Exclusive: Taking a holistic approach to risk management

October 15, 2021


Philip Ingram MBE assesses how the increasing convergence of security is helping businesses to better manage risks.

Having attended The Security Event at the NEC in Birmingham and the International Security Expo at Olympia, one theme that is consistently coming out is that of security convergence. For many, convergence is the bringing together of the traditionally separate physical and cybersecurity worlds, as more and more devices are IP enabled and network configuration is as important as camera installation skills.

However, in reality, convergence is much more than that: it is the product of taking a true Enterprise Security Risk Management (ESRM) approach to deliver uniform security risk governance for an organisation. It therefore brings together not just the physical and cyber (including IT) areas but also the people aspect, which brings its own challenges.

Last year ASIS International released an ASIS Foundation report, titled: “The State of Security Convergence in the United States, Europe, and India.” It is one of the only true insights into security convergence and had input from more than 1,000 CSOs, CISOs, physical security directors, cybersecurity directors, business continuity heads and crisis/disaster management leaders.

Of significance, the study found that 48% of organisations had not converged cybersecurity, physical security and business continuity into one department, with only 19% having fully done so and the rest somewhere in between, having partially converged. One of the major issues identified was a perception that cybersecurity is its own unique discipline. This is something that only the security industry can change.

Having a centralised approach to risk management is a recognition that managing risks holistically is better than trying to manage them in isolation or stovepipes. That holistic approach then properly allows the risks to be considered alongside other business risks and the appropriate resources spent in managing them. In effect it aligns the understanding of security risk and mitigation to corporate goals in a much better way.

Converging technology is driving the need

Technology is converging. Physical security devices are no longer just that; many, if not most, are IP based, internet visible and, like any endpoint or Internet of Things (IoT) device, vulnerable. With the increased ‘network-isation’ of physical security devices comes a convergence of threats, and it is that convergence of threats that dictates the need for convergence within the risk management sphere.

Add into the mix distributed computing, working from home, BYOD and then imagine how an organisation’s attack surface has increased exponentially. Often with cloud computing and “as a Service” offerings, responsibility for elements of the connectivity is outsourced. Multiply that through the complete supply chain and it is easy to see why many CSOs seem to age more quickly than most!

It is all about risk

It is generally accepted that there are five principal risk elements at the core of ESRM: identify your assets; identify the risks associated with those assets; mitigate those risks; respond to incidents; and, through situational awareness, continue to learn from incidents. The one element I believe is missing as a core principle is assigning ownership of the risk. Nothing focuses a member of the management team or board more than having personal responsibility, and therefore accountability.

The core principle of the UK Government’s “The Orange Book, Management of Risk – Principles and Concepts” is that “Risk management shall be an essential part of governance and leadership and fundamental to how the organisation is directed, managed and controlled at all levels.”

The definition of risk from an ESRM perspective is key to understanding why the ESRM process embraces business continuity. According to an Optic Security Group study for the Australian and New Zealand Government: “Risk is a very broad term and ESRM deals, quite specifically with ‘security risk’. A security risk in an ESRM context is anything that threatens harm to the enterprise, its mission, its employees, customers, partners, its operations, or reputation.” That could include natural disasters as well as insider threats. That is why ESRM espouses a holistic approach: in reality, many of the risk mitigation and business continuity measures will be the same.

The panel discussion examining the effects of systems integration over the next decade at The Security Event in Birmingham, involving the author, Andrew Schofield from Reliance High Tech, Chris Watts from Mitie and Steve Kenny from Axis, also highlighted the necessity of a holistic understanding of risk and concluded that “it was essential that risk and security risk mitigation is seen as a business critical function and the culture in an organisation is a critical part to ensuring a coherent approach to any and all mitigation methods.”

A second panel discussion, with Mark Neate from Sellafield, Scott Weiner from Atkins and Ellie Hurst from Advent IM, re-emphasised the culture point and highlighted some very human approaches to risk mitigation, stressing the importance of “education, experience, gut feeling and culture,” but went on to suggest that standards set by the industry, rather than by regulators as is the trend in some areas, would enable best practice to be properly understood and shared.

What is clear is that convergence is here to stay. The ASIS report highlighted how those companies that had embraced it found no negatives, but it didn’t highlight the positives. The biggest positive is that security convergence gives an organisation a proper understanding of what may cause it harm, and therefore makes it easier to mitigate against any potential harm. It also brings security activities into a place where they can be seen as integral to core business processes and therefore become a business enabler, rather than, as is often the case, being seen as a disabling function.

As threats evolve, so must the methods of defeating them, and given the complexity of the wider security environment there is no single silver bullet solution or magic product that will do everything. Instead, a combination of elements all working to a common plan and purpose, such as that provided by the ESRM framework, is the only logical way forward.

This article was originally published in the October edition of Security Journal UK.
