January 2, 2020
Despite well-researched advantages and being advocated by security experts, a new study finds convergence between physical and cyber security operations is not as pervasive as predicted.
The research, from ASIS International, finds just 24 percent of respondents have reorganized to combine their physical and cybersecurity functions. When business continuity is included, a total of 52 percent have converged two or all of the three functions. Of the 48 percent who have not converged at all, 70 percent have no current plans to do so.
The study, titled State of Security Convergence in the United States, Europe, and India, is based on responses from more than 1,000 security leaders from around the globe.
The research found business continuity management (BCM) is more likely to be converged than physical or cybersecurity. Among respondents, nearly half (47 percent) said BCM is converged with either cyber or physical security, compared to just 24 percent with converged physical and cybersecurity functions. In addition, 71 percent of BCM managers surveyed felt that converging functions would somewhat or greatly strengthen BCM. Only 16 percent felt convergence might weaken the function.
Though convergence is not catching on in most organizations, 96 percent of organizations that converged two or more functions (physical, cyber, and/or BCM) report positive results from the combination, and 72 percent believe that convergence strengthens overall security. Even in companies that have not converged, 78 percent believe that convergence would strengthen their overall security function.
Aligning security with business goals
A key driver and benefit of convergence is the desire to better align security strategy with corporate goals, according to the results of the survey. When asked “which of the following factors might convince you to converge?”, the number one answer, cited by 38 percent of those who had not yet undertaken convergence, was “better alignment of security/risk management strategy with corporate goals.” This was also considered the most positive benefit by 40 percent of the respondents that had already converged two or more functions.
But convergence or integration needs to be customized to fit the needs of a business and its culture.
“For example, safety is a major concern in the chemicals industry. One chemical industry security leader explained that physical security and fire safety are often converged, but it did not make sense to converge them with cybersecurity,” report authors said in a summary of the findings. “A major U.S. e-commerce company executive explained that ‘cyber is very important and so it is kept separate from all other sectors.’”
Challenges to convergence
Bringing together the often very different skills and mindset of physical and cyber security teams is one of the most difficult hurdles in convergence. The study finds the most frequent challenges cited by companies that converged were “different cultures and skillsets” (36 percent), “turf and silo operating tradition” (24 percent), and the “belief that cyber security requires its own operation” (21 percent). However, more than one-fifth of all respondents (22 percent) reported no challenges in converging departments.
And because physical and cybersecurity require different education and experience, finding the right talent to lead a converged security department can be challenging, according to the results.