Today’s threats are a result of hybrid attacks targeting both physical and cyber assets. The adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices have led to an increasingly interconnected mesh of cyber-physical systems (CPS), which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. - Cybersecurity and Infrastructure Security Agency (CISA)
Traditionally, digital security and physical security have been considered separate in an organization’s overall business strategy. Digital and physical security teams may be siloed in their approach and communications, and protocols can get fuzzy when digital and physical risks are interconnected. Threat intelligence tooling, while valuable for cyber defense, can be inaccessible for less technical users investigating cyber-enabled crimes or physical security compromises.
A more integrated threat landscape means that physical and information security risks must be understood and treated as inter-related business risks. For example, digital and physical security breaches can have cascading impacts to interconnected infrastructure, resulting in damage to customer and stakeholder trust, affecting revenue and business relationships in the long term.
However, despite the risks, only about one-fifth of organizations in the United States, Europe, and India say that they have fully converged physical security, cybersecurity, and business continuity, even though organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate, and respond to threats.
So what are the benefits of security convergence to an organization? And if your organization has converged cyber and physical systems, how can you start down a path toward cohesively managing your physical and cybersecurity risks?
In many organizations, there are separate, often siloed, groups who handle Physical and Cybersecurity.
Physical security and Protection Systems (PPS) includes CCTV, electronic access controls, physical barriers and locks, human patrols and surveillance used to protect the organisation’s physical facilities.
Cybersecurity covers the network or IT security systems comprising ID and authentication systems, firewalls and processes used to protect the IT network and assets.
Open source intelligence tools (OSINT) bridge the gap between physical and digital security intelligence. Organizations can help optimize physical security by providing proactive identification and discovery of threats via OSINT.
Security convergence closes the gaps and vulnerabilities that exist in the space between those functions. Fully converged functions are generally unified and interconnected, reporting to one security leader. They often have shared practices and processes, as well as shared responsibility for security strategy. Converged functions work together to provide an integrated enterprise defense.
Intelligence-wise, Cyber, cyber-enabled, and physical threat intelligence provide valuable context to each other as the threat landscape becomes more complex. For example, when threat intelligence strategies focus only on cyber, and see digital risk solely as a technical issue, organizations jeopardize themselves by underinvesting in digital risk protection, creating organizational silos, and becoming more vulnerable to attack and resulting business loss. Digital risks are no longer just cyber attacks; social chatter and other online content can be monitored for physical threats targeting an enterprise, as well as assessing global environments where business may be expanding.
If an organization wants to effectively protect both physical and digital/cyber assets, as well as its human capital, it needs an integrated framework that closes any gaps in its enterprise risk management processes between those realms. That’s where security convergence comes into play.
An ASIS Study launched in 2019 found that:
Despite years of predictions about the inevitability of security convergence, just 24 percent of respondents have converged their physical and cybersecurity functions. When business continuity is included, a total of 52 percent have converged two or all of the three functions. Of the 48 percent who have not converged at all, 70 percent have no current plans to converge.
Non-converged firms in the study stated reasons such as personnel issues and the perceived unique nature of cybersecurity. These challenges include different cultures and skills among converged units (41 percent); turf and silo operating traditions (41 percent); and the notion that separate security operations are needed (26 percent).
While CEOs today overwhelmingly prioritize cyber over physical security according to a May 2019 study, “Cyber and Physical Security: Perspectives from the C-Suite” by the Center for Cyber and Homeland Security in partnership with the International Security Management Association,the survey also indicated that CEOs and BODs reported an integrated approach to their security plan, where there should be “coordination and information sharing between Chief Security Officers (physical) and Chief information Security Officers (cyber) offices to ensure their respective agendas complement rather than hinder one another’s operations.”
As previously mentioned, Enterprise leadership often views digital risk as a technical, IT problem. But risk awareness is becoming relevant to multiple enterprise teams, helping drive revenue and protect against business risk on multiple levels. And as Scott Borg, Director of the U.S. Cyber Consequences Unit, says, “As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one.”
The State of Security Convergence in the US, Europe and India
Cybersecurity to Passport Fraud: How OSINT Supports Airport Security
Corporate Security: 10 Things Echosec Systems Can Do For Your Business
Even though online risks involve both digital and physical concerns, security strategies often fail to integrate the two.
For example, in June 2017 a state-sponsored cyberattack halted operations across hospitals, power companies, airports, banks, and government agencies and crippled the global shipping industry for more than a week. And in March 2019, one of the first attacks on the U.S. power system occurred when hackers exploited a firmware vulnerability and caused a grid operator’s firewalls to continuously reboot, leading to a brief communications outage.
A robust threat intelligence program will help organizations mitigate or avoid damages related to both cyber compromise and real-world threats, especially when they overlap.
An integrated threat management strategy can have benefits like:
Integrating physical and digital threats can have a number of positive outcomes for your security posture. Your security teams and software will likely deliver more timely and contextual threat intelligence for cyber, cyber-enabled, and physical scenarios when they inevitably overlap. This added context can inform faster, more informed response strategies and help organizations allocate security resources more effectively. This puts you in a better position to avoid—or at the very least, minimize—harm to your data, infrastructure, and stakeholders.
