I was delighted and greatly honoured to receive the 2011 Imbert Prize for the convergence work I have been leading on behalf of ASIS UK, and which is now developing across Europe.
Essentially, convergence recognises the importance and need for all areas of physical, information and IT security to work closely together to protect the nation, our people and the business.
It’s crucial that the business understands that each area of security is as important as the others, since cutting any one of them out weakens the overall defence.
One of the problems to date is that each area thinks it’s the most important and usually only works with the other in the investigation of an incident.
It’s fair to say that the ‘security convergence movement’ is partly a response to our increasing dependence on technology and the Internet, but in actual fact it’s somewhat more concerned with the management of all security risks.
There is much more to this than the technology issue. People and processes are, of course, just as important. This is true for both physical and information/IT security professionals.
The military, for example, has been reliant on a complex array of systems for many years now, and the Internet itself was largely developed to enhance military capability. Hence the obvious need for the experts who know how to secure this environment to work very closely with those in the field.
The implications for the business, it seems to me, are not difficult to work out. Those who wish to attack our businesses will do so by finding the weakest link. This could be the CCTV system which, if connected to the company’s IT Infrastructure and not patched, could be exploited by a hacker.
The key benefit of a unified security strategy is that security leaders can look at these issues together rather than assume the other area is dealing with it.
Diploma in Security Management
I first started to examine the benefits of converged security management in 2002 while studying for the Diploma in Security Management at Loughborough University and working at BP. I was very fortunate to be able to interview senior security leaders from physical and information security arenas in a variety of large organisations and seek to understand and help develop their thinking on this area.
Of course, each company has its own policy and procedures. It was apparent to me that probably 15% of large global organisations had tried or were operating a converged security strategy.
I then worked on a Masters dissertation with Loughborough University and BP to look at this in greater detail, and interview leaders from more than ten global organisations.
At the same time, ASIS International formed an alliance with ISACA and ISSA called the Alliance for Enterprise Security Risk Management. The aim was to bring the physical and information security communities closer together in recognition that the threats are converging and, therefore, so must we.
My Masters research duly confirmed my earlier findings and outlined some of the many benefits of convergence.
In addition, the growth of the role of the converged chief security officer (CSO) has led some organisations to expect a CSO to lead all areas of security whether he or she wants to or not! This requires a considerable level of expertise, or at the very least strong and clear support from those in areas wherein the CSO is not an expert.
United security function: joint leadership
The case for a joint leadership of a united security function is attractive, but it also requires a high level of mutual respect and understanding. However, the alternative of a ‘siloed’ approach is now so dangerous that it’s probably only a matter of time before companies are affected by what the US military is calling ‘a destructive cyber attack’. This is when a piece of malware is launched on a system that controls physical systems.
While most of us are familiar with the recent Stuxnet incident, I think we are less prepared for such an attack on our own companies/facilities. Many of us operate systems that are just as vulnerable to this kind of attack and, because we rarely spend much time with IT security professionals, we’re just not prepared.
ASIS UK was aware of the Alliance’s work in the USA and, at the beginning of 2008, invited me to join the committee to develop our relations with information security associations here in the UK.
I made contact with ISSA and ISACA and started to attend their meetings. In February 2008, we were invited to join the Information Security Awareness Forum (ISAF). This was formed to develop a more joined-up response to security awareness.
There were 22 other security organisations represented including ISSA, BCS, EURIM, ISACA, the Jericho Forum, IISP, the SASIG, Get Safe Online, the IET, the National e-crime Prevention Centre and many more. Recently, we were very pleased to welcome The Security Institute into the fold.
Over the last three years, the ISAF has met regularly to look at a wide variety of security issues and develop a consistent, co-ordinated response. In many ways it has been a fantastic example of how security leaders can work together on the best solutions to complex problems (or, as I like to call it, convergence in practice!).
In 2009, several members of the ISAF – including Martin Smith (chairman and founder of The Security Company and the Security Awareness Special Interest Group), Dr David King (chairman), Sarb Sembhi (ISACA) and myself – led a two-hour panel discussion on convergence at the ASIS European Security Conference in Montreux. This was a great and very productive discussion focused around the key issues.
We agreed that the best way to raise awareness of the importance and benefits of convergence was to develop an ISAF convergence project. I was invited to lead this project with Martin and David’s clear support.
Great champion of convergence
As some of you will know, Martin has been a champion of security awareness, ‘the human factor’ and convergence for many years, and it’s a privilege to work with him on the convergence area.
Martin and the SASIG very kindly hosted a Convergence Workshop with CSC and the ISAF in September of that year. More than 100 people attended from a wide cross-section of the security industry. We subsequently agreed that a group of us would work on a convergence document aimed at highlighting the issues of converged threats and how we could respond effectively to them.
Incredibly, 25 leading figures – each highly respected in their field, and including Mike Bluestone, chairman of The Security Institute – agreed to join the Working Group. We met at PwC’s offices, discussed what should be included and agreed an approach.
After several meetings we began to formulate the content as each organisation submitted text and the paper began to evolve. Many of us crystallised the very best of our ideas and this, I think, ensured a paper of high quality.
It was particularly significant that so many different people could agree the content and a great example of how convergence can actually work. I include one passage of text here to give you an idea…
“There is immense value in having a single point of ownership for all aspects of your organisation’s security. This senior leader can take responsibility for managing risk to both tangible and intangible assets. A dotted line to the audit and risk committees is vital, and a direct reporting line to the chief operating officer can ensure that the issues raised are understood and addressed at the highest level.
“It’s important to ensure that the Board and the business have a complete picture of the security risks the organisation really faces, and plans in place to deal with them.
“The chief operating officer would only need to meet with one person to consider all security risks. This could lead to up to 50% fewer meetings with the Security Department and a confidence that all areas of security are now more effectively managed.
