The term convergence is not a new one and the definition is still basically the same regardless of the application. It simply means coming together. Back when I was repairing TVs, before I got into the security industry, we had to correct the “convergence” on color TVs from time to time. This was especially true for the projection TVs. We would adjust the settings for the Red, Green, and Blue color beams in the CRT so that they aligned to create a crisp, color-correct image on the TV screen. Basically, we were getting the color beams to “come together” effectively for the best performance. Sure, you could still watch TV if that was not set correctly, but it was not nearly as enjoyable. In the security application, the idea is the same with physical and IT security operations. Where there are two different departments responsible for the Physical and IT activities in an organization, there is frequently friction between the two groups, which is not productive for the organization. The term is commonly used to describe the interoperability in technologies between security systems and IT systems, but there also needs to be convergence as it relates to the operational integrity between the Security and IT departments.
If your organization is still struggling with operational convergence, you are already behind in the game. I am still seeing a lot of conversation and posts regarding organizational convergence, which is a concern to me. There are very few situations where this can exist without consequences to the organization. I know. I’ve lived it. Failure to have a solid enterprise security engagement impacts not only the security of your organization, but others as well. Organizations that are not already operating in this mindset are adding overhead to their security operations on both sides of the switch, which creates additional risk, complicates security operations and frustrates those who depend on these services. The result is a “vs” mentality and nobody wins.
This may come across as very harsh, but that is how critical this situation has become. I base my position on three primary observations, though there are others.
- All modern security platforms are converged, which creates dependencies. If the Security and IT relationship is not also converged, it is likely a “vs” struggle.
- Physical vs IT power struggles diminish the effectiveness of both. Without a converged approach, managers spend more time protecting their turf than protecting the organization.
- Physical vs IT management leaves gaps that can be exploited or cause friction. Either proper system management practices are not developed, creating risk, or they are overdeveloped, reducing system effectiveness. Either way, enterprise security is diminished.
If you find yourself in this position, there is hope, but you can’t waste any more time. The longer you wait, the riskier your position becomes. Even though there might be inherent technology convergence in your systems, that can’t be fully realized until the two departments also achieve convergence. The hardest part is developing a trust relationship that understands the mutual dependence and the common goals between Security and IT to support the organization. From there, develop a Memorandum of Understanding (MOA), or Mutual Service Level Agreement (MSLA) between the Security and IT departments. The purpose of this document is to establish the agreed-upon Division of Powers, Responsibilities, Service Level Expectations, Systems Ownership and Organizational Accountabilities. Establishing a Governance Team with representatives from corporate leadership, Security, IT and stakeholders will help ensure continued stability and cooperation moving forward. This effort requires time and hard work, but the end result will benefit the organization immensely from that point forward and create a state of security that can’t be realized any other way. Push for organizational convergence, and keep the “vs” on the sports fields.