The new “business of security” is changing the role security practitioners must play, and increasing their overall value to the corporation.
Rolling Meadows, IL, USA (10 November 2005) – New threats and soaring costs are two factors driving the “convergence” or integration of traditional and information security functions in a growing number of U.S.-based global companies, according to the results of a new study commissioned by three leading international security organizations, ASIS International (ASIS), ISACA® and Information Systems Security Association (ISSA).
The study, Convergence of Enterprise Organizations (PDF, 1.5 MB), was conducted by Booz Allen Hamilton (BAH) and surveyed chief security officers (CSO), chief information security officers (CISO) and other security professionals representing 36 companies with revenues ranging from $1 billion to more than $100 billion. BAH also conducted 14 in-depth interviews in addition to the surveys. The results of the study indicate that convergence is a trend that impacts not just the security function of a given business, but rather, the business as a whole. Such integration ensures that all functions within the organization work together, and enables the organization to prevent, detect, respond to and recover from any type of security incident.
“In the society we live in today—with the threat of terrorism and a dramatic increase in the number and complexity of other security-related risks such as computer viruses, cyber attacks, theft, extortion and fraud—companies must find a more comprehensive approach to protecting their employees, core networks and facilities,” said Timothy L. Williams, CPP, Vice President of Corporate and Systems Security for Nortel Networks and a member of the ASIS Board of Directors. “Through the convergence model, security professionals have a unique opportunity to elevate their role in the organization, advance the security profession and deliver additional value to the organization through cost savings and related efficiencies.”
As new threats emerge and business transactions become more intricate, adhering to regulations and compliance guidelines will also become more complex. Sarbanes-Oxley, for example, gives a framework under which risk must be assessed, but does not stipulate how to assess that risk. Businesses’ desire for security professionals who can examine and assess the risks that organizations face as a whole is one of the driving forces behind the convergence phenomenon, according to the study. The focus on security from an enterprise perspective has led to innovative approaches that emphasize integration, specifically the integration of the risk side of the business into the strategic planning side in a consistent and holistic manner.
Another factor identified in the study as contributing to the security convergence trend is the migration in the types of assets many organizations need to protect. Companies’ assets are now increasingly information-based and intangible, and even most physical assets rely heavily on information. Technology is also now allowing companies to offer more information products. As these products become increasingly intangible, there is a greater need to integrate traditional and information security, as well as security throughout the entire enterprise.
“Organizations rely on their IT systems to provide real value, increase competitive advantage and improve relationships with customers and trading partners,” said Marios Damianides, CISA, CISM, CA, CPA, past international president of ISACA. “The convergence of logical and physical security is a natural progression that enables businesses to better protect all of their assets and achieve significant financial efficiencies.”
The advance of technology itself is blurring the line between traditional and information security, and is a third component driving convergence. The merger of physical access control technology with network access technology is one example cited in the study. The smart card demonstrates a technology that integrates once disparate parts of security: a single credential verifies a person’s identity for both building and network access and records his or her physical location.
“Over the past year, we have seen a tremendous growth in the number of our members who are either partially or wholly responsible for both information and physical security,” said Dave Cullinane, president of the ISSA. “While this convergence is still only being embraced by a minority of the industry, it is clearly a road map for the future. Information exists in all forms, including the physical realm.”
As the convergence of security functions within organizations continues to increase, the study concludes that the role of security should no longer be viewed as a sunk cost, but rather as a value-adding activity. So powerful and important is the integration of security functions within an organization, in fact, that the study predicts that companies embracing security convergence and facilitating its implementation will emerge as leaders not only in their own sectors, but across all sectors.
A webcast about the study will be available at the ASIS, ISACA and ISSA web sites in December. For more information or to download a free copy of Convergence of Enterprise Organizations (PDF, 1.5 MB), please visit the ASIS, ISACA or ISSA web site.
ASIS International (www.asisonline.org) is the preeminent organization for security professionals, with more than 33,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine — Security Management — ASIS leads the way for advanced and improved security performance.
With more than 47,000 members who live and work in more than 140 countries, ISACA® (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 40,000 professionals since inception, and the Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 5,200 professionals.
The Information Systems Security Association (ISSA) (www.issa.org), with more than 13,000 individual members and more than 100 chapters around the world, is the largest international, not-for-profit association for information security professionals. It provides educational forums, information resources and peer interaction opportunities to enhance the knowledge, skill and professional growth of its members. ISSA members are consistently recognized as experts on critical issues in the area of information security, and the Association is viewed as an important resource for small businesses, global enterprises and government organizations alike. Working closely with other industry organizations such as (ISC)2, ASIS and ISACA, and leading worldwide initiatives like the recommended CISO education curriculum, ISSA is focused on providing leadership and maintaining its role as The Global Voice of Information Security.
For ASIS: Chris Flynn, email@example.com, 703.518.1466
For ISACA: Kristen Bertholomey, firstname.lastname@example.org, 847.590.7455
For ISSA: Anne Rogers, email@example.com, 713.287.2488