

So, there I was, sitting in a conference room with cross-functional internal colleagues and representatives from a potential new external partner when a member of our legal team said to the external lead, “Good question. I’m not sure. I’ll need to defer to T to provide you with those answers.”
I wanted to look around and see who was going to answer until I remembered that T is short for Terrell and that’s me.
I wasn’t supposed to be the one sitting in that room with all eyes on me looking for answers to complex cybersecurity questions. I’d already fielded and answered the physical security questions because I’m the PhySec director and I can answer those questions all day long. But when my direct manager, the Chief Security Officer (CSO), was pulled away by an emergency, I found myself in the hot seat. Had I known being in his seat meant covering a project with numerous internal and external stakeholders, I might have changed my name.
The question I fielded was about processes and procedures outside of my day-to-day wheelhouse: platform security; product security; infrastructure security; governance, risk and compliance (GRC) and foundation security. As leaders, we put pressure on ourselves to know all of the answers and to have the solutions to every problem in our back pockets. But as all eyes were focused on me and our legal partner was looking at me expectantly, I knew I did not have a response ready. It was an uncomfortable feeling for someone used to having all the answers when it came to physical security.
This is when I remembered what our CSO told me, “I know you got this T, reach out to the CyberSec team if you need anything.” Wow, did I need them! I took a deep breath and explained that the answers to their questions were complex and that we’d need to bring in the relevant CyberSec leads to provide the subject matter expertise. Everyone nodded, so I did a quiet whew of relief.
Being in the hot seat reminded me of the importance of convergence and relationship-building. For 13 years, I’d honed a career in PhySec. I realized, for most of that time, I’d stuck to what I’d known. This moment showed me how important it is, as a leader, to seek out help and expertise across the aisle when I need it. It encouraged me to learn more and expand my knowledge set, so that I could communicate about CyberSec more fluently with leadership. Turns out, the answer to expanding my knowledge set was pretty easy to arrive at—Convergence!
What Is Convergence?
Merriam-Webster defines convergence as “the act of converging; and especially moving towards union or uniformity.” In security, I was introduced to the concept of PhySec-CyberSec convergence by a mentor back in 2009. I see it as bridging the shared lanes that exist between CyberSec and PhySec and developing an enterprise-wide solution to company threats. At the end of the day, we (CyberSec and PhySec) have a similar mission and tend to respond and handle incidents in a similar way. For example, someone gets through a firewall or breaks into a building. We both want to identify where and how they got in, if they’re still in, what was taken, how they got out, and who they are.
Why Is Convergence Important?
Convergence makes your security organization stronger and more resilient. Your organization will benefit from a balanced security team, a refined crisis response team, a unified approach to security initiatives, cost savings from consolidating and/or eliminating duplicative measures, and improved efficiency from tearing down silos. Your security professionals (Cyber or Physical) will be able to speak intelligently to any security threats facing the organization and be able to provide solutions so that an informed decision can be made. Bringing these two departments together is also beneficial when it comes to budgets. The common practice of siloing these two departments potentially results in underfunding one over another, which decreases the effectiveness of the organization’s security posture. Those organizations with converged cyber and physical security functions are more resilient and better prepared to detect, deter, deny, delay, or proactively respond to threats.
Convergence?! Is It The Right Path For My Organization? Where Do We Even Start?
Honestly, it starts with you. I started two years ago by reaching across the aisle to my internal CyberSec partners and talking about our commonalities. Two years later we are continuing down a path to convergence together:
● Areas We Must Converge
○ Where is cross-pollination already occurring, such as (but not limited to):
■ Common language/terminology (defining)
■ Incident response framework
■ Business continuity and resiliency planning
■ Project management
■ Tabletop and field training exercises
● Areas We Should and Would Benefit from Converging
○ Identifying swimlanes/roadmaps which align with the company mission
○ Security Operation Centers and Tooling
■ Shared resources (ex. analysts)
■ Shared space
■ Incident reporting systems
■ Incident management systems
■ Mass communications systems
Even if you believe a full convergence is not right for your department or organization, do not let it stop you from building relationships or leveraging the knowledge held by CyberSec. Do customer walks with your CyberSec team to view how they look at physical security risks, especially in the Internet of Things space. Share what you see with them. Find a way to implement their risk viewpoint into how your team patrols/reports issues. Leverage your system tools to identify and report issues or concerns to their team. Invite them to participate in PhySec tabletop and/or field training exercises. Ask to have visibility on incidents or be a fly on the wall during an after-action debrief to see how they approach, resolve, and mitigate incidents. If you have the appetite and budget, hire a specialized consultant to conduct a convergence workshop with your combined teams. Sometimes an outside perspective can be a good way to get people thinking.
Do not wait 13 years or feel that you cannot make a change in this industry.
Even if you/your company is not considering convergence, my challenge to you is to share these ideas with your industry peers and those within your security organization and see what kind of tangible benefits you can identify for your organization.