Security Convergence: A System of Systems approach

New Zealand Security Magazine Update - 25 November 2020

Converged security
Converging security functions requires some SoS thinking.

Jason Cherrington, CEO of Optic Security Group, writes that converging the digital and physical security functions within traditionally siloed organisations requires a bit of ‘systems thinking’.

I’ve been championing what I call the ‘converged security thesis’ for some time – the idea that contemporary security threats show a convergence of physical and digital vectors, and that protection against these hybridised threats requires a hybridised approach.

An attacker infiltrating an organisation’s network, for example, may well be a guy in a hi-vis vest tailgating his way into a workplace and plugging into a spare port, rather than the archetypal guy in a hoodie hunched over a keyboard somewhere in remote cyberspace. Good firewalls help, but so do good physical access control and security awareness.

It’s a simple logic: it doesn’t matter how great your digital security controls are if you have gaps in your physical security, and conversely, great physical security measures alone provide no defence against a cyberattack. But if it is this simple, why aren’t organisations doing it better?

The trouble with convergence

A 2019 ASIS Foundation study, The State of Security Convergence in the United States, Europe and India, investigated the extent to which organisations in those three regions have converged their physical security and cybersecurity functions.

The study’s survey of more than 1,000 senior physical security, cybersecurity and disaster management professionals found that just 24% of respondents had converged their physical and cybersecurity functions despite “years of predictions about the inevitability of security convergence.”

It found that the biggest reported barrier to convergence (36 percent) was differences in culture and skillset between physical and cybersecurity. Next came “turf and silo operating tradition” (24 percent) and the “belief that cyber security requires its own operation” (21 percent).

Forescout has made similar observations, based on a number of studies: while the IT, OT and physical security worlds have been colliding for some time, the industry is well behind in cross-skilling its people.

A System of Systems (SoS) approach

It’s clear that the theoretical logic of converged security starts to fall apart when overlaid on real-world organisations and the complex challenges they face around organisational hierarchies, system silos, skills gaps, and cultural disparities.

It’s understandable, but it leaves organisations exposed, and it poses the question of how one might go about sorting it out.

The late Jay Wright Forrester, the pioneering American computer engineer and systems scientist – and one of the inventors of magnetic core memory – identified many decades ago the problem that systems (or organisations) are made up of any number of smaller systems (or sub-groups), and that these can often operate at odds with one another.

As a result, the celebrated MIT professor founded the discipline of system dynamics, from which the broader idea of ‘systems thinking’ grew – an approach that focuses on how systems interrelate and behave over time within the context of larger systems. It contrasted with the traditional approach of studying systems by breaking them down into their separate elements.

Applying systems thinking to how security is managed within most organisations will reveal that their security ‘sub-systems’ tend not to interrelate well. This isn’t surprising given that cyber defences tend to be managed under IT, physical security sits in the Facilities Manager’s domain, and personnel security (management of the insider threat) is an HR responsibility. Each reports up a different line, owns a different budget, and logs its events in a different system.

That most organisations are ill-positioned to apply a converged approach to security reflects an inability to effectively coordinate these security silos.

What we need – to steal another phrase from the systems engineering world – is to take a System of Systems (SoS) approach to security.

Used heavily in critical environments, such as the design of systems for aviation and defence, an SoS approach treats a large system (such as an aeroplane) as a collection of independently operating systems (avionics, navigation, fuel, and so on) that must all work in a coordinated way to prevent the overall system from failing. The defining feature of an SoS in the engineering literature is that its constituent systems are operationally and managerially independent – each is built, run and funded on its own – which is precisely the situation of IT, Facilities and HR in most organisations.

Prevention of failure in the case of aeroplanes is of obvious importance. Why not then security?

In an ideal SoS world, organisations would see their security as a collection of task-oriented or dedicated systems that pool their resources and capabilities as part of an overall system offering more functionality and performance than the sum of its parts. Importantly, oversight of the overall system would ensure that the gaps between its component systems – the tailgater who is never matched against the network logon, the departing employee whose badge outlives their account – are identified and failures avoided.

Most organisations are a long way from this. They’re aeroplanes flying at 30,000 feet on a wing and a prayer.

‘Converged security’ isn’t about implementing costly new security systems. It’s about implementing new thinking on how your organisation manages its physical and digital security – and the gaps between them. It’s about applying ‘systems thinking’ and taking an SoS approach in order to minimise your enterprise security risk.