The Myth of Convergence
George Campbell challenges a narrow, IT-centric view of security and risk management
By George Campbell
February 03, 2010 — CSO —
I love the headline in the January 13th Network World article "Debate rages over converging physical and IT security"! Not one CSO or CIO was invited to the debate, and I was enthralled with the notion that converged security fits in such a tiny IT package.
I also worry about how incredibly narrow and clueless the "debate" is when I read quotes like "unlike past tussles between say, voice and data communications teams, the contest between IT security and [physical security] tends to involve people who might never have had any reason to cross each other's paths." Or, "it typically takes a C-level executive to force these organizations to work together." And then, "the fact is there are different entities in a corporation for physical and logical security... We see turf wars happening." As a former CSO of a global company I had logical and physical security in my portfolio and shared the latter watch with my CIO counterpart. Most global corporate security models today recognize the inextricable interdependency between these functions and work for C-level executives who expect all governance entities to work seamlessly together, regardless of organizational alignment, to protect the enterprise.
"Convergence" must by now qualify for the past decade award for the most overused word in the security vocabulary. How is it that we invent a word that convinces professionals that something old and established is new and unique? Pick any security magazine and try and count the number of times "convergence" comes up. It reminds me of walking through ASIS and ISC exhibit halls for 20+ years and seeing everyone claiming to be the "integrated" solution. It took us years to get to open architecture and now an evolutionary corporate data communication scheme is revolutionary?
Convergence of bits of techie stuff is NOT converged corporate security!
It may be a fiction created by IT propeller-heads who formerly wouldn't talk to a "knuckle dragger". It is a marketing term invented by hardware vendors who suddenly discovered their devices could ride on the corporate network instead of dedicated lines. Or is it merely an evolutionary development that takes advantage of the explosive diffusion of corporate IT networks? Or maybe the normal ebb and flow of organizational alignment of security functions based on economic opportunity or management whim?
Or my choice: convergence is the obvious crap on the C-suite office floor that stinks up the debate on an appropriate mix of services for the corporate security function.