Gartner says more companies should put all risk managers, IT, and OT security experts on one team to create one view of the threat landscape.
One way to give security teams a louder voice is for individual leaders to combine forces. Instead of competing for attention from the executive team, physical security and cybersecurity leaders could present a unified assessment of the threat landscape. As lines between physical and cyber security threats blur, companies need that comprehensive view to get a full picture of the threat landscape.
Dell’s Chief Security Officer John Scimone runs a converged security organization, which creates an unusually broad view of security risks. His responsibilities cover these four areas:
- Physical security
- Product security
- Resilience, which includes disaster recovery, business continuity planning, and crisis management
Gartner recognized this emerging trend in a recent research note about security and risk management and recommended that companies break down functional security silos and move toward a converged structure.
Katell Thielemann, a VP analyst of security and risk management at Gartner, said that she is seeing and encouraging this trend for clients who have business or mission-critical reliance on cybersecurity, physical security, supply chain security, and/or health and safety.
“These disciplines need to converge as cyber-physical systems—both brownfield via IT/OT convergence and greenfield via IoT, IIoT, and Smart Cities programs—continue to deploy at an accelerated pace,” Thielemann said.
Scimone said he sees three major benefits of a converged organization:
- Streamlined communication with customers, employees, and senior managers
- One unified view of overall security risks
- One point of contact and set of policies for employees
Scimone also said that combining each of these disciplines into one group allows him to have a simpler and more consistent conversation about security risks with business leaders.
“Also, customers increasingly see security as one thing and most importantly, hackers don’t make distinctions between crimes,” he said.
The ASIS Foundation report, “The State of Security Convergence in the United States, Europe, and India,” found that most companies still have separate physical and cybersecurity departments.
Of the 1,000 security professionals the foundation surveyed, 48% said that cybersecurity, physical security, and business continuity were not in a single department, while only 19% said they were. Physical security and business continuity were the most common pairing, combined at 21% of organizations. Companies in Europe and India both reported a convergence rate of 23%, compared to only 16% in the US.
How convergence works at Dell
Judging by the ASIS findings, Scimone’s organization is unusual in combining all four departments. Dell merged the four departments several years ago, and Scimone has tightened the integration since he joined the company more than three years ago.
Scimone said the key to merging four disparate teams is to prioritize collaboration, innovation, and experimentation and to have the courage to change “the way we’ve always done it.”
The next step is to be open-minded about the change and to orient the new team around a common mission that covers both digital and physical risks.
“I think what you’ll find is an incredible degree of collaboration and energy and excitement from team members who get energized by new challenges and learning new skills,” he said.
One change he made is to create business unit security officers who are embedded in core Dell functions, such as manufacturing and logistics, infrastructure, and solutions groups.
“These dedicated security experts proactively identify risks and opportunities that might be difficult to identify with a centralized security organization,” he said.
This organizational structure helps security experts establish trust and credibility with business units and ensures the central team’s work is relevant to the business needs on the ground.
The security team at Dell also holds regular joint strategy and operational planning meetings that include physical and digital security professionals, resilience professionals and business unit security leaders.
“Representatives from every skill set and discipline come into these meetings and bring their experiences to the table,” he said.
Dell also extended the convergence mindset to the security operations center by building a workspace that includes security experts from all disciplines.
Finally, Scimone hosts problem-solving sessions that include cybersecurity, physical security, and executive protection as well as business leaders including travel planners and supply chain experts.
“We bring all those people under the same roof, put them in front of the same data and screens and get them to focus on some of the company’s biggest challenges,” he said. “From some of these structural changes, which are simple to do in practice, we’ve seen incredible energy from team members and more importantly incredible solutions and innovation come out of these merged teams.”
Scimone said prioritizing communication, aligning incentives, and setting common goals are the best ways to encourage people to work together.
Barriers to and benefits of convergence
The ASIS researchers found that the biggest barriers to bringing cybersecurity, physical security, and business continuity functions into one group include:
- Different cultures and skills among converged units: 41%
- Turf and silo operating traditions: 41%
- Belief that separate security operations are needed: 26%
The ASIS research found that 46% of survey respondents said convergence has at least somewhat strengthened their overall security function, and another 30% said it has greatly strengthened security. Other benefits include:
- Better alignment of security strategy with corporate goals: 40%
- Enhanced communication and cooperation: 39%
- Shared goals across all three teams: 35%
- Enabling the security staff to become more versatile and well-rounded: 26%
- Helping the organization gain a more-efficient security operation: 25%
- More visibility and influence with the C-suite and board: 23%
The promised cost savings of convergence did not show up in this survey: only 7% of security executives from converged organizations listed cost savings as a primary benefit of convergence, and 6% said that convergence actually added cost.
The ASIS survey included more than 1,000 CSOs, CISOs, physical security directors, cybersecurity directors, business continuity heads, and crisis/disaster management leaders and covered the states of convergence, barriers to convergence, benefits and drawbacks of convergence, and related topics. The researchers also did more than 20 in-depth interviews to understand convergence at organizations in the United States, Europe, and India.
In a recent research note about security trends, Gartner analysts recommended that corporate leaders should take these steps to create a unified security approach:
- Inventory all cyber-physical systems in the organization, and map who is in charge of their security.
- Review enterprise risk registers to determine whether security risks outside enterprise IT are captured and addressed.
- Conduct asset discovery efforts to uncover all assets and devices touching enterprise systems.
- Extend vulnerability and threat management efforts to all systems.
- Start building a business case for a C-suite leader who can aggregate IT security; OT security; physical security; supply chain security; product management security; and health, safety and environmental programs into a centralized organization.