I note that Convergence is back on the conference agenda, with a keynote panel, chaired by Dr David King, scheduled for the opening morning of next week’s Infosecurity Europe. Keen supporters of this debate issued a press release and a guideline last week suggesting that blended threats demand a converged response. They propose a series of steps based on the acronym ‘SIMPLE’. (Shouldn’t that be ‘simples’?)
Nobody could argue that converged risk assessments are a bad thing. But there’s nothing really new about that. For decades, many leading enterprises have conducted converged risk assessments and crisis response. The underlying implication, however, is that the solution requires a single point of ownership, and hence a single Physical and IT security function. This is the real issue.
Is it the correct approach? The simple answer is that there is no single, ideal structure or programme for security. As I point out in my book “Managing the Human Factor in Information Security“, enterprises have varying legacies, objectives and capabilities. The optimum security organisation depends on many factors, including the nature of the business challenges, the structure of the enterprise, the maturity of its security and governance processes, the experience of staff, the nature of its business relationships, and the organisation of other business and support functions.
This debate is also not new. I discussed the arguments and issues on my Computer Weekly blog three years ago and on my Infosecurity Advisor blog last year. It’s a subject, however, that won’t go away or be clearly resolved in the near future, which is why it’s so attractive to consultants, analysts, institutes and bloggers.