Who actually owns risk in a converged world?

February 16, 2026
Katie Barnett, Director of Cyber Security, and Gavin Wilson, Director of Physical Security and Risk at Toro Solutions, warn that without clear ownership, organisations struggle to manage threats across cyber, physical and people domains.

Understanding cyber, physical and people threats

Organisations use a wide range of terms to describe the same broad ambition.

Some talk about convergence, others about integrated or holistic security, while many simply refer to closer collaboration between teams.

The language differs, but the goal is usually the same – to understand cyber, physical and people risk as part of a single picture rather than as separate problems.

In practice, however, that ambition often runs ahead of reality. Risks may be increasingly connected, but responsibility for managing them usually is not.

Cyber-risk tends to sit with one function, physical security with another and people-related risk somewhere else entirely.

What is missing is clear ownership of how those risks combine and where accountability ultimately sits.

That gap matters more than many organisations realise.

When responsibility is shared, accountability often disappears

Most organisations can point to examples of better cooperation. In our experience, cyber and physical security teams are starting to talk more than they used to.

HR is becoming more involved when insider threats are discussed and information is starting to move more freely across functions.

These are positive steps, but they are often informal.

They rely on individuals who are prepared to make connections and fill gaps.

Where those relationships are strong, things tend to work, but where they are not, or where key people move on, we often find that progress quickly fades.

The result is a fragile model. Risks are acknowledged, sometimes repeatedly, but no one is clearly accountable for dealing with them, so issues circulate between teams without ever being fully resolved.

Why boards struggle to see the whole picture

Fragmented ownership also makes it difficult to explain risk to senior leadership.

Cyber, physical and people risks are commonly reported through separate channels, each with its own language and measures of impact.

From a board’s point of view, this creates noise rather than clarity.

Multiple reports arrive, none of which show how risks interact or where the organisation is genuinely exposed.

Without a single owner bringing those strands together, leaders are left to piece the picture together themselves.

Boards are not looking for technical detail.

They want to understand what could go wrong, what the consequences would be and whether the organisation is in control.

When each function tells a different story, that understanding becomes harder to reach.

Blended threats reveal structural weaknesses

The lack of clear ownership becomes most obvious when threats cross traditional boundaries.

Hostile reconnaissance might begin with physical observation and lead to a cyber compromise.

Insider risk often involves a mix of human pressure, access control weaknesses and data misuse.

Newer threats, such as drones or AI-driven reconnaissance, can create physical, cyber and privacy risks at the same time.

In these situations, each team sees part of the issue.

Without someone responsible for the whole, early warning signs are missed, decisions slow down while responsibility is debated, and risk starts to build quietly in the gaps.

People risk is still the hardest to place

People-related risk remains one of the least clearly owned areas of security.

Many organisations underestimate how staff behaviour, publicly available information or everyday working practices can be combined over time to expose individuals or assets.

In some cases, insider threats are still mainly treated as an HR or disciplinary matter, dealt with once a problem has already surfaced.

Organisations that bring security and HR together earlier tend to manage this better, particularly where higher-risk roles are identified and supported rather than simply monitored.

Again, the difference is not policy or technology; it comes down to who owns the risk and when they are expected to act.

Why collaboration is not enough on its own

Collaboration is often presented as the answer to fragmented risk. It is important, but it has limits.

Without structure, collaboration depends on goodwill and personal effort. It can look effective for a time, then fall away as priorities shift.

Clear authority, escalation routes and decision rights matter just as much as cooperation.

Some organisations have addressed this by placing responsibility for all areas of security and risk with a single senior leader who reports directly to the board.

This remains relatively uncommon, but where it exists it tends to reduce delay, simplify reporting and make gaps harder to ignore.

Culture keeps convergence alive

However, in our experience, the right structure will not succeed without the right culture.

Convergence has to show up in day-to-day behaviour, not just in reporting lines or strategy documents.

Leadership sets direction, but it is everyday practice that sustains progress.

Shared language, regular interaction and a willingness to look beyond functional boundaries all play a part.

We have found that informal champions are often the ones who keep connections alive and stop threats slipping back into silos.

Looking ahead

As risks continue to cut across cyber, physical and people, uncertainty around ownership becomes harder to justify.

Risk that sits between functions is rarely managed well.

Whatever terminology an organisation uses, the underlying requirement is the same.

Someone needs to be accountable for the whole picture. Someone needs to be able to explain risk clearly, make decisions and be answerable when things go wrong.

Until that is resolved, convergence will remain something organisations talk about rather than something they truly achieve.
