We have been hearing about the “convergence” of physical and cyber security for years, but even today there are still debates about whether it has happened yet (spoiler alert: it hasn’t). Part of the challenge might be that the word convergence itself can apply to more than one kind of activity – for example, some believe it applies to the linkages or integration of IT and security systems, while others believe it applies to IT and security organizational structures and teams. It can also be viewed by how threats can have both physical and cyber dimensions to them. Another part of the challenge is that the word is not very precise – at what point of integration can systems be said to be “converged”?
Based on our experiences with some of the world’s leading companies and a wide range of security system users in a variety of industries, we can say categorically that convergence is accelerating, but with severe challenges brought about by the nature of cyber threats. Physical security technology silos are rapidly being connected and integrated with corporate IT, not only for the transport of video data, but also to improve the management of video and access control systems themselves. Convergence on cyber issues is also happening, but more slowly than for physical security systems because there are significant differences in cyber-security and cyber-hygiene for physical security systems versus traditional computer and consumer device security.
Thankfully for cyber security there are established and proven frameworks for maintaining a high-security posture. Organizations like the Center for Internet Security (CIS) or NIST publish cyber hygiene processes that many customers have already adopted. There is the challenge of not what to do, but how to do it efficiently – for example, always knowing the devices and their status on their network or having patch management processes. Making these established processes more easily and painless to implement is where more effort is needed to improve convergence.
Going forward, securing the safety, security and operational gains that will flow from converged systems and organizations will require a range of new and existing technical and organizational solutions. Cyber threats are growing and are more sophisticated – making true convergence difficult because cyber-criminals (“the enemy”) are well resourced and well established.
Some technical solutions can be adapted from existing approaches used in other domains (such as virus and malware detection), but other solutions will need to be crafted within and for the physical security industry (camera firmware updating is a notable example). Organizational solutions, such as how to integrate physical and cyber security procedures, or the optimal security team design, will continue to evolve over time as the threats and the nature of the workforce changes.
Here are just two examples of the technical solutions that will have to be broadly addressed to support effective convergence:
- Data Verification addresses the need to ensure that transmitted and stored data remains accurate and unchanged by hackers, technical or human errors or any other source of alterations. Every security system has to rely upon known users, authorities and auditable records to be effective. Because of the complexity of this task and the need for constant vigilance, only an automated system has a chance of achieving the necessary performance and effectiveness.
- Service Assurance addresses the need to ensure that the necessary security systems, including surveillance video, access control records and cyber-breach detection maintain the highest possible uptime, regardless of the specific devices used, their age or what software applications are running on them. Here again, the only real way for this to happen is to update procedures and practices to eliminate as many manual processes as possible and to move toward the use of service assurance automation.
For the industry at large to benefit from the gains of convergence, the technical and organizational solutions must also be accessible and effective for a wide range of business sizes and types. This ability for most businesses to adopt and implement the solutions will be critical to achieve the ‘critical mass’ that will cement the gains into best practices that can be used and followed by others.
Solutions that only apply to large companies with sizeable physical and cyber security teams will not make the gains of convergence relevant for the full market. In order for convergence to genuinely and broadly happen, there will need to be a mix of how solutions can be delivered and implemented so that all organizations can adopt them – for example, managed services for small and medium sized organizations, and customer-run solutions for larger teams.
I am confident that in the context of the vibrant and motivated security industry of today, these technical and organizational challenges will be met. Yet because the nature of this convergence (having on one side a relentless enemy of cyber criminals), the physical security industry must be always vigilant against newly emerging threats.
Every business and every security provider should review their security stance and move forward to improve their processes to make use of available security and assurance automation. By doing so, you will not only improve your safety and security, but you will also achieve the system availability and performance necessary to gain a positive ROI from these initiatives.