The Holistic Security Momentum Theory: Why Resistance Is Futile

2. Vendor convergence. Not so long ago, infosec vendors protected networks, and physical security vendors protected bricks and mortar, and the twain never met. Now a growing roster of holistic security companies operate in both spaces, as well as in other risk-related areas. Brink’s, the armored car company, now offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is mixing with smart-card vendors like HID in the Open Security Exchange consortium, developing a network-and-building-access standard called Physbits. Kroll, historically a physical security services provider, owns Ontrack Data Recovery.

Bill Hancock, CSO and vice president of global security solutions at Savvis, points out that this is a very rudimentary form of holistic security; having one foot in each of two ponds doesn’t mean you know how to swim. Nevertheless, he expects vendors to continue to merge and meld these distinct product lines into more tightly integrated offerings. And aside from these well-known companies with roots in one discipline or the other, a growing fleet of smaller vendors now present all kinds of interesting examples of cross-functional services. Green-Tech Assets is an interesting illustration, offering a computer-disposal service that blends physical, digital, legal and insurance safeguards against potential liabilities created by inadvertently dumping hard drives and other technology assets containing sensitive financial or customer records.

3. Community convergence. Security is an association-driven world, and for years the associations gave little acknowledgement of each other’s existence. That changed in a big way in 2004 and 2005, notably with a statement of solidarity from CISSP promulgator (ISC)2 (in the infosec corner), CPP certifier ASIS International (from the corporate security side) and IS audit association ISACA. Observers such as Williams (who is active in ASIS) anticipate ever more concrete cooperation between these communities over the near term.

4. Threat convergence. Hancock, among other experts, has been sounding the klaxons about the idea of blended threats (combined physical and logical attacks) for some years. The most likely scenario is a physical attack (such as 9/11) with its effect multiplied by concurrent denial-of-service digital attacks aimed at telecommunications or other infrastructure. This scenario becomes more likely as digital controls become more and more prevalent for physical systems. Hancock tells of a company that extolled its foresight in implementing a door-lock system at headquarters requiring verification of digital certificates to allow employees to enter. Hired as a consultant, Hancock used his laptop to launch a “mini-DDoS” attack against the server that handled the verification. Throughout the building the door locks stopped working.

5. Educational convergence. This trend is just picking up steam, but universities such as Carnegie Mellon and Northeastern have launched programs aimed at equipping students with a holistic security portfolio of knowledge and skills in both corporate and information security.