This dinner was the first in a new series for senior risk and security leaders. Our aim was simple: we wanted to bring together people who face the same challenges, talk honestly about what convergence really means, and start building a community that sets the standard for converged resilience.
We held the dinner under the Chatham House Rule, so while the themes and insights can be shared, individual comments and organisations are not identified, creating space for people to speak frankly about their experiences and challenges.
Here’s what was discussed.
What convergence means to us
We began by asking what convergence meant to the audience, and how converged their organisation is today.
Whilst the language still very much varies – some say converged, others say holistic, or integrated, while others talked about building partnerships, interoperability, or collaborating between departments – everyone agreed that convergence is about bringing together cyber, physical and people security, seeing them as one picture of risk rather than separate parts. Indeed, all agreed convergence is closely tied to risk management and is key to developing resilience.
There was a wide range of organisational risk maturity across the room. Some organisations are already highly aligned, with shared policies and regular cross-domain meetings, whilst others are still developing those connections. It was also noted at this point in the evening that convergence is often strongest in heavily regulated sectors, where compliance drives collaboration.
People felt strongly that convergence is about culture, cooperation and communication between teams. Where those relationships are strong, they felt that convergence happened naturally; where they were not, progress was too personality-driven, and when those people left, so did the momentum.
Several guests said that convergence required security teams to have a shared language. There are so many specialisms now that no one can be an expert in them all, but for convergence to work everyone should understand the basics and be able to speak to each other in the same terms. Speaking the same language will then help communicate to the board, who need to hear one clear story about risk. If finance, operations, and security are not talking the same language, convergence will always struggle.
It was also said that convergence needs to grow from the grassroots of security, not just from the top. It should start with the way teams collaborate day to day and build upwards, supported by leadership but driven by shared ownership.
What convergence looks like in practice
The second question asked what convergence looks like in practice and where it works well or not so well.
Across the room, the examples were wide-ranging, but a few clear patterns emerged. Where convergence works, it can be seen in how teams operate every day. Cyber, physical, and people security work from the same plan, share intelligence, and take part in joint risk assessments. They run working groups between the CISO, CSO and HR teams, review incidents together and align their reporting so that risks are discussed in one conversation rather than several separate ones.
Merging standards and policies was seen as a practical marker of success. Where organisations have brought frameworks together, overlaps and gaps are easier to spot.
When convergence breaks down, it often comes down to communication. In some organisations, teams still operate in silos and only come together after something has gone wrong. That lack of regular interaction leaves space for risk to build quietly in the background.
People security was raised several times as an area that still needs attention. Many organisations underestimate how small pieces of public information, such as staff profiles, building details, or corporate social media posts, can be pieced together over time to expose individuals or assets. It shows that convergence cannot just focus on technology; it must include people and awareness too.
Insider risk was another example where convergence can succeed or fail. Some organisations are using cross-functional teams to identify and support individuals in higher-risk roles, providing training or even home security measures. Others still treat insider risk as a disciplinary issue rather than a shared responsibility. Several people said security should work more closely with HR so that these conversations become part of culture, not just compliance.
Everyone agreed that today’s threats are fully blended. Drones were given as a strong example. They are often seen as a physical threat, yet they can also be used for cyber attacks or data collection. AI and data privacy risks are following the same path. Many organisations still have little visibility of what happens to their data once it enters external systems, and that creates new areas of exposure. These next-generation threats are forcing leaders to rethink where the boundaries of security sit, and that’s another reason why convergence is so important.
When convergence is strong, risk feels owned and understood. When it is weak, it depends on individuals to keep relationships going. As one guest put it, convergence has sometimes been built around people rather than processes. It works while those people are in place, but it is not sustainable. The goal is to create a structure that lasts beyond individuals, built on clear governance, shared accountability and a proper understanding of who owns the risk.
Who owns the risk
This question came up again and again. In many organisations, nobody really knows. Cyber owns one part, physical another, HR another, and the full picture sits in the gaps.
The ideal model was discussed as one senior leader who owns all areas of security and risk and has a direct line into the board. This enables decisions to be made faster, as the board gets a single consistent story. However, industry research discussed on the evening shows that only about 15% of organisations have this structure today.¹
Where that model does not exist, convergence can still happen, but it relies heavily on people bridging the gaps, which is risky. As one guest put it, “there are risk owners out there who don’t know they own the risk”, and without clear accountability, the same problems resurface again and again.
How we move forward
The final question looked to the future: how do we drive converged resilience forward as an industry?
Everyone agreed that progress will only come through continued dialogue, shared examples and genuine collaboration. Industry gatherings like this are vital to keep ideas moving and to show what convergence looks like in practice.
Storytelling came up throughout the evening. Boards don’t want technical detail; they want to understand what is at stake, what has been done and what could have happened if no action was taken. A real example, told plainly, lands better than any risk register because once it feels personal, people understand it and pay attention.
Several people said we need to talk more about success. Convergence is often only discussed after an incident, but there are plenty of positive stories where joined-up working has prevented harm, saved money or strengthened reputation. Shining a light on those moments helps others see the value in the investment of convergence.
The conversation turned to leadership several times throughout the night. The ideal structure to drive resilience forward was discussed as one senior leader responsible for all areas of security and risk, reporting directly into the board. This is still very rare today, but where it exists, it works.
It was agreed that whilst leadership gives direction, it’s culture that keeps it alive. Convergence also needs champions at every level: people who can cut through the noise, build connections and make things happen.
We talked about driving convergence through the next generation of security leaders too. The future will need people who can move between disciplines easily. They don’t have to know everything, but they need to see how everything connects. A cyber expert should understand physical risk, and a physical security specialist should understand cyber, and everyone needs to grasp the human side of risk.
The next generation will also need to communicate better. They’ll need to talk to boards, regulators and colleagues in plain English and explain why convergence matters for the whole business, not just for compliance. Early-career professionals should have chances to work across functions so they can see where the overlaps and dependencies really are.
The group also discussed what drives convergence from the top. Regulation can help, but most felt that cultural change matters more. Convergence should not be something organisations do because they are told to, but because it makes them stronger. Money, reputation and resilience all play a part, and when leaders see that convergence protects value and supports growth, it stops being seen as a grudge purchase.
Keeping the conversation going
By the end of the evening, there was a clear sense that this cannot be a one-off discussion. Convergence is not a new concept, but it has never been more important. It is about people, trust and communication. It is about joining up disciplines and finding common language so that risk is understood and owned across the business. Importantly, security cannot be the responsibility of just a few when it affects all parts of the business. As one guest put it, the attacker will often seek to exploit the pathway of least resistance, but to do so multiple pathways will be tested for exploitation.
Convergence needs to be part of the grassroots of security, built into daily practice rather than driven only from the top. As next-generation threats continue to blur the lines between physical, cyber and human risk, that joined-up approach will only become more important.
If we keep sharing real experiences and learning from each other, convergence will stop being something we talk about and start being something we do.
If you would like to join this growing community and take part in future discussions, please get in touch.
