November 2, 2006

By Dave Tyson (dave.tyson@vancouver.ca)

Now that convergence has stepped from the shadows of obscurity and begun its growth into a legitimate topic of study, it may be time to start looking at the fine edge of the wedge to see what we really mean by it.

At every major security conference in North America these days, people discuss “Security Convergence”: what it means, its value and its applicability. I think it bears defining further what we mean by Convergence versus some other phrases like Holistic Security and Enterprise Risk Management.

Let’s face it, convergence happened! It happened under the covers while no one was looking. Physical security systems moved from standalone systems to systems converted to IP, and finally to IP-enabled network systems. This conversion has taken place over roughly the past 7-8 years, and it happened quite quietly.

Next, the threats converged! Passwords moved from being useful mechanisms for operating the tools of your workplace to the “keys to the kingdom” of personal information and business records. When social engineers set to bombarding helpdesks trying to get user IDs and passwords instead of dumpster diving or shoulder surfing, the risks converged: physical security risks for IT systems! The risks escalated dramatically when criminals and individuals realized how much value was contained in a database of customer information.

These things happened without much prodding; businesses don’t need wholesale re-organizations to take advantage of them or to be susceptible to them, and they essentially transitioned to these places on their own. This is the external environment acting on you and your organization.

Now, let’s look at Holistic Security, which brings to mind the view that one is looking at how to defend against security threats on a grander scale. This is where security practitioners are asking questions like who owns the security for the wiring closets, and who owns the long-distance fraud the company experiences. It is the understanding that the loss of a laptop or USB storage device potentially delivers a larger loss to the organization than the cost of the hardware; it could mean the end of the organization itself, depending on the content stored on the device. To me this feels like the operational aspect of protecting the organization: “how” do we do this better? It is security practitioners responding outwardly to the threats they face.

Enterprise Risk Management, which is getting much more airtime from many groups, seems to be the higher-level concept of strategically approaching the “what” question of assessing and managing security and other threats to the organization. I believe convergence is the vehicle that is enabling Enterprise Risk Management; the subject matter expertise that identifies risk in a new way, the converged risks and threats, is the engine of managing risks across the enterprise. With this new information, or more correctly, with access to the whole picture, risk-facing departments can identify strategies to effectively mitigate more risks and ensure management understands all of the risks they are accepting on behalf of the enterprise.

People talk of convergence as just cooperation between previously siloed departments: defining opportunities for mutually beneficial tactics. I think this is a short-term view, given the likely evolution of senior managers’ education on security. The security function operates many duplicate systems and infrastructures. We usually have duplicate identity management systems in the enterprise, with badging systems for doors and directory structures for computer systems both trying to authenticate and authorize users. People need a PIN code for their alarm system and a password for their computer, and we hire separate people to do risk assessments for facilities and for enterprise computing systems. Much of this situation can be attributed to the limited number of people with the education and expertise, and with a full understanding, of all of the security issues. I believe that this situation will not last forever, because when the accountants and money managers find out about this duplication, waste and opportunity for economy, security will be just another business function to be rationalized.

Although there are many models you can choose from to engage convergence, don’t let the terminology get in the way; the aim is for security professionals to begin the process of addressing these converged risks in new ways.

You can either lead or follow!

By Independent.Author • Articles, Future Forecast
