Physical and IT Security Convergence: The Basics

Call it convergence, call it holistic security management. By any name, it’s the subject of much talk these days. Here’s the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and IT security.

• What do you mean by “convergence”?
• Let’s cut to the chase. How will convergence benefit my organization specifically?
• Give me some more specific scenarios where this is necessary and worth the effort involved (because I suspect that effort will be big).
• What are the roadblocks and potholes we need to plan to avoid on our way to convergence?
• Given that most security personnel are from one background but not the other, how can such a person manage both functions?
• If we don’t choose to combine operational groups, can we still get some of the benefits?
• We’ve seen more and more convergence articles and presentations in the media and at trade shows. Why all the buzz at this point in time?

Updated views about convergence and ERM

• 09/07/2010 Risk’s rewards: How to organize for ERM
• 09/07/2010 ERM: Get started in six steps
• 05/01/2010 Cooperating on ERM/convergence projects
• 03/01/2010 Convergence: The semantics trap
• 06/03/2008 A checklist for converged access ctonrol

What do you mean by “convergence”?

Here’s what it is: Formal cooperation between previously disjointed security functions.

When we say ‘cooperation’, we’re talking about a concerted and results-oriented effort to work together. Timothy Williams, CSO at Nortel Networks, notes that cooperation involves process and accountability, not just a “let’s have lunch once in a while” kind of loosey-goosey connection.

And here’s an important note about what convergence is NOT: Merging the information security group and the corporate or physical security group on your organizational chart.

That’s a definition that focuses on form instead of function, and as such, is the source of much of the pushback on security convergence. Yes, merged org charts are one very legitimate way to ensure cooperation and accountability, but many organizations may find valid reasons to not rejigger their reporting lines, and still achieve the cost efficiencies and security improvements that come through convergence.

It should also be said that there’s more a type of security management that is more holistic than simply information security and physical security. And there are risk management disciplines that benefit from cooperation and coordination. Those are such things as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, insurance, and others. Forging connections with those functions is part of convergence too.

Let’s cut to the chase. How will convergence benefit my organization specifically?

Following are key payoff points, gleaned from interviews with security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo, all of which have recast security in some way or another to foster better synchronization and collaboration.

– A comprehensive security strategy better aligns security goals with corporate goals.

Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold the traditional view of security as just another cost centerfail to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO ( who served as the founding director of security for President Reagan’s strategic defense initiative program in the ’80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders’ mission was made easier because senior executives at the company viewed security as a key enabler for the business. “We’re a network services provider-we’re all about network availability,” says Sanders. “If the network isn’t available due to a logical or physical incident, it’s a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture.”

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3. “It’s critical to have top-down sponsorship,” Sanders says, adding that in his case, the CEO “realized security needed to be integrated into the architecture of the business.” The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. “It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problem-it’s a business concern.”

Sanders defines convergence as the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there’s always some duplication in a stove-piped security organization-in overhead and programs, for example-it’s more cost-effective to manage an integrated one. Not only that-duplication can lead to unproductive turf battles among security groups for resources, he adds.

– The CSO can be a single point of contact.

Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top.

When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn’t have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.

To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

Pontrelli lists numerous benefits, such as the ability to see where the organization is going. “If I didn’t have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization,” Pontrelli says. “Because I have such access and visibility to the C-level leadership, they know what I’m doing. It’s not a mystery. They know my resources, what’s being spent.”

This status helps to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn’t work at a place “that doesn’t have a CSO reporting at the C-level with visibility and accountability at that level.”

At Wells Fargo, CSO Bill Wipprecht likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisions-internal investigations, external investigations, physical security, enterprise services and the uniformed services division-and has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that singularity translates into the way he handles customer service. “Our rule is, if you call anybody in corporate security on any issue, we don’t tell them to call Fred in the other group; we dial the number for them. They don’t know they’re talking to the wrong division-it’s an invisible transfer to the customer,” he says.

Still, it’s the top of the food chain that derives the greatest value. Constellation Energy’s CEO, Mayo A. Shattuck III, describes integrated security management as part of a top-down approach to getting a handle on an organization’s exposure to risk. That’s why his security department is responsible for all kinds of security, and reports into the company’s Chief Risk Officer.

– Information-sharing among disparate security functions increases.

Bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist between people who previously had prime allegiance to their individual security function.

Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He’s CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety at their own sites, but there was little collaboration.. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stove-piped structure. Loving began to coordinate security at the units.

The results were immediate. Last July, the Department of Energy ordered a stand-down (tk??what??)of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.

“In the past, each site would have recieved guidance from the government, then they’d go off and put protections in place,” says Loving. “We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day,” says Loving. (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. “That saved significant costs,” he says.

Bob Pembleton has also been experiencing the benefits of closer collaboration. The 30-year security veteran (he held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. “I couldn’t get a clear picture of a program for the whole enterprise,” he says.

To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groups-information security, physical security, compliance and privacy-which previously reported to different parts of the organization, now reside in Pembleton’s security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.

One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. Pembleton says the move improved efficiency and communication to the company and clients,” he says.

Pembleton is also replacing customized solutions with standardized ones. For example, he’s consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.

– Convergence gives you a more versatile staff.

Although the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, which sometimes allowedtwo separate teams to investigate the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents.

Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.

Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.

– You save the company money.

You’ve probably already picked up on this thread. Pontrelli mentions lower staffing costs. Wipprecht mentions lower travel costs. Sanders mentions reduced duplication of efforts and fewer time-wasting turf battles.

There’s also savings to be wrung from technology convergence. Security Manager Eduard Telders put smiles on the suits at Pemco Insurance by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand,” he notes. “If a disk goes out, it costs $150.”

Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Likewise, at Intel, Alan Rude did a lengthy ROI study on switching to digital surveillance recording. In the process, he not only saved lots of money, he also wound up connecting much more closely with the IT department.

Stephen Baird, vice president of corporate security at United Rentals, North America’s largest equipment rental company, is also using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations-using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they’ve also used) to make sure customers aren’t walking-or driving-away with equipment. And lest one think that light towers, backhoes and skid steer loaders don’t disappear, guess again. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automatically-as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

Give me some more specific scenarios where this is necessary and worth the effort involved (because I suspect that effort will be big).

– Investigations.

Jim Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program-to bring together disparate pieces of security, including physical and information security, under one roof. It didn’t take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks. Mecsics and his team went to work-they set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen). “That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says. Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit.

– Terminations (and, conversely, new hires).

Also referred to as provisioning and deprovisioning. When your company brings new employees on board, they need all sorts of things, from network passwords to access cards to corporate credit cards. And then when they leave the company, the company needs to gets its belongings back and also shut off access to networks and buildings in a timely manner. Companies with a coordinated approach to provisioning and deprovisioning do those things efficiently. See BT’s termination checklist, for example, at www.csoonline.com/read/090103/termination_checklist_1731.html) Those who do these things in a scattershot manner are more likely to leave the door open for ex-employees to abscond with materials or intellectual property.

Quick case study: Children’s Hospital in Boston has a complicated workforce. It’s a teaching hospital, so in addition to normal staff turnover, new physicians come and go “in waves,” according to CISO Paul Scheib. Some doctors are actually employees of various foundations rather than of the hospital itself. To help keep pace with creating and managing new network accounts and assigning the right privileges, the hospital first implemented password-management software and later a more complete identity-management suite from Courion. While the impetus was on the hiring end of the employee lifecycle, Scheib says a big payoff is that access can be shut off in a more timely manner when an employee leaves the organization. And Scheib finds himself working closely with the hospital’s physical security group to integrate door access badges into the identity management approach. In the past, Scheib notes, “we had our information and they had theirs”-there was very little sharing of information. “Now we’re working on a metadirectory project and starting to map both physical and infosecurity data and to define roles that require physical access to high-security areas such as surgical suites.” Children’s Hospital has no organizational initiative dubbed “convergence”; it’s just security people recognizing the efficiencies of working together.

– Business continuity.

Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it this way: “Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.”

– Dealing with camera phones, USB tokens and other gadgets.

An employee (or visitor, or janitor for that matter) connects a thumb drive to his work PC, copies a database with juicy customer details, and walks out the door. Or he uses a camera phone to wirelessly e-mail a surreptitious snapshot of your company’s R&D area. Are these digital threats? Or physical ones? Who cares! Again, good communication between the information security and physical security functions will help you craft intelligent policies and enforcement measures to stop this kind of incident.

– SCADA and process control systems.

