Convergence talk dominates at ASIS European Conference

Security convergence was a major theme at this week’s 11th Annual ASIS European Security Conference, which took place at the Hilton London Metropole Hotel on Monday and Tuesday.

On the first day of conference the parallel sessions track witnessed a lively panel discussion on the convergence of business support functions.

Moderated by UBM Live London’s media solutions manager Brian Sims, the two speakers – security consultant Alessandro Lega and Filippo Abramo (president of the European Association of People Management) addressed several key questions:

• in terms of today’s businesses, how can we build a functional team within an organisation?
• what’s the notion behind a common manifesto designed to foster an environment of collaboration rather than competition in support of the host business?
• how might traditionally separate and different business functions learn to co-operate with each other in contributing towards the removal of so-called ‘silos’ of management?

Borrowing from Einstein’s theory

Alessandro Lega CPP is the current chairman of ASIS International’s European Security Convergence Sub-Committee. He began his career back in 1966 as an IT specialist with IBM, rising through the ranks to become head of company security with the organisation in his homeland of Italy.

Lega’s excellent presentation at conference immediately engaged the fulsome audience with reference to Einstein’s theory of relativity, in this case with the E representing Efficiency, M relating to Management and the C – not surprisingly – standing for Convergence.

However, Lega has developed his own version of Einstein’s epic formula all based on E = M (CCC). In this scenario, E is Efficiency, M is Management and the three Cs stand for Convergence, Communication and Co-operation.

“You’re moving from the scientific E = mc2 to E = mc3,” asserted Lega, “and how we get there as far as convergence is concerned relates to harnessing the right capabilities.”

The concept of security convergence from the ASIS International perspective focuses on the removal of any silos in which, very often, the different security management segments are kept separate. “This doesn’t mean there is any need to destroy existing specialisms,” stated Lega, “but there are evident needs to remove barriers between dominions.”

Lega has observed “progress” in Europe as far as security convergence is concerned. Apparently, in terms of vertical sectors its aerospace, defence, telecoms and IT organisations who are currently “leading the movement”. He added: “Some security functions are ahead of the curve while others are following. It’s fair to say that top management has to be the main driver behind it all.”

ASIS-ISAF survey from 2011 referenced

The acting assistant regional vice-president for ASIS Region 27A and the CPP representative for Chapter 211 in Italy referenced the recent ASIS-ISAF survey on convergence and, in particular, the influence that company size can have on the movement (the suggestion being that it’s easier to converge in smaller companies).

“The most important positive effect of convergence,” asserted Lega, “is the harmonisation of different priorities. Different corporate functions need to sit together as a team and discuss the key issues involved. The Steering Committee approach does pay off.”

Additionally, Lega referenced the “Round Table of King Arthur” concept which will help “create a mutual benefit” and “guarantee regular exchange” while at the same time “enhance a better mutual understanding”.

Lega’s conclusions were also fascinating. “In convergence terms the battlefield is well identified,” he urged. “It’s the whole company. The actors are even better casted: we’re talking about all the functional leaders here. The ‘art director’ is already in charge – it’s the CEO supported by the Board. The effect to be generated is a progressive co-operation between the different functions.”

Managing the business in volatile times

For his part, Filippo Abramo – who holds Masters degrees in both business administration and economics and was last year elected president of AIDP, the Italian Association for People Management – examined how companies might be successfully managed in what are volatile times.

How are organisational structures beginning to change, and what are the consequences of that change for prime service functions?

“We have to work towards cancelling the silos of management,” suggested Abramo. “It is the Human Resources Department’s job to motivate and engage the workforce. There’s a compelling argument for convergence with legal teams, accountants and HR, for example, all working together.”

Abramo waxed lyrical on the need for culture changes within organisations if convergence is to be realised. Like Lega, he spoke of “openness, co-operation and teamwork” and, interestingly, went on to talk about the role of associations in this changing world.

“They [the associations] need to help spread the new management cultures that are developing around convergence,” explained Abramo. “They can help professionals across many business functions enhance their competitiveness and better share Best Practice ideas and techniques.”

State of security convergence in Europe

The Information Security Awareness Forum (ISAF) in general, the chairman of the ISAF (Dr David King) and the chairman of ASIS’ European Security Convergence Sub-Committee recently agreed to conduct a survey of their members to examine the landscape of security convergence in Europe.

