Everyone agrees—at least in theory—on the goal: IT security and physical/operational security should work together toward the collective objective of reducing risk to the organization. Agreeing on where you want to end up, however, doesn’t always make it easier to get there, as security professionals traveling the rocky road to convergence can attest.
To appreciate the progress made, it helps to put where we are today in perspective. The state of convergence of physical and information security “might be likened to the early days of flight,” wrote ASIS International Treasurer Raymond T. O’Hara, CPP, and Adel Melek, partner and global leader for Deloitte & Touche, LLP, Canada’s Security and Privacy Services, in the 2007 Alliance for Enterprise Security Risk Management (AESRM) and Deloitte white paper, The Convergence of Physical and Information Security in the Context of Enterprise Risk Management.
Today, some companies have progressed past “ambitious attempts at convergence by daredevil visionaries,” as Melek and O’Hara called them, into an enterprise risk management (ERM) strategy that is not the forced result of economic contraction but the outgrowth of expanded education and the recognition of mutual benefit.
Three of convergence’s early visionaries currently sit on the ASIS Board: Timothy L. Williams, CPP, who is director of global security for Caterpillar of Peoria, Illinois; O’Hara, who is senior vice president, consulting and investigations, for Andrews International of Palm Desert, California; and Dave N. Tyson, CPP, senior director of information security operations for eBay, Inc., of San Jose, California. Williams is currently chairman of the board.
Security Management asked each of these men for their thoughts on the evolution of convergence and for their advice to practitioners on both sides of the divide.
Williams, who helped to popularize the use of the term convergence as it applies to combining IT and operational security, has been advocating the process for years.
“What we see in corporations…is that there are many different company verticals that don’t talk to each other,” he says. This might occur because each unit reports to a different division head. It also might occur because of internal duplication of function, such as having separate groups in charge of IT security, operational security, facilities security, regulatory compliance, investigations, business continuity, and hazard or insurable risk management.
Whatever the reason, the lack of communication among these various units can lead to a lack of security cohesion, which means that risks go unaddressed. “These internal risks can become profound in a company that isn’t keeping an eye on them,” Williams states.
For example, at one corporation, operational security investigated an attack on a company server that had delayed the annual audit, but that group did not discuss its findings with IT. “They didn’t exchange information properly, and the result was a continuing risk exposure. If there had been better coordination and communication, the weaknesses could have been resolved faster and more effectively,” he says.