DALLAS - At February's TechSec Solutions conference, Dave Morrow, chief security and privacy officer for EDS, stepped away from the technical side of convergence for an hour and took a broader view, approaching the topic from an enterprise risk management perspective. EDS, the second largest IT outsourcing firm in the world, merged its IT and physical security departments in 2005 under Morrow's leadership, and in his closing keynote address he presented the benefits and challenges of that transition.

The key, he said, is "looking at an organization as an enterprise," but that can be difficult in a business that has traditionally treated physical and IT security as siloed departments, as was previously the case at EDS. "There was little in common between these two," Morrow said. "They kind of hated each other." Morrow's first course of action was to get management to understand that the entire security team must both protect and enable the business. "We took a look at what we were doing as a department and if these things were not benefiting the business, we weren't going to do it anymore," he said.

Morrow is not pursuing this view of convergence only at his own organization; he is also working with the Alliance for Enterprise Security Risk Management (AESRM), a group formed by ASIS International, ISACA and the Information Systems Security Association that brought together global security professionals with broad security backgrounds and skills to address the growing number and complexity of security-related risks to international commerce from terrorism, cyber attacks, Internet viruses, theft, fraud, extortion and other threats. In 2007 AESRM released a report titled "The Convergence of Physical and Information Security in the Context of Enterprise Risk Management" that examines the benefit of a converged view of security in managing enterprise risk. But there are challenges.
When Morrow began merging IT and physical security operations, it was difficult to get each department to think about the other's main concerns. For example, he asked the physical security department to determine the cost of the laptops that had been stolen in the previous month. The personnel came up with the price per laptop and multiplied it by the number of laptops lost. But what about the value of the data stored on those laptops? "The departments think differently," he said. "You need to get them using their skills, but thinking on the same level."

Morrow has seen the gap narrow over the past three years, especially when one of his leaders, "a card-carrying CPP" (ASIS International's Certified Protection Professional), recently earned his CISM (ISACA's Certified Information Security Manager) certification. "He is proof that it is possible to bring these groups together, they just need to speak each other's language," he said.

To see video of Morrow's closing presentation, please visit www.securitydirectornews.com/index.php?p=blogs. SDN