At manufacturing companies and utilities, Supervisory Control and Data Acquisition (SCADA)systems sit directly at the intersection of the physical and digital worlds. They are used to electronically control and monitor the actual machines that mix chemicals, control temperatures, and so on. Typically, network security professionals don’t know much (if anything) about securing SCADA, and process engineers don’t know anything about information security.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers took care of the systems themselves. “When I joined the company six years ago, it was hands off, you have no authority here,” he says. “After 9/11, they were asking for my input. It was a major shift.” Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

What are the roadblocks and potholes we need to plan to avoid on our way to convergence?

– Turf battles.

Many employees, both managers or lower-level employees, will be unhappy with any change to their turf. They’re not going to like whom they report to, whom they have to work with and the new projects they’re assigned to. Egos will be bruised, if not battered.

When Mecsics consolidated security functions at Equifax, he had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. “I said, ‘I’m not going to do anything to hurt your system or inhibit your business processes. I’m here to protect you so our CEO isn’t standing before a congressional committee someday explaining why credit reports are in front of some gym locker,'” he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.

– Executive buy-in.

You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn’t feel as warm and cuddly about it as you do, your proposal will stay just that-a proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first.

At EDS, Pembleton wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. “We had conversations about what we were trying to do, then did a couple of sites to prove the concept,” he says. “The centralization proved so efficient that the senior leadership raised the question, ‘Wouldn’t it be more efficient to put all four lines in the same security organization?'” Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

Communication is also critical-if you don’t get buy-in initially, communicate with the leaders who are feeling the impact of whatever change you’re trying to make, says Pembleton. “Try to put yourself in the other person’s position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?” he says.

Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI)-a major undertaking. Executives might view it as an expensive investment that doesn’t return immediate value to the company. Implementing PKI would require every business unit to conform their applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. “Everybody gets a digital smart card-a big step toward PKI-and you can help sell it by saying the card would contain a smart chip that contains all of a user’s passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI,” says Hunt. “A convergence project will fail if it can’t demonstrate business value. Some convergence projects have to be made more relevant to the business,” he says.

– Cultural differences.

It’s no secret that, in many companies, corporate security people are from Venus and IT security people are from Mars. So CSOs with a bent toward convergence need to be aware of the cultural differences-and not just between physical and information, but among all security-related departments-and have a plan to deal with them. Cross-training is one effective way to make people more understanding of their fellow employees. Pontrelli at Triwest and Telders at Pemco both cross-train their physical and information security staffers.

– Organizational structure.

As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella, Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations?

“With 300 people, it becomes a significant issue evaluating where your needs are,” he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).

During the review process, Wipprecht also sought the input of his staff. “You have to communicate. You redefine the new organization, set goals, then go to the agent level for their input. We want participatory management. The responses I got really helped formulate what our organization was going to be today,” he says.

Wipprecht also says training is key to a successful, converged department. “We as a management team have an obligation to have the best and the brightest,” he says. “To do that, we need to provide the training they need to maintain an expert level. If they’re the best they can be, that can only assist you in the field as agents communicate with customers, the FBI, Secret Service, whatever. It saves time and money.”

– Information sharing.

Think about information-sharing between the FBI and CIA. Or the FBI and CIA and NSA. Or FBI and CIA and NSA and DoD. You get the drift: Getting security folks to share information can be as hard as telling your boss his putt isn’t a gimme.

Security pros “are not accustomed to talking a lot; they’re trained to protect information,” says Richard Loving, CSO and director of administration at BWX Technologies (BWXT), a manager of nuclear plants and other high-security facilities.

Loving says communication across his organization was the biggest challenge he dealt with when he centralized security, which had been the domain of each individual nuclear facility. To get over that hurdle, Loving has emphasized to facility security managers that working together is in the best interests of the company and that headquarters is trying to enhance-not control-their local operations.

He also advises showing employees the successes of their collaboration. “One time you may be sharing, the next time you may be on the receiving end,” says Loving. For BWXT, the benefits of information-sharing came after the Department of Energy ordered all its facilities to improve security of controlled removable electronic media (CREM). Loving and his colleagues coordinated a group response across BWXT facilities rather than having each plant act on its own to comply.

This kind of sharing won’t come easily; it’s an evolution, Loving says. “It really is getting people to open up and share and recognize that there will ultimately be benefits, whether in operations, security or safety.”

Given that most security personnel are from one background but not the other, how is such a person going to have the credibility and expertise to manage both functions?

