but also proved to be more prone to cyber-attacks.
Throughout this progression, IT security protocols were evolving to accommodate the explosion in data transmission and consumption. By some estimates, the total amount of data stored in the cloud will reach 100 zettabytes by 2025, or 50 percent of the world’s estimated data at that time. (A zettabyte is approximately one trillion gigabytes.) Total global data storage on everything from public and private IT systems to personal computers and smartphones is expected to reach over 200 zettabytes by the same time.
According to a study published by ASIS International, “The State of Security Convergence in the United States, Europe, and India,” for the past two decades, companies have been exploring, and some implementing, a holistic approach to security by blending physical, cyber, and business continuity together. Yet after years of the predicted inevitability of security convergence, the survey reported just 24 percent of respondents had combined physical and cybersecurity functions. When business continuity was thrown into the mix, that number climbs to 52 percent who had converged two or all three of the functions. For the remaining 48 percent who had not converged operations, 70 percent reported they have no current plans to do so.
Signs pointing to eventual convergence, however, continue year after year. Three main reasons continue to spark the interest of security professionals and business executives alike:
1. Physical security devices (cameras, smart cards, sensors, etc.) are increasingly IP-enabled making the coming together of IT and physical systems a natural next step.
2. Responding to incidents and mitigating risks are functions of both physical and cybersecurity operations. The logical evolution is to join forces to manage threats with a united, coordinated response.
3. Money. For many C-suite executives watching costs and efficiencies, the overlap of security functions could signal duplication and waste.
Roadblocks to security convergence?
According to the ASIS survey, the biggest obstacle slowing organizations to adapt to combined systems revolve around people issues. Physical security departments are often set in a history of siloed traditions and functions. Personnel are often hesitant to give up or share control of what they consider to be core competencies including people management, intelligence, and investigations. IT professionals can be equally rooted in their own routines built around the latest technology, system innovations, and cyberthreats. Loss of authority, status, control, or staff are equally feared by both groups.
On the flip side to apprehension about this possible loss of control is the hesitancy there may be to take financial responsibility. When systems begin to merge there can be disagreements about which budget is hit.
The size of the organization also seems to be a factor. Larger companies are slower to adapt, taking more time to study the impact of convergence to make sure it aligns with business goals and culture. Smaller organizations with lean staffs and more modest cybersecurity and physical security requirements are quicker to combine responsibilities.
Finally, complacency can be a major impediment to security convergence. Organizations are often content with the status quo until an incident occurs or a mandate for change is declared by senior leadership. According to the ASIS study, 44 percent of firms surveyed have no form of convergence while many more are only partially converged. The report indicates that, for whatever reason, a disconnect between a good idea and a corporate imperative persists in many organizations.
Revving up convergence
The need to expand to meet the needs of customers ushered in the era of Enterprise-class systems providing a single unified database, system redundancy as well as centralized, regional, or even local autonomous control. Local Area Networks (LAN) and Wide Area Networks (WAN) connecting LANs over a large geographic area across the country and around the globe provide even more avenues to infiltrate the once non-existent physical security network. To account for this logical and physical growth, a number of cybersecurity measures have been added to the mix: Virtual Private Networks (VPNs), multi-factor authentication, and file encryption to shield data speeding back and forth across the world. Firewalls are the first lines of defense to protect environments from external threats.
Manufacturers, integrators, and building management companies alike are realizing the potential of convergence. They are combining HVAC, lighting, and other smart building controls into the same bucket. Grouping these together with the rapid growth of both physical security and cybersecurity brings to light the age-old question. Capital expenditures can be offset with a move to the cloud, which can lessen the infrastructure and personnel required to manage and maintain these systems. Owning the evidence versus owning the system can make a lot of sense to those who have the freedom to trust security to a third party.
Additionally, there is greater need to securely house all this new data. Today, data is being centrally gathered from much more than just the security world. This cyber escalation was not the first to require a physical security reciprocation, but it may be the most substantial. Facilities are now following the principles of Crime Prevention Through Environmental Design (CPTED). Properties are designed with increasingly sophisticated and connected perimeter fences, barbed-wire, bollards, all types of exterior detection devices, as well as a variety of interior layered security features.
Bottom line, the physical security realm seems to be catching up with the rest of the digital world. Now the same people wondering why anyone would ever want a computer in their home now want to wear one on their wrist. The internet of things (IoT) and all the wonderful edge devices in demand are adding to the ever-growing web of data access points needed for data. End user devices are now delivered with security measures such as bit locker and two-factor authentication tools including biometrics, and features to additionally authenticate when accessing files and other directories within a company.
And then – BOOM! – COVID-19 hits and the world shut down with a global pandemic. The need for even safer, healthier, and more secure buildings explodes. Physical security again is forced to grow to meet a new demand for screening technologies, density control, no touch access, environmental monitoring, and more.
Convergence: Are we there yet?
The short answer is no. Although we have hit quite a few forks in the road, nobody is threatening to turn this car around just yet. Security convergence continues to be on the horizon for some very important reasons:
- The increasing ability of all systems to be controlled via 1’s and 0’s verses voltage variations push them all firmly onto a combined network
- Networks are extending geographically to satisfy the global economy
- Increased demand to open portals into networks virtually anywhere via the IoTs and an endless array of edge devices
Convergence seems to offer many more benefits than drawbacks, a fact that will continue to grow increasingly clearer to key stakeholders and decision makers. And as noted throughout this article, advances in technology continue to permeate physical security spaces. It is all but inevitable IT and OT security functions will eventually merge to develop proactive solutions to potential problems and strengthen systems from the inside out rather than being reactive.