Converged Security Risk

What is Converged Risk?

Converged risk combines IT and physical security risk into one over-arching risk landscape.

Converged risk recognises that the cyber domain has become a more effective and attractive route for attacking an organisation, that physical security can be undermined by cyber means, and that cyber defences can in most cases be circumvented when the attack comes from within.

Converged risk assesses the combined risk, rather than domains in isolation, in order to mitigate multiple and simultaneous threats.

Converged risk recognises the key role of interdependencies, both internal to critical infrastructure operations and with external organisations, that can threaten physical and information assets.

By bringing together IT and physical security, a converged risk approach considers vulnerabilities dynamically across the three recognised dimensions of physical, people, and process risks, and across infrastructure, operations, and specific events.

Why do organisations need to adopt a converged risk approach now?

This approach is being driven by the convergence of systems technology: as physical security systems become increasingly networked and IT-dependent, IT and network security is now crucial to the integrity of those systems, which is forcing a conceptual and organisational convergence.

We advocate this converged approach to how security measures are organised: it combines technology, processes & safeguards, and management setup & systems into a single security risk framework that integrates IT and physical security. This approach is a major component of our Blue Team services and is supported by our FAIR Methodology in the delivery of our Security Strategy Consulting.

Our converged approach highlights key elements in reconfiguring the security risk organisation. The three dimensions of technology, processes, and management are entirely interdependent, and each requires focus, resources, and accountability to build strength in depth, recognising:

  • Technology is increasingly critical, but is only effective when processes are in place to keep it so. Cyber and physical security systems are critical to mitigating internal and external sources of risk.
  • Processes & training are critical to ensuring security awareness, and are priorities for building effective prevention, detection & response. Processes depend entirely on staff implementing policy, so strict adherence to system and human processes is required, and must be tested rigorously, to mitigate the risk of a breach.
  • Management of the converged approach needs to be strategic and led at the highest level, to ensure effective integration, oversight & budget allocation.

What are the benefits?

  • Risk-informed decision-making, supported by complete and unbiased vulnerability & impact assessments covering IT & physical security.
  • Management decisions grounded in an appreciation of converged threats and of the security capabilities needed against them.
  • Appropriate investment, directed towards the right priorities, to provide suitable defence against converged risk.
  • Appropriate emphasis on both staff and the security processes they follow.
  • Information security positioned appropriately within the security risk landscape, supporting the company's overall risk appetite and broader business goals.
  • Reconciliation of contentious or conflicting views between cyber and physical security.
  • Incorporation of intuitive, judgement-based considerations into risk assessment through a judgement-aided, metrics-based process.
