Our second converged security session hosted in partnership with Mitie brought together senior leaders from security, risk and resilience to explore a practical question: what does convergence look like when it works and why does it remain so difficult to achieve?
The session was designed to focus on practice rather than theory. Each panellist was asked to share an example of where convergence is already working within their organisation and what has enabled that progress.
Panel 1
- Paul Bean CSyP MSyl – Director of Security & Organisation Resilience, Royal Mail
- Anas Wihaib – EMEA Business Protection Manager, Spotify
- Mike Pearce GCGI MBCI – Director of Security & Resilience, Landsec
Panel 2
- Rob Kennedy MSc, CSyP, FSyl – Gov Security
- Nigel Sommerville MBE MC – Head of Security EMEA, Warner Bros. Discovery
- Sarah Austerberry CSyP FSYI – Chief Executive Officer, The Security Institute
Evening Chaired By
Peter Connolly – CEO, Toro Solutions
The session was held under the Chatham House Rule, so we are unable to share specific examples or attribute the comments that follow. The key themes, however, are set out below.
What do we actually mean by convergence?
Early in the discussion it became clear that convergence is still understood in very different ways. Several panellists noted that the term is widely used but lacks a shared meaning, which makes it harder to apply in practice.
Rather than sitting neatly within cyber or physical security, the risks being discussed cut across people, culture, operations, finance, reputation and wider business decisions. For many in the room, this is why converged risk felt like a more accurate description of the challenge organisations are trying to address.
How risk is framed matters. When security is positioned as a technical function owned by a specialist team, it is treated as a narrow problem with a narrow solution. One contributor argued that understanding risk requires defenders to also think like an attacker: a purely defensive posture creates blind spots and limits both innovation and responsiveness to novel attack vectors.
Convergence is not about joining up security functions for their own sake. It is about widening the field of view across the organisation so that connected risks are understood, prioritised and addressed before something goes wrong.
People are the solution
This reframing led to one of the strongest themes discussed – convergence is ultimately delivered by people.
While technology and process matter, meaningful convergence depends on leadership, trust and behaviour. The panel reflected on major incidents where success did not come from having the right expertise immediately available, but from leaders being able to operate calmly, make decisions and communicate clearly in a live incident.
Convergence is not achieved by relying on technical specialists alone. It requires leaders at all levels who understand risk, can maintain a strategic view and are able to bring people together across disciplines.
Resilience is the word that opens doors
Contributors noted that when issues are framed purely as security, conversations can close down quickly. Security language often signals restriction, cost and control, which can limit engagement and narrow the discussion. Reframing the conversation around resilience shifts the focus to continuity, performance and the organisation’s ability to function during disruption, making it easier for senior leaders to engage with the issue.
Knowing what really matters under pressure
Once that conversation opens, the challenge becomes prioritisation. One panellist referred to the concept of the minimum viable organisation: the core functions that must continue even when everything else is disrupted. These functions are the heartbeat of the organisation. If they fail, everything else follows. Yet many organisations have not defined them properly. When a crisis hits, the instinct is to protect everything, which often results in protecting very little.
Insider risk is a good test case for convergence
The discussion highlighted insider risk as a useful way of understanding whether an organisation is genuinely converged or simply structured to look that way.
Insider risk rarely presents itself clearly or in one place. Signals can emerge through cyber activity, physical behaviour, HR data and personal circumstances, often in combination. Periods of organisational change can amplify this further, creating vulnerabilities that no single function is able to see or assess in isolation.
Responding effectively requires HR, security, cyber and leadership to work from the same picture from the outset. In reality, that is harder than it sounds. These relationships are often underdeveloped until an incident forces teams together and by then the opportunity for early intervention has usually passed.
This led to a broader reflection amongst those present. When risk cuts across people, systems and behaviour, responsibility cannot sit with one team alone. Everyone has a role to play and without shared ownership, genuinely converged risk management remains difficult to achieve.
Security is still being brought in too late
A recurring frustration was that security and resilience teams are often brought into conversations after key decisions have already been made.
Live incidents and immediate demands consume capacity, leaving little space to influence decisions upstream. This creates a reactive cycle that reinforces itself. Several contributors highlighted the need for earlier and more structured engagement with finance, HR, procurement and operations, where disruption is often felt first. A crisis should not be the first time responders from different departments meet each other.
Regulation was seen by some as beginning to shift this dynamic. While not a solution in itself, some felt it is starting to give security a clearer voice by bringing risk conversations forward and creating a stronger mandate to be involved earlier.
When incidents force convergence
When something goes wrong, silos usually disappear quickly and people work together whether the organisation is set up for it or not.
The difference is how well that collaboration holds under pressure. Where teams already know each other and understand how decisions are made, things tend to move faster. Where they do not, time is lost clarifying roles, language and ownership while the incident is already unfolding.
Clear structure was seen as critical in these moments, particularly the role of gold, silver and bronze command. When applied effectively, it provides clear separation between strategic, tactical and operational decision making.
The need to keep the right people in the room was also noted. Effective crisis response is not just about technical expertise. It depends on leadership, communication and the ability to maintain a strategic view while others focus on the detail.
One contributor described the shift from siloed to connected working as moving from black and white to colour. It changes awareness, accountability and how seriously the wider organisation engages. That contributor's organisation implemented an open channel for business units to report all incidents to HQ. This gave HQ visibility of day-to-day issues and localised frustrations, and brought security leaders and their managers closer together through shared challenges and empathy.
If you cannot speak the language of the CFO
Language ran through the entire discussion.
Security professionals often default to terminology that makes sense within their own discipline but not across the business. Acronyms and specialist language create distance and limit influence. Clear, shared language is critical. Framing conversations in terms of operational impact, continuity and cost changes how they are received. In practice, language is influence and it shapes whether security is treated as a technical matter or a business risk that warrants attention and investment.
This is particularly relevant at board level, where security is not always discussed with the same weight as risk or resilience. The language used can determine whether it is heard at all and whether investment follows.
Convergence is a culture problem
There is a tendency to treat convergence as an organisational design exercise. Change the reporting lines and the job is done.
The discussion challenged that directly. Convergence is defined by behaviour, not structure. It is reflected in how information is shared, how decisions are made and how teams work together day to day. An organisation can restructure and still operate in silos. It can also achieve meaningful convergence without structural change if the behaviours are right.
The threat environment is evolving
The operating environment is becoming more complex and the pace is increasing. Connected systems, smart infrastructure and new uses of technology are creating new dependencies and new vulnerabilities at the same time. Many organisations have grown their operational footprint faster than their security posture.
Threat actors have adjusted. Attacks now move across cyber, physical and human domains, often aiming for disruption rather than data theft. These threats exploit the gaps between teams, not the individual systems.
The discussion made it clear that when systems fail, recovery is rarely just a technical task. It relies on communication, coordination and the ability to work across functions under sustained pressure. This is where resilience becomes real.
One contributor recommended that organisations be presented with a single threat assessment covering threats across all domains, so that security leaders are brought together to prepare for and respond to a blended threat.
The question that remains
Many organisations only achieve convergence during a crisis. When pressure lifts, old patterns return. Most people recognised this.
The shift in language from converged security to converged risk matters because it better reflects how organisations operate. Risk is shared. Resilience is the outcome. Neither can be delivered from inside a single team.
The challenge is not understanding this in theory but making convergence part of day-to-day operations rather than something organisations rely on only in a crisis.
We will keep exploring these topics as the series of converged events develops. If you would like to be part of future discussions, get in touch.
We are also running a Converged SIG as part of the Security Institute and if you are a member we’d like to encourage you to join.
