This board level issue will run and run, we believe because there are still practitioners from all disciplines within Corporate Security (physical and cyber) who fundamentally believe in convergence and those who fundamentally do not - and they might both be correct...
It's our considered professional opinion that security convergence for the sake of merging is folly, there are companies where it unquestionably makes sense and those where it may not (either at all or at present).
Any genuinely holistic security strategy has to take into account the business's overarching strategic objectives, risk appetite, economic outlook and the value chain of the company in question; and all too often those aspects just aren't adequately considered, leaving the tactical or operational security pressures to take precedence. That results in the marginalising of security as a cost centre there to handle operational tasks and not as a strategic partner that adds value. That is why many security departments then find it challenging to argue for a new budget or to retain existing funding levels.
The security profession collectively needs to understand business better and be business people with a focus on security and not security people with a focus on business. Only then should a security strategy be thought of down to the tactical and operational level of identifying the assets, identifying the risks, threats and prioritising the treatment of those.
There is also a real requirement in that strategic process to objectively understand the maturity level of the programme/s (physical or cyber), the desired maturity level and crucially the board's appetite for any change AND the costs associated. Too often there are significant initiatives (that are needed) yet there just is not the board level appetite or not a senior exec with enough political capital to make it happen.
That strategic planning may then include working toward a target operating model that leads to convergence. However, it may only advocate closer working relationships - ultimately it's about doing what is required on that businesses strategic timeline to enable and facilitate that business - and every business is different for a multitude of reasons.
We've seen organisations over recent years almost wholly outsource their global security function (and that was a significant global enterprise) that couldn't be further from convergence, and we have also seen companies converge physical and cyber security completely under one executive.
One size does not fit...
What's right for one organisation may not be right for another, however, what remains critical to protecting each enterprise is a complete and in-depth understanding both of leading-edge security practices and the strategic realities of the organisation. Also significant is the ability to speak the language of business, while being able to articulate the value a comprehensive security strategy could bring in achieving the broader businesses objectives.
Only once that is achieved will security as a profession be able to steer their respective business on the correct course... whether that be to converge or not converge.
Enterprise Security Risk has physical and cyber security consultants experienced in supporting and guiding businesses on precisely these topics - from all disciplines of Corporate Security. Whether you are a Board Member or Senior Executive, asking the question how to converge cyber and physical security, looking for in-depth analysis and assurance that your current security strategy meets industry best practice, cost-effectively protects the enterprise or if you're a Security Executive challenged with creating a new strategic direction and need to quickly understand the security maturity level of your organisation contact us today for a confidential discussion.