First, CSOs leading formally converged programs stress that the leader doesn’t have to be an expert in every sub-field of security. That’s what you hire smart infosec and physical security specialists for.

Second, a small but growing number of academic programs (at Northeastern and Carnegie Mellon, for example) are available to help round out your background. John Petruzzi, an ex-Marine now leading security at Constellation Energy, took SANS Institute classes to get up to speed on information security. It can be done.

Third, other companies get around this by not putting a single individual in charge. Having all security functions report equally into a Chief Risk Officer or a department of risk mitigation is one possible solution. The aim is to achieve cooperation without making one group feel that they’ve been put under the thumb of another. (See next question.)

If we don’t choose to combine operational groups, can we still get some of the benefits?

Steve Hunt, the former Forrester Research analyst (and CPP) who founded consultancy 4A International, believes convergence is better handled on a project-by-project basis. “You might have two employees, both with the company for 10 years, and [the infosecurity person] gets paid twice as much as the [corporate security person]. That makes for a natural cultural segmentation in the department,” says Hunt. “My argument is, let’s keep talking about converging the departments, but what’s the hurry? The business doesn’t care who people report to as long as value is delivered.”

We’ve seen more and more convergence articles and presentations in the media and at trade shows. Why all the buzz at this point in time?

Here are five current trends knocking down the walls between traditional security stovepipes.

1. Technology convergence. Corporate security services—video surveillance, access control, fraud detection and access control, for example—are increasingly database-driven and network-delivered. In other words, IT is ever more tightly woven together with physical security.

2. Vendor convergence. Not so long ago, infosec vendors protected networks, and physical security vendors protected bricks and mortar, and the two never met. Now a growing roster of security companies operate in both spaces, as well as in other risk-related areas. Brink’s, the armored car company, offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is mixing with smart-card vendors like HID in the Open Security Exchange consortium, developing a network-and-building-access standard called PhysBits. Kroll, historically a physical security services provider, owns digital forensics unit Ontrack Data Recovery.

Bill Hancock, CSO and vice president of global security solutions at Savvis, points out that this is a rudimentary form of convergence. Nevertheless, Hancock expects vendors to continue to merge and meld these distinct product lines into more tightly integrated offerings. And aside from these well-known companies with roots in one discipline or the other, a growing fleet of smaller vendors now present all kinds of interesting examples of cross-functional services. Green-Tech Assets is an interesting illustration, offering a computer-disposal service that blends physical, digital, legal and insurance safeguards against potential liabilities created by inadvertently dumping hard drives and other technology assets containing sensitive financial or customer records.

3. Community convergence. Security is an association-driven world, and for years the associations gave little acknowledgement of each other’s existence. That changed in a big way in 2004 and 2005, notably with a statement of solidarity from CISSP promulgator (ISC)2 (in the infosec corner), CPP certifier ASIS International (from the corporate security side) and IS audit association ISACA. Observers such as Williams (who is active in ASIS) anticipate ever more concrete cooperation between these communities over the near term.

4. Threat convergence. Hancock, among other experts, has been sounding the klaxons about the idea of blended threats (combined physical and logical attacks) for some years. The most likely scenario is a physical attack (such as 9/11) with its effect multiplied by concurrent digital denial-of-service attacks aimed at telecommunications or other infrastructure. This scenario becomes more likely as digital controls become more and more prevalent for physical systems. Hancock tells of a company that extolled its foresight in implementing a door-lock system at headquarters requiring verification of digital certificates to allow employees to enter. Hired as a consultant, Hancock used his laptop to launch a “mini-DDoS” attack against the server that handled the verification. Throughout the building, the door locks stopped working.

5. Educational convergence. This trend is just picking up steam, but universities such as Carnegie Mellon and Northeastern have launched programs aimed at equipping students with a portfolio of knowledge and skills in both corporate and information security.

I’ve also seen some companies who’ve tried a single security department and then moved away from it.

There will be ebbs and flows, but according to the State of the CSO survey conducted every spring, the overall trend toward consolidated departments, specifically, has been upward for at least the last three years.

This primer was compiled from articles published in CSO magazine. Contributing writers include Scott Berinato, Kathleen Carr, Todd Datz, Simone Kaplan, and Sarah Scalet. Send feedback to CSO Editor Derek Slater at dslater@cxo.com.