Once upon a time, no news was good news for a security professional.
Today, the security function is seen as a contributor to corporate success, and its leaders are often asked, “What have you done for our success lately?” It is pretty safe to say that in the past security was seen as an operational concern. Today, information and physical security have evolved into something much more strategic. That is just one sign of how the profile of security professionals has risen over the last few years. Other signs abound.
New Responsibilities, New Metrics
For example, at the corporate board level, there are now committees focused on risk and security exposure. It used to be that the corporate ceiling for security managers was middle management. Now they find themselves as executives and in the C-suite, with a corresponding widening of things that need to be secure.
These senior security managers now bridge gaps that were previously unheard of or unknown. Moreover, the general professionalization of the security function has led to its being treated as would any other business function: It is measured and accountable for performance.
ESRM vs. Convergence
The increased complexity of security issues today has also helped raise the profile of the security function. Generally, the divide between information and physical security is getting smaller. The alignment of the two functions is something that virtually every security organization is either dealing with or avoiding (ostriches beware: head-in-the-sand tactics are a career-limiting move). The alignment of the two groups is often referred to as convergence.
This term and trend should not be confused with ESRM (Enterprise Security Risk Management). While convergence is about the industry’s structural change, ESRM is a management process used to manage risks effectively across an enterprise. The process quantifies threats, establishes mitigation plans, identifies risk-acceptance practices, manages incidents, and guides risk owners in remediation efforts. (ASIS International CSO Center)
Traditionally, information and physical security were addressed separately. In my opinion, today’s trend is the second (maybe more than second) wave of convergence since I have been in the security industry.
When I first started twenty years ago, the convergence between security services and solutions began to happen: namely, there used to be security guard people and security technology people on a physical security team. Although today people specialize, these two profiles are often found in one and the same person, and at a minimum they are on the same team.
Mind the Gap
At the end of the day, when you consider the gap between the domains of physical and information security, you cannot start with the solution in mind. You need to analyze the risk, while accounting for both information and physical security points, and then apply appropriate solutions to manage the risk. Generally, risk can be defined by this equation:
Risk = Threat x Vulnerability x Impact
In many cases, the common ground between the two domains consists of risks, assets, metrics, and resilience.
Risk assessment usually starts, of course, by identifying assets and classifying them based on their importance to the organization. In the case of convergence, assets are assets, and they can be compromised by both physical and technical means.
Business Metrics Remain the Same
Regardless of how assets are secured, the business metrics remain the same:
- How efficiently can they be secured?
- What are the mitigation measures and return on investment?
- What impact will a security issue have on the company if an asset is compromised?
In April, I was fortunate to attend the ASIS Europe conference, whose overall theme was “Going from Risk to Resilience.” Resilience is, in large part, the answer to “How does one get back to normal after an incident?” The answer, of course, ties into how well prepared an organization is for an incident, whether it be in physical or information security.
Closing the Gap with Data
In many cases, the gap between the two domains of security is measured with data. Without proper incident collection and incident management tools in place, we are eternally unsure of how our program or its individual parts are doing. For example, a security guard force that is not electronically reporting all of its actions, activities, and influence remains essentially untracked because the vast volume of data generated by the front line is not captured.
Harnessing such data supports the risk assessment process in large part by identifying incident likelihood, and that in turn identifies what actions should be taken, how they should be carried out, and the importance they should be given. This approach applies to a physical security solution as well as one focused on IT assets.
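The two ideas above, scoring each asset with Risk = Threat x Vulnerability x Impact and deriving the Threat term from captured incident data, can be combined in a small risk register. The following is an added example, not code from the original article or from ASIS; the asset names, incident records, 1-to-5 scoring scales and the count-to-score thresholds are all constructed assumptions for illustration, and a real program would read the records from the incident-management tool instead.

```python
"""
Added example (not from the original article): a risk register that applies
Risk = Threat x Vulnerability x Impact to a constructed asset inventory, with
the Threat term estimated from constructed incident records of the kind a
guard force or IT team would report electronically.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed incident records: (asset, threat, domain). Note that one asset,
# the server room, has both a physical and an information-security history,
# which is exactly the overlap the article describes.
INCIDENTS = [
    ("server-room", "tailgating", "physical"),
    ("server-room", "tailgating", "physical"),
    ("server-room", "tailgating", "physical"),
    ("server-room", "credential-misuse", "information"),
    ("hr-database", "credential-misuse", "information"),
    ("hr-database", "credential-misuse", "information"),
    ("loading-dock", "theft", "physical"),
]


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int          # 1..5, assumed scale from the asset classification step
    vulnerability: dict  # threat -> 1..5 control-weakness score (assumed scale)


# Constructed asset inventory; each asset lists the threats that apply to it,
# regardless of whether they are physical or technical in origin.
ASSETS = [
    Asset("server-room", 5, {"tailgating": 3, "credential-misuse": 2}),
    Asset("hr-database", 4, {"credential-misuse": 4, "tailgating": 1}),
    Asset("loading-dock", 2, {"theft": 3}),
]


def count_incidents(incidents):
    """Tally reported incidents per (asset, threat) pair."""
    return Counter((asset, threat) for asset, threat, _domain in incidents)


def threat_score(count):
    """Map an observed incident count onto the assumed 1..5 Threat scale.

    A pair with no recorded history still scores 1 rather than 0, so a
    high-impact, weakly controlled asset is never hidden by a zero product.
    """
    if count == 0:
        return 1
    if count == 1:
        return 2
    if count == 2:
        return 3
    if count <= 4:
        return 4
    return 5


def risk_register(assets, incidents):
    """Score every asset/threat pair and return rows ordered by descending risk."""
    counts = count_incidents(incidents)
    rows = []
    for asset in assets:
        for threat, vuln in asset.vulnerability.items():
            threat_term = threat_score(counts[(asset.name, threat)])
            rows.append({
                "asset": asset.name,
                "threat": threat,
                "threat_score": threat_term,
                "vulnerability": vuln,
                "impact": asset.impact,
                "risk": threat_term * vuln * asset.impact,
            })
    rows.sort(key=lambda row: row["risk"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in risk_register(ASSETS, INCIDENTS):
        print(f"{row['asset']:<13} {row['threat']:<18} "
              f"T={row['threat_score']} V={row['vulnerability']} "
              f"I={row['impact']} risk={row['risk']}")
```

The ranking that comes out puts the server room's tailgating problem first even though it is a "physical" issue on what most organizations would file as an IT asset, which is the point of assessing both domains against the same asset list; the register also gives the KPI discussion later on something concrete to track, since re-running it after a control change shows whether the vulnerability or threat term actually moved.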
Measure All Solutions
All solutions applied to improve security should be measured. The measurement can be in the form of Key Performance Indicators (KPIs) and Service Level Agreements (SLAs). The data should always point to being risk- and resilience-focused rather than focused on a single mitigating measure. If you cannot measure the activity or function, then you cannot improve it.
The ultimate point that supports alignment between the domains of security is communication: both the communication between the security teams and the corporation as well as that within the security team. Sharing information in a structured manner can only improve the overall risk profile and level of preparedness of the company.
What differs is the solution for protecting the asset. In many cases, the threats are not mutually exclusive, meaning that a physical security issue can affect an information system and an information system can impact physical security.
In such a case, implementing an appropriate security solution requires that you:
- Identify clearly how the two departments (usually siloed) will communicate with each other and with the corporation;
- Be able to explain clearly the nature of the security threat and its implications;
- Provide data to support your proposed security solution.
With this approach to a security solution – whether the threat be physical or IT at source – the domains of physical and IT security can align, and the silos will break down. Once the security department’s goals are in harmony with corporate goals, the security team will be destined for success.