Co-author James Willison, vice-chairman of ASIS’ European Convergence Committee and founder of Unified Security, explained: “The analysis from 216 companies of what is converging showed that 60% are working together on security projects across the enterprise. In fact, 39% are working either in the same department or report to a shared executive director, with a further 21% collaborating on a variety of security issues.”

Speaking about the survey results, Willison – who attended both convergence sessions at conference and is speaking on convergence at IFSEC International 2012 – stated: “Companies are increasingly seeing the need to develop their thinking on security strategies. As awareness of cyber threats increases, it’s perhaps the case that there’s a correlating concern for looking at security more holistically. Common reporting, advances in technology and increasing reliance on networked systems will inevitably develop converged relations.”

Sarb Sembhi – the co-author of the survey report, chairman of ISACA’s GRA Sub-Committee and director of consultancy services at Incoming Thought (who hosted the survey) – added: “One of the underlying objectives for this survey was to understand why any organisation today is considering a converged security response. 57% indicated that the blended threat was the key driver. Our understanding as to why responding to blended threats had a much higher response could have been largely due to the increase in blended threats in the press, and that many organisations may have personal experience of dealing with them. Further, to deal with them effectively they worked closely with their colleagues in other security functions.”

Dr David King commented: “Convergence has been a topic of significant interest and relevance in recent years in traditional security and information security arenas alike. The prevalence of the ‘blended’ threat and the coming together of physical and information security techniques has contributed to the growing sense of a need for converged responses.”

He continued: “Indeed, organisations have been embracing convergence of their security capabilities to varying degrees. However, it has been very hard to put a figure to the extent of adoption.”

Strategy to promote converged security approaches

ASIS Europe has pioneered a strategy to promote converged security approaches across Europe. Indeed, Alessandro Lega saw the value of a survey which would seek to answer this question.

His initial thoughts were that, as this was the first real survey on security convergence run in Europe, there was the risk of impact from a potential starvation due to the complexity of the subject.

“It was unpredictable as to whether corporations would have been willing to share information with us.”

Three specialists in the field of security convergence were asked to analyse the data and write a report. Professor Paul Dorey, director with Security Faculty and IISP chairman Emeritus, stated: “We have had a long-standing interest in the effective integration and convergence of different security functions and skills sets. This comes both from actual experience of running a converged security team covering IT and physical security and working with teams in other companies who have done just that, too.”

He explained: “We have had the experiences first hand. We were interested in getting some more recent data on what companies were really doing. We were particularly interested in testing conversations we have been having with both corporate and IT security professionals who say that they are brought to work together by the actions of our attackers.”

Following the response to the survey and the results gathered, Dr King outlined: “This report is particularly welcome as a useful addition to our understanding of convergence overall. It provides a foundation to underpin the work of those in the industry who’ve been pioneering convergence as a key strategic theme for their own organisations.”

Alessandro Lega concluded: “The survey was very well received. Respondents gave their valid contribution to draw a picture of where we stand right now with security convergence in Europe.”

The full report is available to read here

About the Information Security Awareness Forum

• A number of professional bodies and organisations involved in information security joined forces to form the Information Security Awareness Forum (ISAF) www.theisaf.org.
• The aim is to co-ordinate and build on existing work and initiatives, to improve their overall effectiveness and, ultimately, to increase the level of security awareness in the UK that will help protect us all.
• The ISAF is a group whose aim is “to deliver rather than to merely talk about awareness”.
• The Forum was launched in February 2008, and member representatives meet on a monthly basis to progress its agenda and actions.
• Founding members of the ISAF include the ISSA, the BCS, CMA, the Cybersecurity Knowledge Transfer Network, eema, EURIM, GetSafeOnline, ASIS International (UK Chapter), IAAC, the Information Technologists’ Company, InfoSecurity Europe, the Institute for the Management of Information Systems (IMIS), the Institution of Engineering and Technology, the Digital Security Working Party of the International Underwriting Association of London (IUA), ISACA, (ISC) 2, ISF, the Institute of Information Security Professionals (IISP), the Jericho Forum, the National Computing Centre, the National e-Crime Prevention Centre (NeCPC), the Police Central e-Crime Unit, the SANS Institute, the Charities Security Forum and the Security Awareness Special Interest Group.