March 01, 2010, 8:52 PM — George Campbell has so much to contribute to our industry that I hate to see him fall into such a common trap as he did in The Myth of Convergence.
The trap was set by the Networkworld article he was commenting on: Debate rages over converging physical and IT security. That article, while an interesting survey of a wide range of thinking about the role of technology in physical security, made a simple but unfortunate mistake. Mr. Campbell made the same one.
Convergence, as it has been used in the physical security industry for the last decade, indeed how I used it when I introduced it in my keynote address at the 2000 ASIS Emerging Trends conference, is an expression that has three distinct meanings based on its context.
Also see To Security Convergence (And Back)
There are three types of convergence relevant to physical security. The first and highest level is the convergence of physical security with IT--with the computers, software and networks of IT. This is what many of those interviewed in the NetworkWorld article were talking about. Physical security vendors and end users are more and more interested in using systems built on the technologies and best practices of IT. For example, recording video as meta-tagged, searchable data, rather than on analog video tapes.
The next level of convergence brings together physical security with IT security. The NetworkWorld article mixed that in as well. Here we are talking about how the "stuff" of security--IT and physical event logs, video, alarms, output from environmental sensors, etc - is actually data that can be correlated and analyzed and turned into information useful for risk management. A popular new niche of this type in physical security today is PSIM, physical security information management. Of course, IT security has already been doing this sort of thing for at least a decade.
The third level of convergence is the convergence of physical security people and processes with IT security people and processes. Here is where tempers flare. There are of course countless personal and political challenges facing any organization attempting to bring the two security teams together under single management. I should have called it security collaboration back then. Maybe that would have avoided the train wrecks so many of us have witnessed when companies try to merge the two groups.
(Editor's note: We've been dissecting this issue for many years; see Campbell's discussion with Bill Spernow of the cultural challenges in 2003's Cyber Security Versus Physical Security: Smackdown!, which remains entirely relevant today.)
Plenty of people pass over these distinctions and focus on the third and most controversial of the "convergences." That's unfortunate, since convergence has brought great innovation to security technology and has built many bridges of collaboration between physical security teams and their colleagues in IT.
The last thirty years of IT have seen it absorb much of the day-to-day tasks of every business unit in any organization. IT manages the infrastructure (computers, software and networking) of accounting, sales, business planning, manufacturing, and nearly every other business area within a company. Why shouldn't it manage the computers, software and networking of physical security?
Mr. Campbell makes a good point when he asks when challenging the convergence concept, "What are we to do with the investigative functions: background vetting, due diligence, incident investigation and fraud risk management? What about safety, compliance and crisis planning and management?" My answer is that these are the tasks that rightly remain the domain of corporate security. The collaboration, then, is simple. Let the physical security folks do what they do best, and let the IT folks do what they do best.
The integrated security Mr. Campbell remembers from his tenure in security management was different. Computers, software and networking were used rarely and downright primitively in physical security until very recently. "Integrated security" didn't need sophisticated involvement from IT until just in the last few years.
In the end, I very much agree with the underlying message Mr. Campbell seems to want to deliver, that security is not the point. Measuring value and achieving risk management goals is the point. Or, as I always say. It's not our job to secure the building. It's not our job to secure the network. It's our job to security the business.