“A common line of reporting could be established that would enable experts from each security area to examine vulnerabilities together and ensure all incidents receive the necessary attention they deserve. As a consequence, one report would be produced. This would help prioritise the most important risks and give a single view of key threats and vulnerabilities”.
That paper is entitled: ‘Convergence of Security Risks: Addressing the Security Dilemma in Today’s Age of Blended Threats.’
“The paper will act as a foundation stone for members and other IT security professionals to build the innovative security defences needed in the modern connected business world,” said David King. “The major security problem that all businesses are now encountering centres on the blended threats that cyber criminality and hacker attacks now pose.”
Martin Smith comments: “Despite the long-recognised and yearned-for need for greater convergence, the security industry remains fragmented into its various specialisations. As the criminal becomes more organised and determined, then our industry must respond with improved efficiency of, and greater co-operation between, all those involved in defending our corporate assets. I’m delighted that the Security Awareness Special Interest Group has been able to contribute to this crucial debate.”
Professor Paul Dorey – chairman emeritus of the Institute of Information Security Professionals – has this to say: “Our opponents have no departmental barriers or concerns over responsibilities. We recognise that only by working closely with our security and risk colleagues will the protection of our businesses be equally joined-up.”
Details of the acronym and what it stands for may be found in the paper, which can be downloaded by following the link (www.theisaf.org) at the foot of this page.
Overriding requirement for additional detail
The paper explains that each organisation would need to develop this in its own way and some would gain from a group-led response.
It was recognised that, while the paper has much value in terms of outlining the principles of respect and alignment, there was a need for more detail. Later that year, I was given the opportunity to ask those who had contributed to the paper whether they would like to work on a convergence section of an ANSI/ASIS standard which looked at physical asset protection. The purpose of the convergence section is to show that the most effective way to manage the people and systems that protect your physical assets is in a converged way.
Put simply, if your teams are not working together on new access control/card systems/CCTV projects, for example, or conducting converged risk assessments then you will be exploited by an attacker whether you are aware of it or not.
About 16 of us agreed to develop the converged risk paper further with more detail and implementation guidance. This is currently with an ASIS Working Group in the USA/UK, and it’s hoped that this will help convergence become recognised Best Practice for security management.
Since April 2008, Sarb Sembhi (past-president of ISACA’s London Chapter) and I have spoken at many national and international security conferences on the subject of security convergence. We have discussed the issues with the delegates and found that while some thought they were converged to some extent, few were realising the real benefits that could be achieved.
In July last year, we started work on the development of a Converged Security Management Maturity Model which we hope will be freely available next year once we have trialled it with organisations interested in benchmarking their converged strategy.
We are currently developing the model such that it can be used as an open source tool to assist companies in the assessment of their converged security management practices.
To this end, we’re looking to work with leading security providers on the project and believe that this approach will actually help organisations identify how to converge and the benefits they can gain from the process. Please do contact us if you would like to be involved in this work by sending an e-mail to: admin@incomingthought.com
ASIS European Advisory Council: promoting convergence
In June last year, the ASIS European Advisory Council (EAC) appointed Alessandro Lega as its European convergence representative to look at ways of promoting the benefits of convergence across Europe.
Alessandro contacted me and we agreed to work together on this project. We put together a proposal and discussed this with members of the ISAF and some of our European counterparts.
In November, we met several representatives from ISSA and ISACA and agreed that there were many ways we could work together on this. Increasingly there are panel discussions at conferences, articles and workshops on this subject.
Alessandro and I also contacted Dave Tyson, ASIS’ US lead on convergence, and we began work on developing contacts across Europe and the US. The EAC agreed that a convergence committee should be formed with Alessandro as chair that included member representatives from each European region.
We are delighted to advise that we now have 11 members who include CSOs, CISOs and other key leaders. All share the conviction that only by creating a dynamic fusion of ideas in a unified approach to security will we effectively protect our people, information and property.
The Netherlands, France, Germany, Switzerland, Italy, Croatia and the UK are all represented. We meet on a bi-monthly basis and are currently working on a number of European initiatives (including a European survey, a one-page document and discussions with other business functions around convergence).
The European convergence movement, like the ISAF, realises that organisations are increasingly vulnerable to blended threats and emphasises the value of being able to prioritise risks and respond effectively to cyber attacks.
Benefits of holistic approaches to security management
There are many benefits to a holistic approach to security management. These range from significant cost savings when a company uses its own IT resources and infrastructure rather than outsourcing it to third party providers through to faster response times achieved through effective communications in a crisis.
Converged security management also benefits companies when they engage in new security projects. Increasingly, organisations are installing IP-enabled CCTV and access control systems. This dependence on the IT infrastructure brings the advantages of speed and immediate access, but also introduces vulnerabilities which are not always identified by physical security managers.
Hence it’s vital for each area of security to work closely on such projects and maintain that relationship throughout the system’s lifecycle. Secure systems development is only achievable through a converged approach to security management.
Since 2007, the Information Security Awareness Forum has brought together information security and physical security organisations in the UK to consider ways to help companies and individuals recognise increasingly converged threats. In this way it has been an excellent example of how people from across the security industry can work together in responding to these risks.
The new ASIS Security Convergence Sub-Committee includes leaders from across Europe who are developing similar ways to engage with their security colleagues and other business functions to ensure that our people, information and assets are effectively protected.
It’s a tremendous privilege to be involved in this crucial work, and really inspiring to see the growth of what is a dynamic process.
James Willison is convergence lead for ASIS UK and vice-chairman of the ASIS European Security Convergence Sub-Committee
James is principal consultant with Incoming Thought, working with and alongside organisations as a convergence specialist to ensure they benefit from converged strategies