Throughout my years in government, I engaged in many discussions regarding the convergence of information and physical security assets. While the “why-fix-it-if-it-ain’t-broke?” argument advocating the effectiveness of maintaining the separation of logical and physical security still stands strong in some circles, there is no doubt that convergence has become a growing fad.
At (ISC)2, we often poll our members on topics that represent a potential impact on the information security profession. Just prior to our recent (ISC)2 Security Congress, co-located with ASIS International’s 57th Annual Conference & Exhibits, we took the opportunity to poll our members on the integration of traditional and information security and discovered that many hold to the belief that information security and physical security should not be separate but equal and complementary entities.
The survey concludes that organizations need to take a holistic and enterprise-wide approach to security, involving all disciplines and stakeholders, which would indicate that the convergence approach is taking a strong hold.
Let’s take a moment to consider the “convergence approach.”
Convergence advocates would argue that under certain circumstances and in some organizations, convergence should take place between at least some aspects of physical security and information security. Others argue that convergence should take place in all aspects and under all circumstances.
So should convergence be considered an all or nothing approach? Should all aspects of security converge if converging only some aspects makes sense for the organization?
Additionally, there are instances in which government agencies have located information security, physical security, personnel security, security policy, and security operations in the same security organization, only to find that it can serve as a strong enabler for cross-communications between disciplines working toward a common goal.
Is the convergence approach more effective this way? Does convergence impact government and commercial organizations the same?
There is no doubt that collaboration between departments can enhance an organization’s overall security environment. In the end, each organization, considering its management, mission objectives, and other critical factors, needs to decide what makes the most sense in support of its goal to establish and maintain a strong security posture.
Meanwhile, what is the government security industry’s progress on establishing a position on convergence? Government respondents to the (ISC)2 survey indicate that only one-quarter of organizations are actively sharing responsibilities between traditional security and information security departments to improve both areas.
With only 25 percent actively converging, it is safe to say that enterprise security strategy is still very much a work in progress.
W. Hord Tipton is executive director of (ISC)2, the world’s largest non-profit body for certifying information security professionals; he is also the former Chief Information Officer of the U.S. Department of Interior and recipient of the President’s Distinguished Rank Award.