The Myth of Convergence

George Campbell challenges a narrow, IT-centric view of security and risk management

I love the headline in the January 13th Network World article Debate rages over converging physical and IT security! Not one CSO or CIO was invited to the debate, and I was enthralled with the notion that converged security fits in such a tiny IT package.

I also worry about how incredibly narrow and clueless the "debate" is when I read quotes like "unlike past tussles between say, voice and data communications teams, the contest between IT security and [physical security] tends to involve people who might never have had any reason to cross each other's paths." Or, "it typically takes a C-level executive to force these organizations to work together." And then, "the fact is there are different entities in a corporation for physical and logical security ... We see turf wars happening." As a former CSO of a global company I had logical and physical security in my portfolio and shared the latter watch with my CIO counterpart. Most global corporate security models today recognize the inextricable interdependency between these functions and work for C-level executives who expect all governance entities to work seamlessly together, regardless of organizational alignment, to protect the enterprise.


"Convergence" must by now qualify for the past decade award for the most overused word in the security vocabulary. How is it that we invent a word that convinces professionals that something old and established is new and unique? Pick any security magazine and try and count the number of times "convergence" comes up. It reminds me of walking through ASIS and ISC exhibit halls for 20+ years and seeing everyone claiming to be the "integrated" solution. It took us years to get to open architecture and now an evolutionary corporate data communication scheme is revolutionary?

Convergence of bits of techie stuff is NOT converged corporate security!

It may be a fiction created by IT propeller-heads who formerly wouldn't talk to a "knuckle dragger". It is a marketing term invented by hardware vendors who suddenly discovered their devices could ride on the corporate network instead of dedicated lines. Or is it merely an evolutionary development that takes advantage of the explosive diffusion of corporate IT networks? Or maybe the normal ebb and flow of organizational alignment of security functions based on economic opportunity or management whim?

Or my choice: convergence is the obvious crap on the C-suite office floor that stinks up the debate on an appropriate mix of services for the corporate security function.

The technological convergence model is the illegitimate cousin of the far more critical integrated security program. The notion of "integrated security" is a decades long and widely accepted concept of aligning diverse security countermeasures into a focused protection strategy; one which has traditionally looked inward to information assets. The convergence discovery has focused exclusively on the alignment (or misalignment) of physical and selected elements of IT countermeasures. This totally misses core security functions that comprise an integrated protection strategy.

Hyping convergence is like celebrating the discovery that you really can have an entree to the C-suite. If it's evolutionary owing to the presence of network connectivity, do we call it revergence when management decides to parse the pieces of the security puzzle elsewhere? Why not give revergence the same headlines as its cousin con?

Convergence or revergence? I think the appropriate mix or alignment of security elements and programs in any given organization is a function of four realities:

  • economics or expense management
  • the routine shuffling of the organizational deck
  • a logical melding of risk management goals
  • and a thoughtful realization of interdependencies.

A mature corporate security setting does not wait for a C-level executive to force security elements to work together, nor does it tolerate senior managers charged with enterprise protection spending their time plotting a stupid turf war.

If we are so passionate about converging physical and IT security, what happened to the rest of the security family? What are we to do with the investigative functions: background vetting, due diligence, incident investigation and fraud risk management? What about safety, compliance and crisis planning and management? How about the broader and often more critical security awareness programs? While our IT brethren sweat bullets fixing a cyber attack, trashing evidence critical to incident investigation along the way, what are we to do with the cyber investigation function? Oh, put it in IT? That's as smart as having the HR function do background investigations!

Oh thank God! We are converged! OK, where do I get inoculated?

George Campbell is former head of security for a Fortune 500 financial company and current emeritus faculty member of the Security Executive Council. He is the author of Measures and Metrics in Corporate Security: Communicating Business Value.
