Convergence Bandwagon CollapsingBy Ethan Ace, Published on Jan 23, 2012
For years, pundits have declared the imminence of convergence. Now, a recent Information Week survey declares to the contrary, "The wheels have officially come off the security convergence bandwagon".
This survey asked 334 technology professionals a number of questions about convergence in their organization. In this update, we'll take a look at some of these findings, and give our take on the results.
84% of respondents listed themselves as being part of their organization's IT staff, across a wide variety of company sizes, vertical markets, and income ranges. While issue can be taken with some of the tone of the report, which tends to look down upon security and building management staff, it does offer some insights into IT department concerns in physical security systems. Users may refer to the 29 page survey report for full information.
IP-Based Security Concerns
One of the most interesting questions in the survey was regarding IT's biggest concerns regarding IP-based security systems, seen in this chart:
As we found in our Fall 2011 survey, most respondents (76%) answered that they do not use the company LAN for IP security system traffic, opting for a dedicated network instead, citing concerns about bandwidth, responsibility, and dealing with IT staff. The above confirms some of our findings, with bandwidth being the biggest concern. With 20% of these survey respondents having concerns about the security department's knowledge levels, it's safe to assume that the IT staff has concerns about working with security staff as well. While technical issues are a major concern, the impact of political issues cannot be denied.
Integration of Information and Physical Security Teams
With obvious concerns about IT and security staff working together, one of the most surprising findings of the survey was this, regarding whether information security and physical security were part of the same department:
A total of 44% of respondents worked in organizations with integrated security departments, with an additional 6% answering that it would be done this year. With a total of 50% integrated or integrating their operations, one would expect that political issues would not be as much of a concern as they are.
IT Approach to Security
One striking thing in this survey is the difference in IT's approach to physical security, compared to what we are accustomed to in the physical security realm. IT staff, in approaching physical security, tends to apply a heavy-handed methodology, applying protection where it is not most needed, or without real risk assessment being performed. For example:
- "Where respondents fall short is in use of newer technologies. Biometric controls, for ex- ample, are used by just 10%" The tone of the article suggests that this is a bad thing just because biometrics are newer. Proximity cards have remained in use because many users have not seen a justification to change to biometric readers. Especially when card readers are in use elsewhere in an enterprise, there's little reason to change unless higher security is demanded, which most often is not the case.
- In discussing retention period for surveillance systems: "We recommend keeping six months of footage at minimum, more if you have the storage. It can take months for a crime to come to light, and when an investigation starts, you want to make sure the video is available." To make this recommendation across the board, without knowing the user's business practices, is absolutely wrong. The number of systems using a six month or greater retention period is very small, simply because most can't justify the extra cost when the vast majority of incidents are known and investigated much sooner than six months.
There are even more examples of this on topics such as tying network sign-on to access credentials, locking out users based on geographic location, and more, which likely will see little adoption in the real world.
The Culture Difference
We may be inclined to agree that the wheels have come off the convergence bandwagon, but for reasons different from those discussed in the report. Reading this, one thing is obvious: Information and physical security professionals still have a tendency to see each other as adversaries instead of allies. While 50% work in an integrated department, "security people" and "IT guys" are two very distinct groups with methods rooted in their respective disciplines. This convergence of people is still a young concept, only occurring in the past few years, as well. We expect that in the next few years, given time and management of integrated deparments, convergence will have better chances.
Other Surveillance Topics
The survey also covered the following topics relating to surveillance.
The results here are suspect. While it shows that IP camera adoption has grown, it claims that analog adoption has held steady and, much less believable, that more users do not have cameras now than they did in 2009.
The increase in those who have reviewed footage or provided video to law enforcement is substantial. Though reasons are not given, we expect this may be due to more sophisticated users or broader adoption of surveillance systems.