The Myth of Convergence
George Campbell challenges a narrow, IT-centric view of security and risk management
By George Campbell
February 03, 2010 — CSO —
I love the headline in the January 13th Network World article Debate rages over converging physical and IT security! Not one CSO or CIO was invited to the debate, and I was enthralled with the notion that converged security fits in such a tiny IT package.
I also worry about how incredibly narrow and clueless the "debate" is when I read quotes like "unlike past tussles between say, voice and data communications teams, the contest between IT security and [physical security] tends to involve people who might never have had any reason to cross each other's paths." Or, "it typically takes a C-level executive to force these organizations to work together." And then, "the fact is there are different entities in a corporation for physical and logical security& We see turf wars happening." As a former CSO of a global company I had logical and physical security in my portfolio and shared the latter watch with my CIO counterpart. Most global corporate security models today recognize the inextricable interdependency between these functions and work for C-level executives who expect all governance entities to work seamlessly together - regardless of organizational alignment- to protect the enterprise.
"Convergence" must by now qualify for the past decade award for the most overused word in the security vocabulary. How is it that we invent a word that convinces professionals that something old and established is new and unique? Pick any security magazine and try and count the number of times "convergence" comes up. It reminds me of walking through ASIS and ISC exhibit halls for 20+ years and seeing everyone claiming to be the "integrated" solution. It took us years to get to open architecture and now an evolutionary corporate data communication scheme is revolutionary?
Convergence of bits of techie stuff is NOT converged corporate security!
It may be a fiction created by IT propeller-heads who formerly wouldn't talk to a "knuckle dragger". It is a marketing term invented by hardware vendors who suddenly discovered their devices could ride on the corporate network instead of dedicated lines. Or is it merely an evolutionary development that takes advantage of the explosive diffusion of corporate IT networks? Or maybe the normal ebb and flow of organizational alignment of security functions based on economic opportunity or management whim?
Or my choice: convergence is the obvious crap on the C-suite office floor that stinks up the debate on an appropriate mix of services for the corporate security function.