The convergence of the digital, virtual, and physical business environments, the constant change of business models, and the dependence on digital interconnectivity widen the scope of the security risks to which business resources are exposed. In such a business environment, a combined (hybrid) security attack on the entire infrastructure that exploits both physical and digital security weaknesses could cause incalculable damage to the Organization.
All corporate security disciplines should be managed under the same governance framework that is based on a holistic security risk management approach
Security convergence relates to the holistic governance, the management of risks and incidents, and the daily operation and continuous improvement of the different security disciplines within an Organization. A converged approach to security would bring physical and digital security, regulatory compliance, information security, crisis management and business continuity, loss prevention, brand protection, travel risk, supply chain security and workplace violence prevention under the same governance scheme. In this context, the role of the Chief Security Officer (CSO), who will lead the convergence effort, is gaining importance, since this role’s area of responsibility is expanding beyond risk management.
Undeniably, the modern business era is characterized by increasing technological interconnection and automation, and it offers huge opportunities for the development of the business environment, for economies of scale and for the empowerment of the innovation management process. However, without proper protection of the wider digital, virtual and physical environment, the digital infrastructure and the interconnected devices, assets and people could be vulnerable to security-related threats. It is also undeniable that a combined (hybrid) attack that exploits physical and digital security weaknesses can cause incalculable damage to the entire Organization. Once the Organization realizes that the convergence of physical and digital security is an inevitable consequence of the convergence of security risks and their impact on the Organization, it becomes easier to adopt a holistic approach to security risk management and governance.
The way forward – The convergence of physical and digital security
Aiming for security convergence, there are several important challenges that need to be considered. The lack of standards is one of them: the existing standards concern mainly the convergence of security technologies. There is also a need for new skills and a continuous flow of information between the digital and physical security functions. The ability to think about security holistically is also a challenge. Digital and physical security require different knowledge and expertise. In a converged security model, security professionals should be able to understand the particularities of each security discipline and fill any gaps. Clearly defined roles and responsibilities, along with the establishment of a Security Governance framework, are also challenges that need to be considered at the early stages of the convergence.
Managing security holistically in the corporate environment requires a continuous process that will manage all security-related risks and will become part of the daily operation of the Organization
Managing security holistically in the corporate environment requires the implementation of a continuous process that will manage all security-related risks and will become part of the daily operation of the Organization. This process should be based on widely accepted standards and best practices, should reflect the security threat profile of each Organization, and should also take into consideration the local and international regulatory requirements of each aspect of security. Furthermore, the process should integrate with the company-wide strategy and approach for Governance, Risk Management and Compliance (GRC).
Currently, there is no complete and widely accepted security GRC (sGRC) framework. Organizations that would like to adopt a converged security approach need to establish their own sGRC process, based on a framework they will develop themselves. The sGRC process will be established following a phased approach. The following diagram outlines the building blocks of such an sGRC process.
The convergence of physical, digital and virtual corporate environments, the interconnectivity of everything that communicates in a digital language, the automation of critical processes through digitalization, and constant change call for a holistic approach to corporate security. To achieve this, all security disciplines should be managed under the same governance framework, one that is based on a holistic security risk management approach. In this paper, we described the necessity of a converged approach to corporate security, and we presented an approach to implementing a security GRC (sGRC) process. The adoption of a continuous sGRC process provides the tool to achieve common governance and structures, and the unification of critical security operations such as incident management, asset protection and threat management. At the same time, the effectiveness of the security controls is maximised, since all security controls are aligned under the same guiding principles and all aspects of security are taken into consideration.