Convergence as a Strategic Security Philosophy: Uniting Cyber and Physical Security

By Luke Bencie, Contributing Author & Host / December 6, 2024 

Luke Bencie is the Managing Director for Security Management International, LLC. He has consulted for the US Department of State, US Department of Defense, Fortune 500 companies, and foreign governments, specializing in strategic and security management assessments, counterintelligence, and due-diligence investigations. Bencie has authored "Among Enemies: Counter-Espionage for the Business Traveler" and "Global Security Consulting: How to Build a Thriving International Practice."

With experience in over 100 countries, Bencie has trained thousands from police, military, and intelligence services on topics such as espionage, border security, and terrorism. Prior to SMI, he was a Senior Security Consultant for Raytheon, focusing on emerging markets, and served on the US Department of State’s Foreign Emergency Support Team. He holds graduate degrees in National Security Studies and an MBA, and has further education from institutions like Wharton and the FBI’s National Training Academy.
Cybersecurity and Infrastructure Security Agency 

In 2018, President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act, creating the Cybersecurity and Infrastructure Security Agency (CISA). Replacing the National Protection and Programs Directorate that was formed in 2007, CISA’s goal is to lead national initiatives to manage and lower risks to U.S. cyber and physical infrastructure. For example, in November 2024, CISA launched a new learning platform, “CISA Learning”, to enhance cybersecurity training for government staff, veterans, and other stakeholders. 

Convergence 

Some might think the government was simply adding more bureaucracy to the DHS (Department of Homeland Security). However, CISA is different. It unites cybersecurity and physical security professionals as equal stakeholders, putting the U.S. government ahead of the private sector in innovation, disruption, and communication. This joint accountability has led to a new security philosophy called Convergence. 

Cyber and Physical Security 

Convergence is a strategic approach to integrating two traditionally separate disciplines: cyber and physical security. As defined by PricewaterhouseCoopers, it involves identifying security risks and interdependencies across business functions and developing solutions to address them. In practice, this means combining cyber and physical security into one department. All security aspects—physical, cyber, insider threats, emergency preparedness, crisis management—are assessed from a unified perspective, aiming for a more cohesive and integrated security strategy. Although this is seen as a commonsense strategic approach to melding two very important – yet different – disciplines, the two have historically been at odds with each other. 

Chief Security Officer 

The Chief Security Officer (CSO) was often seen as a security director with a "C" title, lacking the authority of COOs, CTOs, or CFOs. Despite their qualifications, the perception was that a CSO could not become a future CEO. The CSO role, not being a traditional business position, was viewed as the peak of a security professional's career rather than a step toward the top job. Even so, CSOs are impressive individuals with significant responsibilities and are usually well compensated. 

Chief Information Security Officer 

With cyber-attacks at record levels, the Chief Information Security Officer (CISO) protects the organization daily. The old security mantra of "gates, guards, and guns" has evolved into "firewalls, IT specialists, and penetration tests." Like CSOs, CISOs are under immense pressure and are unlikely to become CEOs. Due to burnout or better opportunities, the average CISO stays with a company for only 18-24 months, making collaboration with a CSO rare. 

Conflict 

The historical and ongoing conflict between CSOs and CISOs, between physical and cyber security departments, is a significant issue. Physical and cyber security departments often compete for attention, respect, and, crucially, budget. The global pandemic worsened this struggle. 

Effects of COVID-19 

During COVID-19, many traditional brick-and-mortar organizations sent workers home, reducing the need for physical security. However, this shift increased cybercrimes, as remote workers became more vulnerable to phishing, spyware, malware, ransomware, and social engineering scams. The CISO's role became more challenging, while some argued (unjustly) that the CSO's role became less significant. 

Healthcare Industry 

Consider the healthcare industry. In 2020, over 600 hospitals and clinics faced 92 ransomware attacks, resulting in over $20 billion in losses from impacted revenue, lawsuits, and ransoms. Ransomware attacks on healthcare continue to escalate, with significant incidents in 2023 and 2024 affecting hundreds of hospitals and compromising patient care. In 2024, roughly 67% of healthcare organizations were affected by ransomware attacks. While this might seem like a cyber issue for the CISO, preserving life was also a key part of the healthcare industry's physical security plan. 

Joint Responsibility 

By sharing resources and fostering a cooperative culture across multiple disciplines, healthcare security departments—both physical and cyber—adopted a more proactive approach to addressing threats and vulnerabilities. This joint responsibility for security illustrates the spirit of convergence. 

Merging Expertise and Resources 

By merging the expertise and resources of physical and cybersecurity professionals, the healthcare industry developed "joint task forces" to tackle electronic hostage situations in medical facilities. While IT teams patched firewall breaches, physical security teams provided redundancies and replacements for vital equipment, ensuring patients continued to receive medical attention. 

The Workforce 

The global cybersecurity workforce grew by 8.7% from 2022 to 2023 and demand for cybersecurity jobs increased by 43% over a 12-month period, according to the ISC2 Cybersecurity Workforce Study. In contrast, physical security jobs (e.g., guards, close protection operatives, emergency response planners) have a projected total growth rate of less than 3% between 2018 and 2028. This highlights the disparity in growth between the two fields and underscores the need for convergence. 

Future of the Security Industry 

Cross-training of next-generation security professionals entering the field of homeland security is essential. This does not mean that an IT person will man a security post or that an explosive-detection expert will write code. However, the security professional of the future will most likely hold dual master's degrees in Cybersecurity and National Security, speak several foreign languages, and have training in counterintelligence, special operations, and emergency response. Convergence is the future of the security industry. Maybe we owe our thanks to the Cybersecurity and Infrastructure Security Agency (CISA) for that. 
