“When I first arrived on the job (at the City of Vancouver),” Tyson recalls, “I asked the physical security manager when was the last time the camera system servers had been patched. His response was: ‘What’s a patch?’”

On the flip side, IT security experts are often blind to physical security systems, or don’t consider them part of the overall IT picture. “We hired one of the Big Four consulting companies to come [to Vancouver] and do an IT threat and risk assessment,” Tyson recalls. “Nowhere in their report do they even discuss the physical security systems.”

Such glaring disconnects lead some to take the long view. “I don’t think real converged security is going to happen any time soon,” says Geoff Hogan, senior vice president of business development and product management at Imprivata. “When you get right down to it, physical security doesn’t want to own the network log-in, and IT doesn’t want to own the door responsibilities.”

Even at IBM, Hampapur says the Smart Surveillance System isn’t operationally linked to any access control systems at any IBM site or customer, although the company has demonstrated an in-lab prototype of such a system to a major U.S. airport.

“It’s at the stage that people see what’s possible and doable. But you need to tie it back to the business case to support it. Is this a $5,000 problem with a $50,000 solution, or vice versa?” says Sam Docknevich, IBM’s national practice leader for security services.

So far, larger companies and early adopters are pushing vendors such as IBM and Tyco the hardest on security convergence, requesting ways to tie in employee provisioning with security management systems such as C-CURE, Boriskin says.

At IBM, the focus is more on linking video surveillance to biometrics and access control. The company is also seeing a surge in requests for proposals on RFID and asset tagging to prevent theft from the retail sector, as well as utilities looking to protect remote sites, Docknevich says.

Converged security today
So when will converged security go mainstream? To start, companies must come up with a sober assessment of their security needs based on risk management. At many firms, this has already happened.

“When you talk to large companies, you find that they’re re-examining the organization of security around risk management. Very often they talk more in terms of risk management and what are the component pieces,” Contos says.

Often, taking a risk-based approach means doing less, not more, and focusing on a few core assets, rather than big, expensive solutions that touch everything, Ray O’Hara, SVP at Vance says. “You can have the best access control system and cameras all over the world, but is your focus on the crucial information? Maybe that camera in Beijing is necessary, but you need to study the validity of having it there first,” he says.

Rather than chasing off after facial recognition systems, Jon Gossels, president of System Experts says companies adopting a risk-based approach might focus first on telephone rooms and computer datacenters — and make the physical security around those top notch. Or they might audit basic access security at branch offices, which are often easy prey for criminals and social engineers.