Senior Research Associate,
National Security and Public Safety
National Security and Strategic Foresight
Organizations are facing an evolving security landscape where the lines between cyber and physical security are becoming increasingly blurred. Hacking, ransomware, and phishing are all low-cost, high-payoff activities that are difficult to prosecute. But cyber attacks can also have real physical security impacts. For example, hackers issued death threats against students by texting their parents, resulting in school closures across several U.S. states. In 2013, drug traffickers hacked into a shipping port system in Antwerp, Belgium, manipulating data on the location and security details of containers to avoid screening and to facilitate illicit drug shipments. Additionally, stolen data can be used to influence or manipulate people and businesses.
When organizations treat cyber and physical security as two separate problems, significant gaps in coverage can emerge, and malicious actors can exploit them. How can organizations effectively close this gap between cyber and physical security?
What Is Security Convergence?
Security convergence seeks to streamline an organization’s cyber and physical security functions to provide more coverage to detect, deter, and react to threats. It encourages information sharing and the development of unified security policies across both physical and cyber security.
Achieving convergence does not necessarily mean merging cyber and physical security departments. Ultimately, convergence is about getting cyber and physical security to work together seamlessly to close the gaps and vulnerabilities that exist in the space between the two functions. Models include: completely combining departments; appointing one senior executive that both sides report to; combining resources along policy and operational function lines, rather than splitting them into cyber and physical functions; developing fusion centres that create a link between the two sectors; and simply establishing new policies and practices.
Should Cyber and Physical Security Operate in a Converged Manner?
The Conference Board of Canada’s Centre for National Security and Cyber Security Centre came together on October 24–25, 2017, to discuss the issue of cyber and physical security convergence. Executives from the public and private sectors, as well as law enforcement, discussed a range of issues around security convergence—from an assessment of the converged security threat landscape to case studies of organizations where the cyber and physical security functions were either fully merged or operating as separate entities.
What emerged from the discussions was a clear need for security convergence across the cyber and physical realms. The threat landscape presentations clearly indicated that malicious actors do not see a distinction between cyber and physical security—they simply look for the weakest link and use that to attack the organization.
The case studies where cyber and physical security functions had been merged illustrated many of the benefits of convergence. But even in the case studies where cyber and physical security functions operated separately, there was strong evidence of convergence through information sharing and cooperation. Regardless of structure, the need for security convergence was clear.
During the meeting, the Conference Board also presented a research paper on convergence. The background research for the paper noted that the recent literature almost unanimously supports security convergence as the best means to close security gaps and be adaptable in the face of the evolving threat landscape.
Closing Security Gaps Through Convergence
There is no longer a clear distinction between cyber and physical security within the rapidly evolving threat environment organizations operate in today. Yet, many organizations cling to concepts that frame cyber and physical security as separate functions. Threat actors will seek to attack organizations through their weakest link, whether it is through a physical attack to cause a cyber security breach or vice versa. Within this context, organizations need to converge their cyber and physical security operations to close the gaps between the two areas that could be exploited by malicious actors. There is no one-size-fits-all solution to achieve convergence. The choice of which convergence model to adopt and whether to merge the cyber and physical security functions will depend on the unique circumstances of each organization. Ultimately, the aim of security convergence is to ensure a free flow of information and insights across cyber and physical security, regardless of the security structures and governance within the organization.