The security industry has been talking about the convergence of physical and information security functions for years.  Many act as if it’s a big deal or that it’s a difficult endeavor to accomplish.  I say, ready or not, it’s already here.  Security functions and technology has merged right under our eyes.  Let me explain.

First, let’s define “Security Convergence”.  According to ASIS, it’s, “The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.”  The key words are risks, interdependencies, and solutions.  It’s critical to review the risks to the business and determine the best methods for mitigation.  Notice that this definition contains no reference to information security or physical security.

Traditional practices have caused many large organizations to create security silos to solve individual problems rather than looking at the best solution to reduce risk.  They separate physical from logical (or information) security without realizing that these groups serve the same purpose: mitigating risks.  More progressive organizations have their security converged and are thus better able to handle common risks.  These organizations are addressing the reality of risk management, which looks at methods to address risks regardless of the form.

Many new or small organizations lack a separate physical security force that is seen in established firms. They will often outsource physical security functions as part of their lease.  They believe it covers all types of risks and ignore others that they cannot address due to time or money constraints.  These businesses would be better served with a converged security function under a single employee who’s responsibility is to address all types of security risks: both physical and logical.  With this, the company is better positioned to manage their security risks in a consolidated function.

One last point on the physical/logical security convergence is that most of the equipment used by physical security, such as cameras and monitoring, badge systems, etc. is already on the network.  The camera system in your facility is most likely on your corporate IP network.  There’s also a strong possibility that’s also true with your badge system.  They are network servers, but are usually managed outside of IT.  This is another case where a converged security function can better maintain critical company services.

Security isn’t something you bolt on and hope it works.  It needs to be incorporated into the fiber of the organization.  A converged security function allows this to occur in the most cost-effective way.

What do you think?  Feel free to comment below.