The third panel in our evolving risk series brought together leaders from across the security industry to explore how global risks are reshaping the way we think about threats and why converged security must be a cornerstone of organisational resilience. This panel was run in partnership with Corps Security.
We kicked off the panel by asking the room and the panellists: what does convergence mean to you?
The answers reflected the complexity of the challenge. Some saw convergence as the fusion of cyber, physical and people security. Others talked about it as a shift in mindset, moving away from working in silos and instead having people, processes, and technology all pulling in the same direction.
One voice captured it simply as:
“It’s the cyber and physical teams going down the pub and having a good chat.”
One panellist suggested:
“The need for interoperability between all business functions with security responsibilities”
Another framed it more directly:
“Convergence is the ‘so what’ to your business plan and what does it really mean in practice?”
What became clear from the outset is that converged security is a necessary evolution in how we think, collaborate, and prepare for risk in an increasingly interconnected world.
Rethinking risk in the 5th industrial revolution
As the panel expanded the conversation to the bigger picture, focus turned to how risk is evolving in what’s being called the Fifth Industrial Revolution. The pace of change is accelerating, from geopolitical volatility and AI-enabled threats to the deepening entanglement of physical, digital, and human vulnerabilities. Traditional, linear security models are struggling to keep up.
One panellist remarked:
“Never mind the last decade, look at how much has changed in the last 10 days.”
This comment describes a fundamental imbalance between attackers, who are agile, coordinated, and often backed by powerful nation-state resources, and organisations that are still operating in fragmented silos. That gap between the speed of the threat and the pace of organisational response is where resilience begins to break down.
What does convergence really mean?
In the past, convergence was largely understood as the blending of cyber and physical security, bringing two often separate teams together to coordinate efforts. It was a relatively narrow focus, aimed mainly at integrating technologies and operations within those domains.
But as the threat landscape has evolved, so has the meaning of convergence. Today, it’s not just about cyber and physical security working side by side. It’s about breaking down silos across the entire organisation, connecting people, processes, and technology into a seamless, converged approach.
This broader view reflects a shift from isolated efforts to a shared strategic framework, whether that’s adopting standards like ISO 27001 or creating unified internal plans. It’s about eliminating duplication, aligning priorities, and collaborating across all security and risk functions.
As one panellist put it:
“There’s no such thing as a convergence expert. There are just people pulling in the same direction.”
For some, convergence represents a fundamental strategic shift. For others, it's a change in mindset that prioritises proactive resilience over reactive response.
“It’s not just about having a framework,” one contributor explained. “It’s about asking - what does this actually mean for our business?”
At its core, convergence is less about structure and more about synergy: unifying disciplines, eliminating ego-driven turf wars, and creating a common language across your organisation for security, risk, and resilience.
A new threat paradigm
The panel made it clear that threats today don’t fit neatly into old categories. Increasingly, state-backed actors and criminals are working in ways that overlap and blur lines. One example shared was how simple crimes, like theft, can actually be part of bigger, coordinated campaigns supported by nation-states. This kind of activity challenges how we’ve traditionally thought about risks.
But it’s not just about technology or physical attacks anymore. The panel also talked about how misinformation and social division have become powerful tools for attackers. The goal is often to split communities and sow distrust, weakening society from within.
As one speaker said:
“You don’t need a bomb if you can divide people with an algorithm.”
This shift in threats makes it clear that security can’t work in isolation anymore: everything needs to come together.
Practising convergence
The panel didn’t just discuss theory; they explored real-world implementation. One case study that was shared involved a major ransomware attack that paralysed operations. The response revealed a lack of cohesion between IT, OT, and human systems. The result? Disjointed recovery efforts and missed opportunities to respond effectively.
In contrast, the panel shared that organisations they’ve worked with that had embraced a converged resilience strategy were better equipped to manage incidents, respond with agility, and ultimately recover faster.
Live exercises and simulated attacks were highlighted as powerful tools to break down silos. These simulations force cross-functional collaboration, helping teams understand one another’s roles, strengths, and limitations. As one speaker put it: “Simulate the attack, so people can see the chaos and understand the value of convergence.”
Skills, talent, and the human factor
Convergence isn’t just about connecting technology; it’s about people. The panellists agreed that the security profession must do more to attract, train, and retain talent. There’s a need for individuals who can think broadly but also bring deep expertise. “We don’t need mile-wide and inch-deep,” one participant stated. “We need L-shaped people: broad collaborators with deep capability.”
However, barriers remain. Recruitment processes that rely on rigid algorithms sometimes filter out good candidates who may not have specific qualifications, and career paths in areas like physical security often lack visibility. Apprenticeships, clearer skill pipelines, and changing how the industry presents itself were suggested as ways to tackle this.
As another speaker said,
“Hire for attitude, train for aptitude.”
Who owns the risk? Accountability and responsibility across the business
A consistent and important theme throughout the panel was the question of accountability. When it comes to risk and organisational resilience, who really owns it?
The discussion made it clear that while many people across the business have responsibility for different parts of security and risk management, there needs to be one person who is ultimately accountable. This individual, often a senior leader or executive, needs to have the authority and commitment to push convergence efforts forward and make sure they don’t stall or fall apart because ownership is unclear.
Without strong leadership support from the top, efforts to break down silos and bring security together usually remain patchy and disconnected. Converged security cannot succeed if it is treated as a side project or kept within one department. It has to be a core business priority.
This means security and resilience need to be part of the main conversations at the board level, not an afterthought pushed to the side. The panel urged organisations to create a clear line of accountability that runs from the boardroom down to the operational teams. If security leaders don’t already have a seat at the table, it’s important they find ways to get one, whether by building relationships, showing the business value, or speaking in the language that executives understand: the language of risk.
The panel also stressed that accountability isn’t about blaming people. It’s about taking ownership, being clear on roles, and sharing responsibility. Everyone in the organisation has a part to play in managing risk, but without someone who owns the bigger picture and holds teams accountable, convergence efforts will struggle to gain momentum and deliver real results.
The growing role of regulation
Regulation is playing an increasingly important role in shaping how organisations approach convergence and accountability. With new frameworks like DORA, the AI Act, Martyn’s Law, and NIS2, regulators are not only setting standards but also creating opportunities to clarify who is responsible for what. These rules reinforce that while managing risk is everyone’s job, certain leaders and teams must carry heavier responsibilities. The panel emphasised that organisations need to champion these regulations proactively, not just as compliance checkboxes, but as tools to strengthen resilience and accountability across the business. Ultimately, regulation should be woven into the fabric of the organisation’s culture and strategy, driving meaningful change from the top down and reaching people of influence throughout the business.
The call to action
The message at the close of the panel was that convergence needs to be at the foundation of modern resilience, and that as security professionals we need to lead that revolution.
Key takeaways
- Convergence is a mindset - Align frameworks, language, and teams to operate as one.
- Leadership must own the strategy - Without buy-in at the top, efforts stay fragmented.
- Simulate to integrate - Live exercises expose gaps, build trust, and turn policy into action.
- Build the next generation - Invest in pipelines, challenge C-suite inertia, and champion convergence as a profession.
- Stop thinking in silos - Attackers don’t, so as security professionals we need to be leading the converged revolution.
Currently, only about 20% of organisations truly practise convergence. That number must grow.