An effective security convergence strategy can also result in:
First and foremost, convergence strengthens your overall security posture. This is reported by 72% of organizations engaged in security convergence. When security departments are siloed, it creates information gaps that adversaries can easily exploit. When physical and cybersecurity departments integrate, organizations improve visibility into these risks, particularly when they overlap (as they inevitably will). They are better positioned to predict threats and address them before they escalate.
For example, imagine your physical and digital security teams are converged with your BCM team. A threat actor just posted an information leak targeting your CEO on a deep web forum, including their personally identifiable information, logins, addresses, and family member data.
In a coordinated effort, your security function can simultaneously secure any systems where this information was obtained and warn staff about potential BEC scams. It can also ensure their family and home are physically secured, and address any interruptions to the CEO’s business meetings and travel. This is the kind of comprehensive security accountability that a segregated approach misses.
After the COVID-19 outbreak, organizations were suddenly faced with risks from all directions. Cyber adversaries leveraged social panic and remote workforces. Facilities were more vulnerable as staff got sent home. Supply chain security became an increased concern. And overwhelmed healthcare systems relied on security teams to help sustain life.
Whether it’s a pandemic, natural disaster, data breach, or targeted attack—crisis management is now an org-wide responsibility. Security convergence allows organizations to manage crisis impacts more holistically and avoid risk oversight when crises intersect physical and digital spaces.
Traditionally, cybersecurity and physical security are considered separate from the overall business strategy. But a more integrated threat landscape means that physical and information security risks must also be understood and treated as business risks. For example, digital and physical security breaches can damage customer and stakeholder trust, affecting revenue and business relationships in the long term.
In fact, organizations that actively invest in security convergence tend to prioritize business continuity management. BCM is converged by almost twice as many organizations as those that focus only on digital and physical security convergence.
Companies are often entrenched in seeing digital risk as an IT problem—or access control as a physical security concern. Bridging these strategies with business management ensures that security teams work cohesively to mitigate risk and drive revenue.
Improved communication is a widely reported benefit of security convergence. For one, a more integrated strategy aligning with business goals encourages more cultural cohesion among staff that were previously divided by turf allegiance.
In converged organizations, the security function tends to have more clout with the C-suite, resulting in better security budgeting and prioritization. CSOs also become a source of truth for all things security, addressing communication breakdowns and point-of-contact confusion. Another benefit is knowledge transfer: convergence enables personnel to have more well-rounded security and business continuity skills. For Bill Wipprecht, Wells Fargo’s CSO, this cross-training has “made his agents more aware of areas that weren't previously part of their job descriptions,” establishing a more cohesive and effective security function.
When more security personnel have the skills to intersect physical and digital security, efficiency naturally follows. Organizations save time and resources spent coordinating siloed teams and addressing communication gaps. Deduplicating security roles means that organizations can minimize staffing costs. Integrating physical and digital security teams can also result in technology convergence, cutting maintenance and replacement costs for outdated tools like video surveillance systems.
When strategies and tooling do not address the integrated nature of cyber and physical security, threats can be missed and intelligence may lack the context necessary for timely and informed response. This could mean not only facing millions in damages, system downtime, and compliance fines but also compromising the safety of your most valuable assets—people.
So where do you start?
The CSO might start with revisiting, at a high-level, how security teams organize and communicate within their organization—and if a divided approach creates functional gaps in their strategy. Improving communication between technical and non-technical teams - in other words, using plain language to translate digital risk into business risk- can help position security as a wider business strategy. (Check out this RSA session by Avertro’s Ian Yip for some guidance on cybersecurity-executive communication.)
If one hasn’t been completed already, organizations may want to perform a security assessment, or seek out a third-party to do it for them. This can help identify security vulnerabilities, which may assist the organization in figuring out the path toward security convergence.
There also doesn’t have to be a One Size Fits all approach to Security Convergence. Organizations of all sizes can begin the process of convergence by developing an approach that works with the organization’s structure, priorities, and capability level.
Digital Risk Management: Why Integrating Corporate Teams Is Crucial
Why Digital Risk Protection Isn’t Just an IT Issue Anymore
Security Technology: Improving Risk Assessments for Service Providers
Connecting the Dots | What Public Sector Analysts Need from OSINT Software
To echo industry experts: the future of security is converged. Physical and digital attack surfaces are becoming more overlapped every day. Reflect this in your risk management strategy, and your people, data, assets, and business strategy will benefit.
A comprehensive security solution, whether it’s in the public or private sector, requires access to both physical and digital threat intelligence. Integrating the teams, data sources, and tooling required for these overlapping use cases will help organizations respond more effectively to a diversifying threat landscape. It will also help them minimize costs and reputation damage associated with these threats—and most importantly, protect the people and assets most vulnerable.
Simplicity should be prioritized in security tools and software. Organizations need to equip their teams with solutions intuitive enough for non-technical users who require digital risk intelligence but maintain the depth of data and functionality required for technical users. Some emerging security and intelligence solutions also offer usage permission options to support collaboration within and across departments, helping avoid organizational silos.
Security solutions like the Echosec Systems Platform give security teams access to a variety of online data relevant for both digital and physical use cases. The Platform’s focus on ease-of-use and team collaboration are also ideal for converged security functions—especially where some personnel lack the technical background to operate complex security software.
Do your digital and physical security strategies often overlap?
Consult with us to ensure all your bases are covered.