
Combining Strengths: Cyber and Physical Security Convergence

Abstract

The increasing threat of an attack that compromises an organization’s physical operations in tandem with its computer network is an emerging issue. Converging physical and cyber security areas within the organization can better position companies to address the evolving threat landscape. Companies must aim to eliminate ineffective and disjointed teams, close the security gap to better protect assets, and design an organizational structure that aligns with company culture. However, questions remain about how to structure teams, close the gaps with existing processes, and share information seamlessly. Before making these decisions, companies must understand the concept of convergence, the potential reasons for converging security departments, and the issues that may arise from convergence.
BRIEFING FEBRUARY 2018
Combining Strengths.
The Convergence of Cyber and Physical Security
At a Glance
Both the physical security and cyber security teams within organizations share an
objective—to secure critical assets. Although the two teams approach this goal from
different perspectives, organizations can achieve the maximum level of protection by
converging the teams.
The goal of convergence is not exclusively to combine two security departments into
one—it is to create a security policy that combines the efforts of both departments to
ensure they are prepared to work in a unified way to prevent and/or manage threats
and provide the organization with a consistently comprehensive view of its physical
and cyber security.
An organization considering convergence must first design a security policy with
convergence in mind; involve senior management and all key members of the
organization’s security departments in the discussion; and choose a method of
convergence that suits the organization’s unique culture.
Find Conference Board research at www.e-library.ca.
Executive Summary
The increasing threat of an attack that
compromises an organization’s physical
operations in tandem with its computer network
is an emerging issue that organizations need
to address. Converging physical and cyber
security areas can better position organizations
to address the evolving threat landscape.
Organizations must aim to eliminate ineffective
and disjointed teams, close the security gap to
better protect assets, and design a structure
that aligns with organizational culture to achieve
true convergence.
Both the physical security and cyber security teams within organizations
share an objective—to secure critical assets. Although the two teams
approach this goal from different perspectives, organizations can achieve
the maximum amount of protection by converging these security teams.
Traditional physical security operations are being significantly affected by
new technologies, which can be leveraged to improve the performance
of the security function but also have the potential to enable physical
and cyber security breaches. Traditionally, an organization's physical and
logical security teams have operated separately and often collaborate
only in response to an incident or an active investigation. This creates
duplication of effort between teams and a lack of information-sharing.
Communication gaps between teams can leave the entire organization
vulnerable, since siloed teams equal time delays and reduced situational
awareness, which creates opportunities for attackers. Merging the
infrastructure and processes utilized by all security teams leads to
consistent collaboration, which can in turn prevent security incidents
andpositively impact the safety and security of the organization.
The goal of convergence is not exclusively to combine two security
departments into one. The goal is to create security policies,
accountability, and governance that combine the efforts of both
departments to ensure they are prepared to work in a unified way to
prevent and/or manage threats and provide the organization with a
consistently comprehensive view of its physical and cyber security.
For the exclusive use of Melissa Lalonde, lalonde@conferenceboard.ca, The Conference Board of Canada.
The Conference Board of Canada
Although most experts agree that convergence is the best way to
eliminate silos and strengthen security, it is essential that an organization
first design security policies with convergence in mind; involve members
of the C-suite as well as all key members of the security departments in
the convergence discussion; and choose a method of convergence that
suits the organization's unique culture.
Our research findings indicate that the argument is no longer whether to
converge physical and cyber security, but how to achieve convergence
effectively. We can make nine overall recommendations for the effective
convergence of physical and cyber security.
Build Convergence Through Policy and Skills
1. Create holistic security policies that aim to combine the efforts
of physical and cyber security departments, either by placing
both departments under one manager or by completely merging
the departments.
2. Analyze the skill sets of current physical and cyber security employees
and identify potential overlapping activities between departments,
skill gaps, and methods for upskilling staff to work within a unified
security team.
3. Assess the organization's holistic security policies to ensure that all
security goals are being met, and adjust as necessary, to create a
consistent future strategy and direction for security processes as
technology evolves.
Merge Security Systems and Technology
4. If possible, merge security monitoring systems and ensure that the
organization operates using a single access security system for both
cyber and physical security to reduce duplication of effort and increase
the flow of information.
5. Train staff with physical and cyber security backgrounds to monitor the
integrated security system, merging building access and network security
to monitor and prevent breaches.
6. If desired, isolate the entire security system on the network to ensure it
operates separately from general-use networks. This can remedy speed
issues and provide another layer of security in case there is a breach of
the general-use networks.
© The Conference Board of Canada. All rights reserved. Please contact cboc.ca/ip with questions or concerns about the use of this material.
Assess Organizational Culture
7. Before rolling out a convergence strategy, assess the culture of the
organization and both security departments to determine the best
method for convergence.
8. Determine if the organization would benefit most from creating a single
point of governance, in the form of an individual at management level or
above to oversee both departments, or from a merger of both security
departments into a single entity.
9. Provide training for employees to explain the roles and responsibilities of
each security department and the benefits of convergence. Employees
may also benefit from hands-on training in their counterpart’s security
discipline, to make them more aware of security risks that exist outside
of their roles.
Context
Organizations need to take a multi-stakeholder approach when
determining whether or not to converge cyber and physical security. The
concept of convergence has been a point of discussion that cuts across
industry and sector boundaries. This discussion arose out of the concern
that the standard approach of operating cyber security and physical
security as separate entities was creating significant vulnerabilities in the
gaps between these twoareas. The case for convergence has largely
been made and is widely accepted as the way of the future. However,
questions remain about how to structure teams, close the gaps with
existing processes, and share information seamlessly. Prior to
making these decisions, organizations must understand the concept of
convergence, the potential reasons for converging security departments,
and the issues that may arise from convergence.
This briefing addresses the challenge of merging physical and cyber
security departments within an organization, discusses the insights from
a literature review, and provides some recommendations on the issue.
Technological Advancement Contributes to Security Threats
The increased presence of technology in the workplace has led to
an increase in security compromises and the overall vulnerability of
organizations. This susceptibility to threat has been multiplied by the
mobility of technology—including laptops, smartphones, and portable
data storage devices—that can easily be stolen or lost.1 Before the rapid
advancement of information technology (IT), it was usually enough for
organizations to rely on their physical security department to prevent
intruders from entering the office, since that was the only way to access
an organization’s data. This is no longer the case.2 Attackers can now
access data from remote locations, often undetected.
According to the SANS 2016 State of ICS Security Survey, there has
been a 4 per cent increase in the number of companies that have
security strategies to address the convergence of enterprise IT and
operations. Although convergence has inherent risks, many factors
lead companies to move to “software-driven, highly networked digital
systems.”3 SANS surveyed 234 participants from American and
international companies that work across a multitude of industries.
Of the respondents, 29.6 per cent were working to develop a security
convergence strategy, 36.5 per cent had a strategy that they were
implementing, and 14.3 per cent had a strategy in place. Only 19.6 per
cent of respondents had no plan to develop a convergence strategy.
1 Hutter, Physical Security and Why It Is Important, 2.
2 LaRoche, “Information and Physical Security.”
3 Harp and Gregory-Brown, SANS 2016 State of ICS Security Survey, 29.
Security Silos
Traditional physical security operations are being significantly
impacted by new technologies, which can be leveraged to improve the
performance of the security function but also have the potential to enable
physical and cyber security breaches. Traditionally, an organization's
physical and logical security networks have operated separately. Those
who work in physical security are responsible for physical access control
and are tasked with protecting physical assets, including personnel,
property, and equipment. In some cases, operations technology is used
to monitor physical devices and processes within an organization to
detect any changes.4 Physical security systems are typically managed by
an organization's security department and, in some cases, are created
and overseen by the owner of the building in which the organization is
situated.5 Physical security teams are often staffed by people with a
background in law enforcement, who are not often tasked with protecting
an organization's information. Instead, many organizations have a
separate logical security system6 (cyber, network, and data security) that
is operated by the information technology department. Those who work
in cyber security focus on preventing unauthorized access to information,
including networks, computers, and data.
Physical security and cyber security professionals typically work
separately and in different departments, and often do not work in an
integrated and effective manner. However, due to the emergence of new
technology, such as Internet Protocol (IP) networks that can include
building systems, security applications, and video surveillance, new
security risks have emerged and security boundaries have changed. For
this reason, many organizations are experiencing challenges with how
to manage these internal business functions. Converging physical and
cyber security professions within the organization is one potential solution.
Convergence is the evolutionary development of an organization’s
security posture by consolidating security policies, procedures,
technology, and resources under a single governance structure.7 Cyber
and physical security convergence requires the seamless integration
of three elements: technology, processes, and people. It is important
to note that convergence does not necessarily require merging an
organization's existing cyber and physical security departments. There is
a difference between convergence and merging: convergence refers to
philosophically bringing together two groups, and can be enacted broadly
(for example, sharing the same security network, but operating separately).
Merging security teams is one method of convergence; however,
convergence can take various forms.
4 Gartner, “Operational Technology (OT).”
5 LaRoche, “Information and Physical Security.”
6 Kang and Kim, “A Case Study on Converged Security,” 79.
7 Contos and others, “Security Convergence,” 72.
Merging Security Teams to Achieve Common Goals
Cyber and physical security convergence comes with some risk. Due
to the ever-evolving nature of technology, organizations have begun
to rely more on IT, which can generate additional risks, as these
systems can be compromised. Dealing with these risks requires strong
defence systems that work to prevent and detect dangers across the
organization. In some cases, these defence systems are located on
high-security computers that must be secured in an isolated location
with physical access controls such as video surveillance or access card-
operated doors. Such physical security controls help prevent security
breaches, since they assist in keeping highly sensitive information in
secured locations.8 These systems require both cyber and physical
security teams to adequately prevent a breach. However, in many cases,
these teams operate in isolation, despite the overlap in their functions.
In some cases, organizations use cloud-based security systems, which
can enable them to pass on the bulk of their cyber security requirements
to a cloud service provider with dedicated data security teams. However,
security concerns still exist, especially from a physical and human
perspective. Physical access to an organization’s assets or premises
may offer an easy pathway for attackers to get to the organization’s
data in the cloud. Thus, it is still necessary for internal physical security
processes to remain strong and work closely with the cloud provider’s
cyber security provision.
8 Kang and Kim, “A Case Study on Converged Security,” 78.
The need for cyber and physical convergence is increasingly being
recognized as organizations realize that keeping the two separate
can have consequences—“what happens is that you have a partial
response and you may not see the entire picture either from a response
perspective or a mitigation perspective, or even a deterrence to be able
to prevent it from happening in the first place.”9 With security threats
looming, organizations must “be aware of the two departments, and
the departments need to be aligned or combined so they can work
together. They need to have a common strategy. Policies need to be
harmonized and effectively cross referenced to cover standardization of
both physical and logical security.”10 By combining efforts, information will
be more easily exchanged between teams, making the organization more
responsive to internal or external threats.11 Organizations are beginning
to take a holistic view of their security operations as they recognize the
potential to strengthen their security by combining their cyber and physical
securityteams.12
Stronger Together
There have already been examples that demonstrate that physical
infrastructure can be hacked and controlled by malicious actors.
According to the United States Department of Justice, “seven Iranians
hacked the control systems of a small dam in New York state in 2013.
The dam was offline for repair, preventing the hackers from controlling
the flow of water.”13 Cisco’s Senior Technical Manager, John Carney,
states that “[a] solid security policy starts at the top. Having a single,
high-level individual or department responsible for a comprehensive
security policy, whether actual or virtual, that covers both physical and
logical security is paramount.”14 Due to increased security threats as a
result of technological innovation, organizations can no longer take an
isolated view of cyber and physical security.
9 Chabrow, “Formalizing Cyber-Physical Security.”
10 Bryant, The Convergence of Physical Security and Cybersecurity in Business, 3.
11 CGI, Convergence Brings Opportunity and Risk, 6.
12 LaRoche, “Information and Physical Security.”
13 Div, “The Future of Security.”
The shared mission of both physical and cyber security teams within
organizations is the same—to secure critical assets. Although the two
teams approach this goal from different perspectives, organizations can
achieve the maximum amount of protection through convergence. The
integration of physical and cyber security systems is beneficial not only
for the organization but also for each security team, as each requires
the other’s protection and skills. For example, cyber security teams
require the expertise and protection of the physical security department
to ensure that attackers are unable to access the physical building, since
once they are inside they can potentially access computing and network
resources, perhaps undetected.15
The issue of convergence was a major topic of discussion at the April
2017 International Security Conference & Exposition. Security company
Vidsys informed audiences that “[t]he convergence of IP-enabled devices
that perform functions such as controlling access to buildings, light and
HVAC systems, and other connected systems that are all controlled
through a business IT network has created a new security threat that
private and public organizations alike are struggling to address. The
ripple effect of such an attack on a business network can disrupt not just
its IT systems but also its physical operations.”16 This presents an issue
for organizations and an opportunity for attackers: security teams may
not be positioned to act as a unified front against threats, as they do
not often communicate and do not have the same processes.17 Vidsys
suggests that the answer to this problem is convergence—essentially
creating a single platform that all security teams work from.
14 Carney, Why Integrate Physical and Logical Security?, 2.
15 Hurtt and Fehl, When Worlds Collide, 3.
16 Vidsys, Bridging the Gap Between Physical and Cyber Security.
17 Ibid.
Merged Processes and Infrastructure Simplifies Security
One potential benefit that comes with converging physical and cyber
security teams is that both teams can use the same infrastructure
systems. This allows organizations to “detect physical manifestations of
cyber events as well as physical events that may impact information and
communication technologies, systems, and networks.”18 By linking cyber
and physical security defenses, security departments can align data to
create a clearer picture of their organization’s facilities, networks, and
employee behaviours. In theory, if there was a breach in the system,
perhaps in a case where an employee tries to log into a computer but
has not swiped into the building, a linked system would flag this to the
security department.19 This is a situation where the physical security
system for access card entry would need to be linked with the cyber
security system to flag a breach—which could only be accomplished
through convergence.
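The badge-versus-login check described above can be sketched as follows; this is an added example, not part of the original briefing. The log line formats, user and host names, the `console`/`remote` logon labels, and the 16-hour staleness threshold are all assumptions made for illustration.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample data; both line formats are assumptions for this example.
# Badge reader log: timestamp user reader direction
BADGE_LOG = """\
2018-02-05T08:01:12 alice HQ-LOBBY IN
2018-02-05T08:15:40 bob HQ-LOBBY IN
2018-02-05T12:02:03 bob HQ-LOBBY OUT
2018-02-05T17:30:00 alice HQ-LOBBY OUT
"""
# Workstation authentication log: timestamp user host logon_type
LOGIN_LOG = """\
2018-02-05T08:05:30 alice WS-HQ-014 console
2018-02-05T09:10:00 carol WS-HQ-022 console
2018-02-05T12:30:45 bob WS-HQ-031 console
2018-02-05T13:00:00 dave VPN-GW remote
2018-02-05T18:05:00 alice WS-HQ-014 console
"""

# A badge-in older than this no longer counts as proof of presence (assumed value).
MAX_PRESENCE = timedelta(hours=16)


class Finding(NamedTuple):
    time: datetime
    user: str
    host: str
    reason: str


def parse_badges(text):
    """Return {user: [(time, direction), ...]} with each list sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _reader, direction = line.split()
        events[user].append((datetime.fromisoformat(ts), direction))
    return {user: sorted(ev) for user, ev in events.items()}


def find_unbadged_logins(badge_text, login_text, max_presence=MAX_PRESENCE):
    """Flag on-premises logins that the badge log cannot account for."""
    badges = parse_badges(badge_text)
    findings = []
    for line in login_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, logon_type = line.split()
        if logon_type != "console":
            continue  # remote sessions do not imply presence in the building
        when = datetime.fromisoformat(ts)
        history = badges.get(user, [])
        # Locate the most recent badge event at or before the login time.
        idx = bisect_right([t for t, _ in history], when)
        if idx == 0:
            reason = "no badge-in on record before login"
        else:
            last_time, last_dir = history[idx - 1]
            if last_dir == "OUT":
                reason = "login after badge-out"
            elif when - last_time > max_presence:
                reason = "last badge-in is stale"
            else:
                continue  # user badged in and has not left: expected
        findings.append(Finding(when, user, host, reason))
    return findings


if __name__ == "__main__":
    for f in find_unbadged_logins(BADGE_LOG, LOGIN_LOG):
        print(f"{f.time.isoformat()} {f.user} on {f.host}: {f.reason}")
```

A finding is a prompt for follow-up rather than proof of compromise: tailgating through a door or a missed reader event produces the same signal as a stolen credential.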
The aim of a converged security system is to allow the security team to
easily detect, respond to, recover from, and/or prevent security incidents.
Integrated physical and cyber security systems allow organizations to
“create operational efficiencies, reduce risks, improve risk management,
streamline incident management when breaches occur, maximize your
existing investment in security infrastructure, and reduce operational and
management costs.”20 Existing teams can be cross-trained so that they
can be more aware of security risks that exist outside of their roles. With
the cultural differences between physical security and cyber security
departments, it is important for employees to understand the benefits of
convergence, the parallels that exist within their current jobs, and how
collaboration can allow for smoother daily operation.
Arguments Against Convergence
A review of the literature on the topic of physical and cyber security
convergence clearly shows that the majority of experts support
convergence. However, it is necessary to discuss the arguments against
convergence, as they are helpful to understand before organizations
decide if and how to merge their security departments. The main issue
that is often discussed is culture conflict. Some argue that the cultures
of physical and cyber security departments are incompatible and for this
reason, it is better to have the two departments cooperate but remain
independent.21 Other human resources issues that are not unique to
security convergence—such as salaries, control, and budgets—also
arise when departmental mergers are considered.
18 Matthews, “Why DHS Is Merging Cyber and Physical Security.”
19 Ibid.
20 Carney, “Eye on Security.”
On the IT side, some experts are concerned that physical security
operations, including video surveillance streams, will slow the
organization's computer network if they are moved onto the same
system.22 Furthermore, since IT systems are prime targets for attack,
having physical security operations, such as building access controls,
on the same system can make this information vulnerable to attackers.23
However, this issue can be remedied by isolating physical security
systems on the network. High-level strategic planning and design of a
holistic security strategy and open collaboration with physical and cyber
security departments during the transition can often ensure that these
issues are resolved.
Designing a Converged Security Policy
The goal of convergence is not exclusively to combine two security
departments into one. The goal is to create highly effective security
policies, accountability, and governance that combine the efforts of
both departments to ensure they are prepared to work in a unified way
to prevent and/or manage threats and provide the organization with a
consistently comprehensive view of its physical and cyber security. If
an organization is interested in uniting its physical security and cyber
security teams, it is necessary to ensure that a single person or unit is
responsible for designing and administering the new converged security
policy. This policy must be flexible, and take into consideration the
organization's unique culture and needs. According to Cisco’s John
Carney, organizations looking to merge their security departments should
consider three questions:24
1. What are you trying to protect?
2. Where is it located?
3. How do you build security around it?
21 Radcliffe, “Physical and IT Security.”
22 Messmer, “Debate Rages Over Converging Physical and IT Security.”
23 Ibid.
By actively exploring these questions, organizations can create a
foundation for a holistic security policy that they can work to achieve
when they begin to consider how to combine or manage their existing
security departments. Ensuring both physical and IT assets are secure
is key to business success. Organizations looking to move their
security departments into the future in a unified way should keep these
questions in mind and aim to understand the larger challenges that
often arise when building effective convergence. Through convergence,
organizations must aim to eliminate ineffective and disjointed teams,
close the security gap to prevent breaches, and design an organizational
structure that aligns with internal culture.
Challenges for Building Effective Convergence
As mentioned above, the purpose of this briefing is to address the
challenge of converging physical and cyber security departments within
an organization, discuss the insights from a literature review, and provide
recommendations on the issue. Through our review of the literature, we
found that most experts agree that the convergence of security teams,
coupled with a holistic security policy, is the best way to ensure that
teams work together to achieve a common goal and share information
consistently. It is important to reiterate that convergence does not
necessarily mean combining cyber and physical security departments
into one, as there is no “one size fits all” structure to adopt. Convergence
seeks to streamline the two functions, encouraging information-sharing
and developing unified policies under a governance structure that can
span both areas. The overall aim of convergence is to provide the
security function within an organization the capacity needed to prevent
and/or manage evolving threats across the spectrum. Convergence
allows security teams to maintain a consistently comprehensive view of
the organization’s security.
24 Carney, Why Integrate Physical and Logical Security?, 8.
By analyzing the findings of our literature review, we can identify three
major challenges that organizations should take into consideration when
working to effectively converge physical and cyber security departments.
1. Duplicating Efforts: Eliminating Ineffective and Disjointed Teams
When kept separate, physical and cyber security departments are not
as effective at holistically addressing threats, due largely to lack of
information-sharing and duplication of efforts. Merging the infrastructure
and processes utilized by all security teams leads to consistent
collaboration, which can in turn prevent security incidents25 and positively
impact the organization's safety and security.26 According to Cisco,
combining physical and cyber security departments allows for easier
detection, as well as efficient response and recovery post security
incident. Cisco provides five tangible benefits for convergence, stating
that it “creates operational efficiencies; reduces risks and improves risk
management; provides better, more streamlined incident management
when breaches occur; maximizes existing investments; and reduces
operation and management costs.”27
Operational Efficiencies
The safety and security of organizations can be greatly affected when
security departments operate in silos. Technological advancements
have created a situation where physical security and cyber security
departments depend on each other’s unique experience and skill sets
to run efficiently, whether or not departments realize this.28 Simply put,
if an attacker is able to gain physical access to a computer within an
organization, they are often then able to penetrate the network. Thus, it is
essential to ensure that all network-connected devices and access points
are physically protected. Organizations that operate with disjointed security
teams often duplicate efforts. In fact, many organizations have physical
and cyber security departments that operate and track employees, visitors,
and users separately. By converging these departments, organizations
can ensure that information flows consistently from one team to the
next by fixing disjointed security teams and implementing “processes
that work to protect the company from all sides.”29 Merging security
systems and technologies, including wireless cameras and alarms, cloud-
based systems, and Wi-Fi-enabled mobile devices, has the potential to
streamline the management of an organization's security and makes it
easier to track workers and their devices.30
25 Ibid.
26 Carney, “Eye on Security.”
27 Carney, Why Integrate Physical and Logical Security?, 8.
28 Carney, “Eye on Security.”
Creating a holistic security policy that joins the efforts of both
security departments to prevent a physical attack that could lead to a
cyber attack or a cyber attack that could lead to a physical attack is
necessary. To do this, a single body must be responsible for creating
security policies and procedures and monitoring them to ensure they
are deployed successfully.31 When designing a convergence model,
consider questions such as “What does our organization need to do to
close security gaps and vulnerabilities?”, “What internal resources can
we leverage to get there?”, and “How can we engage all employees in
security?” Convergence models can be customized to meet the needs
of the organization, and thus can be adjusted over time. In the design
phase, it may be appropriate to include departments, such as Human
Resources, that traditionally do not factor into security considerations
to identify strategies on how best to implement change and ensure a
smooth transition should structural change be needed.
Overlapping Activities
Many of the day-to-day activities performed by physical and cyber
security departments overlap and require alignment in the form of
holistic security policies. For example, one area of overlap is access to
data centres and IT equipment rooms. While this is a physical security
issue, it is typically managed by the IT support team or cyber security
team. To create a consistent future strategy and direction for security
processes, organizations must first identify these overlaps between
physical and cyber security and determine how to align them holistically.
29 Bryant, The Convergence of Physical Security and Cybersecurity in Business, 3.
30 Ibid.
31 Ibid.
It is also often the case that organizations have overlapping identity
management systems or device management systems. One of the main
reasons experts argue for convergence is that “traditional electronic
physical security equipment is becoming digital and sitting on an IP
network. The common purpose that this equipment has in protecting
facilities, the increasing use that is made of IP networks for equipment
to communicate over, as well as the manipulation of data to extract
monitoring information on security trends, is seen as a motivating
factor.”32 Enabling the flow of information across both physical and cyber
security systems allows for more effective analytics and detection of
potential threats across the entire security footprint of the organization.
Skill Set Differences
Physical and cyber security departments are typically made up of
employees with differing skill sets and backgrounds. Physical security
personnel typically have a background in law enforcement, whereas
cyber security personnel are often trained in IT. For example, physical
security personnel are unlikely to know how to configure a firewall, and
cyber security personnel are unlikely to understand how to physically
guard a building against attack.33 The methods used by physical and
cyber security professionals to protect their assets are fundamentally
different. Furthermore, “[t]he threat actors might be the same but the
tactics used to overcome defensive measures are not. The physical
reconnaissance of a potential target is completely different from sniffing
out unprotected endpoints. Climbing over or cutting through a perimeter
fence is not the same as exploiting the weaknesses in a firewall and
being able to manipulate mechanical locks has no relation to exploiting
a USB port.”34 To remedy these differences, organizations must create a
centralized point for information to flow through so that it can be used to
benefit both teams.
32 RedLeaf Consultancy, The Case for Merging Physical and Cyber Security, 2.
33 Radcliff, “Physical and IT Security.”
34 RedLeaf Consultancy, The Case for Merging Physical and Cyber Security, 2.
The broad concepts of security across the physical and cyber
landscapes have their similarities. While these two areas are essentially
trying to achieve the same goal in terms of protecting the organization,
they do not always communicate enough and may not be familiar with
each other’s processes.35 Thus, they may not work as a unified front
against security threats that may, in some cases, attack the physical
infrastructure to gain virtual access and vice versa.
2. Closing the Gap
When physical and cyber security teams are disjointed, and
communication between departments is lacking, organizations are
left vulnerable to attack. Cisco’s John Carney says it best: “As long as
organizations treat their physical and cyber domains as separate, there is
little hope of securing either one. The convergence of cyber and physical
security has already occurred at the technical level. It is long overdue
at the organizational level.”36 Through the convergence of physical and
cyber security departments, organizations have the ability to close the
gap and greatly decrease the chance of an attack.37
Potentially Vulnerable Areas
Organizations face several challenges by having physical and cyber
security teams that work separately: “IT security personnel focus on
virus and malware attacks, hacker penetration of network perimeters
and employee access and authorization. Corporate security personnel
focus on physical access to buildings, zones and remote facilities and,
often, environmental systems.38Both security departments operate
monitoring systems, but these are not always connected and are often
unable to cope with a security event attacking the entire enterprise.
Communication gaps between teams leave the entire organization
vulnerable, since siloed teams mean time delays, which creates
opportunities for attackers.
35 Siegel, “Physical and Cybersecurity Are Converging.”
36 Carney, Why Integrate Physical and Logical Security?, 2.
37 Bryant, The Convergence of Physical Security and Cybersecurity in Business, 4.
38 Gill, IT-OT-Physical Security Convergence Is Key.
Organizations with security teams working in silos may also face the
challenge of identifying individuals, since they often do not have a single
integrated database as each security department tends to control their
own database. Furthermore, organizations often have a “lack of physical
monitoring of logical security devices that can detect tampering; that
is, unauthorized access to a logical security device console.”39 Such
segregated systems are not coordinated and, thus, are often unable to
detect or respond quickly to certain forms of attack.
Single Access Point Systems
There are numerous benefits to having integrated security systems that
operate using a single access point. For example, having a single point
of management for user identities means data can be automatically
synchronized between systems and departments, creating a streamlined
system to add, remove, or change user access in the case of role
changes, remote working arrangements, or termination.40
The goal for all converged security systems is to create a centralized
system that evaluates and “examines common threads, blended attacks
and provides a picture that realistically measures the threat as it presents
itself.”41 Physical and cyber security departments use different methods
to achieve the same outcome, and would greatly benefit from a “free
flow of information, across an organisation … [that] will allow risk reports,
prepared by those with the relevant competence, to be included within
other reports where the information would be of benefit.”42 Having
such an information exchange in real time is particularly important for
organizations that use access cards or tokens to enter buildings, portions
of buildings, and networks.
39 Carney, Why Integrate Physical and Logical Security?, 2.
40 Hurtt and Fehl, When Worlds Collide, 4.
41 RedLeaf Consultancy, The Case for Merging Physical and Cyber Security, 3.
42 Ibid.
If organizations use access cards or tokens for buildings, they can use
the existing infrastructure more successfully by having a single unified
security system: “The integration of building access with network security
lets the two types of security solutions compliment [sic] and reinforce
each other. The synchronization of these two systems leads to stronger,
more integrated security, as convergence allows organizations to manage
network security under a single umbrella.”43 Such a system would ease
the ability of physical security departments to track who is in the building
and to be alerted if an employee who is not supposed to be in the building
accesses a computer. Identity management is a key component for a
converged security policy, as it allows for greater access control that can
be directly linked to a user’s identity. Organizations looking to successfully
link their security teams should consider linking their physical and logical
security systems as a starting point.
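The alerting described above (an employee who is not in the building using a computer), combined with a single point of management for user identities, can be sketched as a correlation over badge and logon events. This is an added example, not part of the briefing; the event fields, user names, rule names and the VPN rule are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed identity store standing in for the single point of
# management for user identities (assumed structure).
IDENTITIES = {
    "asmith": {"active": True},
    "bjones": {"active": True},
    "cwu": {"active": False},  # terminated; access should be gone everywhere
}

# Constructed sample events from a door controller ("badge") and a
# directory or SIEM feed ("logon"). Field names are assumptions.
EVENTS = [
    {"ts": "2018-02-05T08:01:00", "source": "badge", "user": "asmith", "action": "in", "site": "HQ"},
    {"ts": "2018-02-05T08:10:00", "source": "logon", "user": "asmith", "action": "local", "site": "HQ"},
    {"ts": "2018-02-05T09:30:00", "source": "logon", "user": "bjones", "action": "local", "site": "HQ"},
    {"ts": "2018-02-05T10:00:00", "source": "badge", "user": "cwu", "action": "in", "site": "HQ"},
    {"ts": "2018-02-05T12:00:00", "source": "logon", "user": "asmith", "action": "vpn", "site": None},
    {"ts": "2018-02-05T17:00:00", "source": "badge", "user": "asmith", "action": "out", "site": "HQ"},
    {"ts": "2018-02-05T17:45:00", "source": "logon", "user": "asmith", "action": "local", "site": "HQ"},
]


def correlate(events, identities):
    """Return (timestamp, user, rule) alerts from merged badge and logon events.

    Rules (all hypothetical names):
      inactive_or_unknown_identity  - any activity by a disabled or unknown user
      local_logon_without_badge_in  - console logon at a site the user has not
                                      badged into
      vpn_logon_while_badged_in     - remote logon while the badge system shows
                                      the user inside a building
    """
    alerts = []
    inside = {}  # user -> site the user is currently badged into

    # Process both feeds on one timeline, oldest first.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        user = ev["user"]
        ident = identities.get(user)

        # Identity check applies to physical and logical events alike.
        if ident is None or not ident["active"]:
            alerts.append((ev["ts"], user, "inactive_or_unknown_identity"))

        if ev["source"] == "badge":
            # Track physical presence even for flagged users: the person
            # really is in the building.
            if ev["action"] == "in":
                inside[user] = ev["site"]
            elif ev["action"] == "out":
                inside.pop(user, None)

        elif ev["source"] == "logon":
            if ev["action"] == "local" and inside.get(user) != ev["site"]:
                alerts.append((ev["ts"], user, "local_logon_without_badge_in"))
            elif ev["action"] == "vpn" and user in inside:
                alerts.append((ev["ts"], user, "vpn_logon_while_badged_in"))

    return alerts


if __name__ == "__main__":
    for ts, user, rule in correlate(EVENTS, IDENTITIES):
        print(ts, user, rule)
```

The local-logon rule also fires when someone follows a colleague through a door without badging, so it measures badge discipline as much as account misuse and needs tuning before it drives alerts.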
3. Organizational Structure
Organizations that are interested in unifying their physical and cyber
security teams should understand that convergence can eliminate
effort duplication and close the gap that often exists when two security
systems operate in tandem. Perhaps the most challenging aspect of
convergence is the decision of how to unify the two departments on
the organizational chart. The goal of convergence is not exclusively
to combine two security departments into one—the goal is to create
security policies that combine the efforts of both departments to ensure
they are prepared to work in a unified way to prevent and/or manage
threats and provide the organization with a consistently comprehensive
view of its physical and cyber security. The most common convergence
methods include appointing a single employee to be responsible for
overseeing all security within the organization, essentially keeping
the physical and cyber security departments separate under a single
manager; or merging the departments entirely to create one new
security department.
43 LaRoche, “Information and Physical Security.”
A Single Point of Governance
Many organizations prefer to appoint a single manager who is
responsible for both the physical and cyber security departments.
Often, this joint manager is simply called the chief security officer
(CSO). The goal of the joint manager is to cohesively organize the
security departments to achieve a common strategic mission through
collaboration. Ideally, a successful joint manager would be well versed
in physical security management, IT, cyber security principles, and fraud
examination.44 This role often requires the manager to understand how to
conduct a holistic threat assessment and have a strategic vision for how
to incorporate the human, physical, and virtual assets controlled by the
organization's current physical and cyber security teams. Furthermore,
the manager needs “to speak the language of business as do IT security
specialists and also need[s] to become better plugged into the business
objectives and culture side of things.”45 The role of the CSO will continue
to evolve, particularly as convergence becomes the norm, requiring an
expanded skill set and potentially new certifications.
It may be difficult to select an employee for this role, particularly as it
is likely that both the physical security and cyber security departments
have current leadership. Some organizations create a new position to
remedy this or have “all security functions report equally into [sic] a Chief
Risk Officer or a department of risk mitigation. The aim is to achieve
cooperation without making one group feel that they’ve been put under
the thumb of another.”46 Moreover, physical and cyber security managers
may understand threat and risk differently and have different skill sets.
Thus, experts suggest that “the Security Manager of the future will have
to have a solid background in threat, vulnerability and risk assessment
as well as knowledge of physical and cyber defence. They will also need
to regularly review their situation to keep up with the inevitable changes
on the threat horizon.”47
44 Savard, Staying Ahead, 3.
45 Millman, “The Unstoppable Convergence of Physical Security and IT.”
46 Slater, “Physical and IT Security Convergence.”
47 Millman, “The Unstoppable Convergence of Physical Security and IT.”
Creating One Unified Department
Organizations can choose to merge the physical and cyber security
departments into a single entity. This requires a deep understanding
of organizational and departmental culture and can save money if
overlapping positions within the departments could be eliminated by
convergence. Some organizations may decide to create a centralized
unit, such as a global security operations centre (GSOC). The purpose of
a GSOC is to create a “cohesive platform that collects all organizational
data and presents actionable information from which all actions can take
place. This facilitates the communication and coordination between the
IT and physical security teams by allowing them to perform their job
functions separately but operate cohesively.”48 The benefit of having a
GSOC is that staff from both physical and cyber security backgrounds
coordinate to respond to any and all security threats.
In some cases, organizations can maintain independent entities to
manage physical security and cyber security, as long as their actions
and security systems are coordinated by the GSOC.49 If an organization
has a physical security system that can be integrated within the
larger network, this can ease departmental integration. From there,
organizations must decide how to protect the system in case of a
breach.50 Those that choose to create a unified department or a single
governance body for security must determine who has decision-making
power over a variety of potential security issues that may arise.51 The
main role of convergence is to create a single, merged security database
that requires users to have proper credentials to access physical
locations around the building, as well as access to the organization's
network. In order to have one working system that is accessed and
maintained by both physical and cyber security personnel, policies
must be put into place to ensure identity data are accurate and security
policies are enforced.52
48 Vidsys, Bridging the Gap Between Physical and Cyber Security.
49 Siegel, “Physical and Cybersecurity Are Converging.”
50 Bryant, The Convergence of Physical Security and Cybersecurity in Business, 4.
51 Carney, Why Integrate Physical and Logical Security?, 6.
52 Carney, “Eye on Security.”
Cross-Training
Understanding the cultural differences between physical security and
cyber security departments is key to success, whether organizations
choose to appoint a joint manager or merge the departments. Such a
change requires a comprehensive security policy and plan, as well as
strong leadership and execution on the part of the management team.
Employees in both departments can greatly benefit from cross-training,
so that they can understand the role of the other department and how
their goals and strategies fit within the larger plan. Such training should
aim to educate employees to understand the benefit of convergence and
how it can help to improve operations and prevent attacks.
The convergence transition period can be confusing for employees.
It is helpful to assist employees in understanding how their roles
and responsibilities can be aligned with those of their fellow security
practitioners to further the organization's goals. For example, managers
can explain to employees how they can create a partnership by having
the cyber security team support the physical security team through
security solutions that assist both teams.
Recommendations
Our research findings indicate that the argument is no longer whether to
converge physical and cyber security but how to achieve this effectively.
As mentioned above, convergence does not necessarily require the
merging of the cyber and physical security departments. Rather, it
requires the two departments to work together seamlessly to close the
gaps between the two areas. The case studies presented at the October
2017 joint meeting of the Centre for National Security and the Cyber
Security Centre demonstrated that even though some organizations
separate their physical and cyber security departments, many were
already operating in a converged manner or trying to determine how
convergence could work for them. Based on our findings, and comments
from the meeting, we can make nine overall recommendations for the
effective convergence of physical and cyber security.
Build Convergence Through Policy and Skills
1. Create holistic security policies that aim to combine the efforts
of physical and cyber security departments, either by placing
both departments under one manager or by completely merging
the departments.
2. Analyze the skill sets of current physical and cyber security employees
and identify potential overlapping activities between departments,
skill gaps, and methods for upskilling staff to work within a unified
security team.
3. Assess the organization's holistic security policies to ensure that all
security goals are being met, and adjust as necessary, to create a
consistent future strategy and direction for security processes as
technology evolves.
Merge Security Systems and Technology
4. If possible, merge security monitoring systems and ensure that the
organization operates using a single access security system for both
cyber and physical security to reduce duplication of effort and increase
the flow of information.
5. Train staff with physical and cyber security backgrounds to monitor the
integrated security system, merging building access and network security
to monitor and prevent breaches.
6. If desired, isolate the entire security system on the network to ensure it
operates separately from general-use networks. This can remedy speed
issues and provide another layer of security in case there is a breach of
the organization's general-use networks.
Assess Organizational Culture
7. Before rolling out a convergence strategy, assess the culture of the
organization and both security departments to determine the best
method for convergence.
8. Determine if the organization would benefit most from creating a single
point of governance, in the form of an individual at management level or
above to oversee both departments; or from a merger of both security
departments into a single entity.
9. Provide training for employees to explain the roles and responsibilities of
each security department and the benefits of convergence. Employees
may also benefit from hands-on training in their counterpart’s security
discipline, to make them more aware of security risks that exist outside
of their roles.
Conclusion
With the continued expansion of the risks that both physical and cyber
security have to deal with and increasing demands for operational
efficiencies, converging security systems has become necessary to
allow for seamless monitoring and information-sharing. Convergence
comes with its challenges, particularly from human resource, cultural,
and management perspectives. However, with ever-evolving technology,
convergence, or at the very least, a converged security system, is the
best way to easily detect, respond to, recover from, and/or prevent
security incidents. Although most experts agree that convergence is
the best way to eliminate silos and strengthen security, it is essential
that organizations first design a security policy with convergence in
mind; involve senior management as well as all key members of the
organization's security departments in the convergence discussion;
and choose a method of convergence that suits the organization's
unique culture.
Acknowledgements
This briefing was prepared by Melissa Lalonde, Research Associate, under the
guidance of Dr. Satyamoorthy Kabilan, Director, National Security and Strategic
Foresight, The Conference Board of Canada. Andrew Pender, Associate Director,
Privacy and Corporate Security, The Conference Board, provided an internal
review. The Conference Board of Canada relies on external reviewers to provide
constructive, candid comments on most of our reports. Thank you to Dennis N.
Tracz, Manager, Cyber Risk, Governance & Policy, Enbridge; and Dave Quigley,
Bureau Commander, Chief Security Officer, Superintendent, Ontario Provincial
Police, for taking on this task.
Any omissions in fact or interpretation remain the sole responsibility of The
Conference Board of Canada.
About the Cyber Security Centre
In spring 2014, The Conference Board of Canada brought together a range of
senior executives to identify their strategic needs for cyber security. While many
cyber security forums exist, they tend to be sector-specific and/or highly technical,
leaving a critical gap in the current cyber security environment. The Conference
Board’s Cyber Security Centre fills this gap by providing a multi-sector, non-
partisan forum that focuses on the strategic and policy implications of cyber
security and informs and empowers senior executives responsible for these issues.
The Centre also provides a confidential, collaborative venue for executives to build
relationships and knowledge across sectors and industries, with the goal of making
Canada a safer, more prosperous place in which to live and work.
www.conferenceboard.ca/networks/csc/default.aspx
About the Centre for National Security
The Centre for National Security (CNS) works to help improve the capacity
of Canadian leaders to understand and effectively address national security
challenges. The Centre brings together executives from the public and private
sectors: executives who have a broad perspective of strategic-level security
threats and risks, and whose organizations have a stake in national security,
public security, and public safety. The CNS team works with participants to
produce timely and relevant insights needed to make effective decisions in
their areas of responsibility and/or to contribute to public policy-making. Centre
participants actively support customized research projects and facilitated
networking events designed to illuminate current and emerging threats, as well
as political, economic, social, and technological trends.
www.conferenceboard.ca/networks/cns/default.aspx
APPENDIX A
Bibliography
Ahmed, Mastufa. “Why Convergence of IT and Physical Security Is the
Future of Cybersecurity.” CSO Forum, January 21, 2015. Accessed July
11, 2017. http://cso.cioandleader.com/articles/1001716/why-convergence-
of-it-and-physical-security-is-the-future-of-cybersecurity.
Bryant, Desiree. The Convergence of Physical Security and
Cybersecurity in Business. Spokane: Allied Fire & Security, 2017.
Accessed July 8, 2017. https://www.alliedfireandsecurity.com/wp-content/
uploads/The-Convergence-of-Physical-Security-and-Cybersecurity.pdf.
Carney, John. “Eye on Security: Integrating Physical and Cyber Security.”
Enterprise Systems Journal, March 19, 2012. Accessed July 19, 2017.
https://esj.com/articles/2012/03/19/integrating-physical-and-cyber-
security.aspx.
—. Why Integrate Physical and Logical Security? n.p.: Cisco, 2011.
Accessed July 7, 2017. http://www.cisco.com/c/dam/en_us/solutions/
industries/docs/gov/pl-security.pdf.
CGI. Convergence Brings Opportunity and Risk. n.p.: CGI, 2016.
Chabrow, Eric. “Formalizing Cyber-Physical Security.” March 5, 2013.
Accessed August 17, 2017. http://www.bankinfosecurity.com/interviews/
formalizing-cyber-physical-security-i-1832.
Choraś, Michał, Rafał Kozik, Adam Flizikowski, Witold Hołubowicz,
and Rafał Renk. “Cyber Threats Impacting Critical Infrastructures.” In
Managing the Complexity of Critical Infrastructures: Studies in Systems,
Decision and Control, eds. R. Setola, V. Rosato, E. Kyriakides, and E.
Rome, vol. 90, 139–61. n.p.: Springer, Cham, 2016.
Contos, Brian T., William P. Crowell, Colby DeRodeff, Dan Dunkel, Eric
Cole, and Regis McKenna. “Security Convergence: What Is It Anyway?”
In Physical and Logical Security Convergence: Powered By Enterprise
Security Management, 59–92. Burlington: Syngress, 2007.
Div, Lior. “The Future of Security: A Combination of Cyber and Physical
Defense.” September 29, 2016. Accessed July 6, 2017. http://www.
networkworld.com/article/3125476/security/the-future-of-security-a-
combination-of-cyber-and-physical-defense.html.
Electricity Advisory Committee. Implementing Effective Enterprise
Security Governance. March 2014. Accessed July 4, 2017. https://energy.
gov/sites/prod/files/Mar2014EAC_Recs-CyberGovernance.pdf.
Gartner. “Operational Technology (OT).” 2017. Accessed July 27, 2017.
http://www.gartner.com/it-glossary/operational-technology-ot/.
Geiger, Rick. “Energy Networking Convergence Part 2:
Cyber & Physical Security.” Cisco Blogs. Cisco, June 16,
2014. Accessed July 24, 2017. http://blogs.cisco.com/energy/
energy-networking-convergence-part-2-cyber-physical-security.
Gill, Jasvir. IT‐OT‐Physical Security Convergence Is Key to Delivering
Holistic Security Across the Enterprise. ASIS International, n.d.
Accessed July 5, 2017. https://www.asisonline.org/Membership/Member-
Center/Security-Spotlight/Documents/IT-OT-Physical%20Security%20
Convergence%20is%20Key%20to%20Delivering%20Holistic%20
Security%20across%20the%20Enterprise.pdf.
Griffin, Joel. “Breaking Down the Walls Between IT and Physical
Security.” Security InfoWatch, March 28, 2016. Accessed July
12, 2017. http://www.securityinfowatch.com/article/12187472/
breaking-down-the-walls-between-it-and-physical-security.
Harp, Derek, and Bengt Gregory-Brown. SANS 2016 State of ICS
Security Survey. Bethesda: SANS Institute, 2016.
Hurtt, Ivan, and Peter Fehl. When Worlds Collide: The Convergence of
Physical and Logical Security. n.d. Accessed July 24, 2017. https://www.
security.honeywell.com/documents/Novell_White_Paper.pdf.
Hutter, David. Physical Security and Why It Is Important. Boston:
SANS Institute InfoSec Reading Room, 2016. https://www.sans.org/
reading-room/whitepapers/physical/physical-security-important-37120.
Ismail, Nick. “The Ineffectiveness of Siloed Cyber
Security Thinking.” Information Age, February 27, 2017.
Accessed July 19, 2017. http://www.information-age.com/
ineffectiveness-siloed-cyber-security-thinking-123464723/.
Kang, Dongho, and Jungchan Na. “A Rule Based Event Correlation
Approach for Physical and Logical Security Convergence.” International
Journal of Computer Science and Network Security 12, no. 1 (January
2012): 28–31.
Kang, Koohong, and Jinoh Kim. “A Case Study on Converged
Security With Event Correlation of Physical and Information Security.”
International Journal of Security and Its Applications 9, no. 9 (2015):
77–94.
LaRoche, Gregg. “Information and Physical Security: Can They Live
Together?” Information Systems Security, n.d. Accessed July 19, 2017.
http://www.infosectoday.com/Articles/convergence.htm.
Leetaru, Kalev. “When Cybersecurity Meets Physical
Security.” Forbes, January 13, 2017. Accessed July 18,
2017. https://www.forbes.com/sites/kalevleetaru/2017/01/13/
when-cybersecurity-meets-physical-security/#5904ab37d256.
Letsky, Jim. “Why (And How) to Merge Physical and Cybersecurity at
Your Company.” Small Business Pulse, March 9, 2016. Accessed July 11,
2017. http://cbspulse.com/2016/03/09/merge-physical-cyber-security/.
Ma, Joy. “Top 10 Security Concerns for Cloud-Based Services.” Imperva
Incapsula, December 14, 2015. Accessed August 16, 2017. https://www.
incapsula.com/blog/top-10-cloud-security-concerns.html.
Matthews, William. “Why DHS Is Merging Cyber and Physical Security.”
GovTech Works, August 17, 2016. Accessed July 7, 2017. https://www.
govtechworks.com/why-dhs-is-merging-cyber-and-physical-security/#gs.
fCQkWqY.
Messmer, Ellen. “Converging Physical and Logical Security: A Good Idea or Not?” Network World, January 13, 2010. Accessed July 4, 2017. http://www.networkworld.com/article/2240602/security/converging-physical-and-logical-security—a-good-idea-or-not-.html.
—. “Debate Rages Over Converging Physical and IT Security.” Network World, January 13, 2010. Accessed July 24, 2017. http://www.networkworld.com/article/2241458/security/debate-rages-over-converging-physical-and-it-security.html.
Millman, Rene. “The Unstoppable Convergence of Physical Security and IT and What It Means for Your Role.” April 12, 2016. Accessed July 7, 2017. https://www.ifsecglobal.com/unstoppable-convergence-physical-security-means-role/?cid=homepage_4th-6th.
Radcliff, Deborah. “Physical and IT Security: Overcoming Security Convergence Challenges.” June 2004. Accessed July 24, 2017. http://searchsecurity.techtarget.com/Physical-and-IT-security-Overcoming-security-integration-challenges.
Radiflow. “Convergence of Cyber and Physical Security for Protecting Operational Networks.” n.d. Accessed July 4, 2017. http://radiflow.com/cyber-physical/.
RedLeaf Consultancy. The Case for Merging Physical and Cyber Security: Has It Been Made? April 2015. Accessed July 18, 2017. http://redleafconsultancy.co.uk/wp-content/uploads/2015/04/Merging-Cyber-and-Physical-Security.pdf.
Savard, Jean-Francois. Staying Ahead: The Convergence of the Fraud Examiner, Security Management, and IT Security Disciplines. n.p.: Agriculture and Agrifood Canada, October 29, 2012. Accessed August 16, 2017. http://www.acfe.com/uploadedfiles/acfe_website/content/canadian/2012/presentations/5a_jf-savard.pdf.
Sembhi, Sarb. “What Makes a CISO Employable?” Infosecurity Magazine, July 20, 2010. Accessed August 16, 2017. https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/.
Siegel, Aviv. “Physical and Cybersecurity Are Converging.” Information Systems Security, 2014. Accessed July 18, 2017. http://www.infosectoday.com/Articles/physical_cyber_convergence.htm.
Slater, Derek. “Physical and IT Security Convergence: The Basics.” CSO, December 5, 2005. Accessed July 24, 2017. http://www.csoonline.com/article/2117824/strategic-planning-erm/physical-and-it-security-convergence—the-basics.html#specific.
Varga, Greg, and Bob Voss. “IT & OT Turn to Physical Security for Productivity.” May 2016. Accessed July 10, 2017. http://www.industrial-ip.org/en/knowledge-center/solutions/security-and-compliance/it-and-ot-turn-to-physical-security.
Vidsys. Bridging the Gap Between Physical and Cyber Security: A Key Theme at ISC West 2017 (blog). March 14, 2017. Accessed July 4, 2017. http://www.vidsys.com/general/bridging-gap-physical-cyber-security-key-theme-isc-west-2017/.
CONTENTS
Résumé
Context
Challenges for Building Effective Convergence
Recommendations
Conclusion
Appendix A
Bibliography
About The Conference Board of Canada
We are:
• The foremost independent, not-for-profit, applied research organization
in Canada.
• Objective and non-partisan. We do not lobby for specific interests.
• Funded exclusively through the fees we charge for services to the
private and public sectors.
• Experts in running conferences but also at conducting, publishing,
and disseminating research; helping people network; developing individual
leadership skills; and building organizational capacity.
• Specialists in economic trends, as well as organizational performance and
public policy issues.
• Not a government department or agency, although we are often hired to provide
services for all levels of government.
• Independent from, but affiliated with, The Conference Board, Inc. of New York,
which serves nearly 2,000 companies in 60 nations and has offices in Brussels
and Hong Kong.
255 Smyth Road, Ottawa ON
K1H 8M7 Canada
Tel. 613-526-3280
Fax 613-526-4857
Inquiries 1-866-711-2262
conferenceboard.ca
PUBLICATION 9366 | 9381
PRICE: $420
Combining Strengths: The Convergence of Cyber and Physical Security
Melissa Lalonde
To cite this briefing: Lalonde, Melissa. Combining Strengths: The Convergence of Cyber and Physical Security.
Ottawa: The Conference Board of Canada, 2018.
©2018 The Conference Board of Canada*
Published in Canada | All rights reserved | Agreement No. 40063028 | *Incorporated as AERIC Inc.
An accessible version of this document for the visually impaired is available upon request.
Accessibility Officer, The Conference Board of Canada
Tel.: 613-526-3280 or 1-866-711-2262 E-mail: accessibility@conferenceboard.ca
®The Conference Board of Canada and the torch logo are registered trademarks of The Conference Board, Inc. Forecasts
and research often involve numerous assumptions and data sources, and are subject to inherent risks and uncertainties.
This information is not intended as specific investment, accounting, legal, or tax advice. The findings and conclusions of
this report do not necessarily reflect the views of the external reviewers, advisors, or investors. Any errors or omissions in
fact or interpretation remain the sole responsibility of The Conference Board of Canada.