Convergence "is quite capable of being done," says Joe McDonald, an ASIS board member. "Some people want it, but that doesn't mean their organization does." Most executives find convergence unrealistic because very few security professionals have sufficient skills in both realms, according to the report.
Security headhunters are already seeing a sharp increase in requests for security executives with a broad range of skills, especially in the last three years. "Quite frequently hiring managers are saying 'We want somebody who can work collaboratively, who has a certain baseline of knowledge [about physical and IT security] and the ability to understand and advance both programs,'" says Kathy Lavinder, executive director and founder of SI Placement in Bethesda, Md. "But a lot of organizations haven't gotten to that point and are still struggling with it. It's very much a work in progress."
Today the relationship between information and physical security is often described as adversarial by industry executives, with one team feeling threatened that the other side is taking over its responsibilities.
Experts agree that the problem will likely play itself out in the next decade or two as tech-savvy college grads reach the executive levels of security, but today's threats require companies to break down silos and make security more seamless right now. What's more, changes must be implemented from the top down.
Industry leaders on both sides of the security spectrum offer best practices for uniting information and physical security teams toward a shared goal.
One easy starting point that is often overlooked is basic communication. "Both sides must communicate what their tasks are and why they are important," says McDonald, who is also CSO at data center company Switch in Las Vegas. In his position, McDonald oversees both physical and IT security, with VPs specializing in each discipline handling daily operations.
"There are more similarities than there are divergence between the two roles. They just have different tool boxes," he says. Instead of walking a site, information security staff is looking at data logs for anonymous data packet loads. "That's no different from physical security staff looking at an access control system" to see why somebody tried to use the same reader four times at an entrance door they shouldn't be using, he explains.
Once the overlapping tasks have been identified, "it takes a lot of good policies and procedures to bring people, technology and processes together to make it work," he adds.
Many of the rivalries and misunderstandings come down to how the industry defines security, says Tim Williams, CSO and director of information risk & enterprise security at Caterpillar Inc.
"In any company you have a multitude of definitions of security" for people with security in their titles. "If we could change our titles to 'risk' and say we're both trying to mitigate security risks in the corporation, it's a much better platform for discussion because it can be translated into concepts that both sides can understand."