By Kathleen Kotwica, PhD, EVP and Chief Knowledge Strategist, SEC; Principal Analyst, Security Leadership Research Institute, and Herb Mattord, PhD, CISM, CISSP, Kennesaw State University - Department of Information Systems
The convergence of corporate and cyber security is often said to enhance resilience by broadening the view of risk, providing more rapid detection of threats and response to emerging events, and improving intelligence sharing. But are these preconceptions about convergence accurate in practice?
How is convergence actually occurring in organizations, and how has it changed? What are the real, experienced benefits and drawbacks of it? What metrics are useful in measuring its effectiveness or impact?
At this time, the security industry has no hard data to help us answer any of these questions. That's why the SEC's Security Leadership Research Institute (SLRI) and Kennesaw State University are jointly conducting a study to provide new insight into the evidence on convergence in practice.
Why Is Collaboration Increasing?
About a year ago, the SEC conducted a Security Barometer poll that asked about interaction and cooperation between cyber and corporate security. Sixty percent of respondents said cooperation had increased, and 69% stated the reason for this was "issues that emerged of joint interest" – most likely COVID-19.
Corporate security leaders have told us of increased collaboration in securing home offices and recovering company assets if work-at-home employees leave. Corporate security has been involved in assuring that off-site workers are where they say they are, and they've been involved in health checks. Also, executive management seems more aware of cyber and corporate security interactions and how increasing interaction could benefit the company.
The Continuum of Convergence
Most existing literature on corporate security and cybersecurity convergence concentrates on where a converged department reports, to whom, and at what level the organization sits. This focus tends to create turf wars. We believe it does not have to be so clean-cut.
Convergence can occur along a continuum, from the structure we traditionally think of when we say "converged" – one combined team, headed by one leader – to two organizations that routinely collaborate, to two functionally separate entities that collaborate on an as-needed basis. Each one of these examples constitutes convergence at some level and may bring the benefits we tend to expect from collaboration.
Does the level of convergence impact the benefits gained? Is the impact of collaboration consistent across industries, for different sizes of company, in various corporate cultures? Are there good reasons not to converge? We hope our research can begin to answer questions like these.
Goals and Participation
With the help of participating security leaders, this research will
- build an improved model of how security convergence is occurring in organizations and how it has evolved,
- identify benefits or drawbacks that come from security convergence,
- determine how benefits of convergence can be effectively measured, and
- determine the variety of ways that convergence comes together in organizations or why it does not.
The first phase of this research has been completed. See the results here.