Katie Barnett, Director of Cyber Security and Gavin Wilson, Director of Physical Security and Risk from Toro Solutions discusses what convergence means in the face of business resilience.
Every organisation talks about resilience, but not everyone means the same thing.
For some, it is about recovery, getting back to normal after an incident.
For others, it is about continuity, staying operational when disruption hits.
In practice, resilience is both – the ability to adapt, absorb pressure and keep critical functions moving in changing and challenging conditions.
It is a cultural mindset where risk is the responsibility of all and not just a select few. That strength is not built from technology or plans alone.
Resilience depends on how well people, systems and processes work together when it matters most and that’s often when the gaps start to show.
Most businesses still operate in silos. Cyber manages systems, physical security protects buildings, HR handles people and operations keep services running.
Each has its own expertise and reporting line, but threats do not respect those boundaries.
Modern attackers move fluidly across domains; they often seek the pathway of least resistance.
If they cannot breach your network, they will target a supplier. If that fails, they might use social engineering or exploit weaknesses in physical access, they only need one route in.
Inside the organisation, warning signs often appear in different places. IT might spot a spike in failed logins. HR may notice unusual staff behaviour. Facilities could flag strange access patterns.
Each signal on its own may seem minor. Together, they could reveal something serious but if no one is joining the dots, that pattern goes unnoticed.
Convergence is not about cyber and physical security departments working more closely together, reorganising departments or merging teams under one label.
It is about taking a more holistic approach to risk management, connecting expertise so that information flows freely and interoperating between that expertise so that the context is shared.
Cyber, physical and people security remain distinct, as does HR, finance and operations, but they start speaking the same language and start working towards common goals.
It’s not about creating generalists but translators, experts who can explain how their world connects to others.
A cyber analyst might not understand employment vetting in detail, but they can explain how a phishing attempt links to a recruitment scam.
When those conversations happen naturally, you stop seeing isolated incidents and start seeing whole stories.
One client’s biggest breakthrough wasn’t new technology but linking cyber and physical incidents in the same system.
A spike in phishing emails, a lost access card and a late-night alarm suddenly looked like one campaign – that’s the power of convergence.
Many organisations approach resilience as a technical exercise focused on processes, platforms and recovery plans.
But when a harmful event such as a crisis hits, success depends on people, not just paperwork.
Communication breaks down faster than systems do and decisions get delayed because no one is sure who owns them.
The most effective resilience programmes are those that recognise human behaviour and capability as the centre of response.
Plans matter, but practice matters more. Afterall, responses relying on plans and tooling in the digital domain will hit a problem if they cannot be accessed when needed.
Regular cross-functional exercises, not just within a single team, build the confidence and relationships that make coordination work under pressure.
Importantly, they expose weaknesses that lead to improvements, develop memory that leads to less reliance on documented plans and create companionships where in a real-life scenario those support mechanisms become so vital.
At Toro, we see this repeatedly, when different departments train together, barriers drop.
Cyber teams learn what physical responders need from them. HR understands how insider risk connects to wider threat intelligence. It’s through practice that communication becomes instinctive.
In one recent exercise, a simulated data breach forced both technical and customer-facing teams to coordinate their responses.
While IT worked to contain the incident, the communications team had to manage a flood of client queries with limited information.
The first attempt was messy, but by the next round coordination had improved dramatically.
After all, it’s far better to find the flaws in your plan during practice than when the consequences are real.
A team that has rehearsed together and knows what works will always outperform one that is opening the plan for the first time in the middle of an event.
That’s what resilience really is, not a document but a shared confidence built through experience, communication, a common language and shared expertise
Convergence needs leadership from the top. Without senior support, collaboration stalls when priorities compete.
Leaders need to model the behaviours they want to see – openness, accountability and trust.
Leaders must also redefine success – not by silo metrics like uptime or compliance, but by collective outcomes – how well we share intelligence, make decisions and protect people and operations together.
This shift will not happen by accident. It requires clear ownership and commitment. Someone must connect those threads, whether under security, risk or resilience.
The goal is coordination and interoperability, not control.
A converged approach also brings better visibility. Risks that once seemed unrelated start to make sense when viewed side by side.
A data breach and a physical intrusion may share a cause. A staff grievance might link to insider threat indicators.
A supply chain issue might expose both operational and cyber dependencies.
When those patterns become visible, the organisation can act earlier and with more confidence.
That is the real advantage of convergence, not more data, but better insight.
It also supports smarter business decisions. Security and resilience are not separate from performance; they underpin it.
When leadership sees risk clearly, they can prioritise resources, plan strategically and recover faster.
In that sense, convergence not only improves resilience it strengthens competitiveness.
Technology plays its part, but culture decides whether convergence succeeds. If staff see security as someone else’s job, blind spots will reappear.
If processes feel impractical, people will find workarounds.
A strong security culture works for the people who live it.
When staff understand why it matters and see that it helps them do their jobs better, they become part of the defence rather than a weakness.
Culture cannot be dictated; it must be lived.
It shows up in how people respond to uncertainty, how quickly they communicate and how much they trust one another – when that is strong, resilience follows.
Today’s threats are faster, broader and more interconnected than ever.
The only effective response is one that mirrors that complexity with coordination, interoperability and shared expertise.
Convergence will not eliminate risk, but it will make it visible and more manageable.
This article was originally published in the December edition of Security Journal UK. To read your FREE digital edition, click here.
