Writing about ‘converged security’, or ‘security convergence’, has tended to be an exercise in frustration over many years, writes Nicholas Dynon, but the emergence of a new entity has – all of a sudden – made things interesting.
We’ve been talking about ‘converged security’ for the better part of two decades. In 2005, ASIS International, ISACA, and ISSA together co-founded the Alliance for Enterprise Security Risk Management (AESRM), which commissioned two Booz Allen Hamilton research reports: Convergence of Enterprise Security Organizations (2005) and Convergence of Enterprise Security Organizations: International Views (2006).
At that time, while the idea of security convergence largely centred around the convergence of physical security and information (cyber) security in the context of technological developments, the definition has undergone various iterations. In addition to the original physical-digital dichotomy, subsequent definitions have included additional domains, such as business continuity, health and safety, and many others.
There have also been shifts in focus on the dynamics of convergence, with some descriptions focusing on converging risks faced by organisations, and others focusing on converging security functions within organisations or converged security solutions.
While the AESRM appears to have become defunct at some stage, ASIS International has continued its drive to position itself at the forefront of converged security research.
In 2019, the ASIS Foundation published The State of Security Convergence in the United States, Europe, and India, which combined a survey of 8,000 senior-level professionals and insights from respected security industry leaders to present a snapshot of the state of security convergence within organisations.
That study found that just 24% of respondents had converged their physical and cybersecurity functions despite “years of predictions about the inevitability of security convergence”.
In 2024, the US Security Industry Association (SIA) published Security Convergence 2024, a review of organisational drivers and approaches for converging cybersecurity, physical security and risk management, which noted that convergence had been a buzzword for decades but had “sometimes been slow to produce results and may look different now than we originally envisioned.”
“Analysis of how convergence was promoted and applied in the past reveals that despite the topic being novel, concepts that were presented fell short on value, were too challenging to execute or both,” states the report.
Having written about and worked within the converged security space for many years, it certainly appears to me that the ‘converged security’ buzzword has tended to fall short in all but the most innovative of mission-critical settings where a small cohort of organisations are operating blended cyber-physical teams or converged security operations centres.
For the rest of us, the idea of converged security has remained, well, just an idea.
That was the case, I thought, until I recently stumbled across the work of the so-called Converged Security Institute (CSI).
In September, the CSI published ST-CSF.001 Converged Security Framework, a standard, it says, “that provides best practices for implementing unified risk management through converged security frameworks,” including defining “the requirements for integrating cybersecurity, physical security, and operational technology security into a cohesive organisational approach that addresses hybrid, systemic, and cascading risks.”
By its scope and detail, it’s the first substantial attempt I’ve read to create a meaningful standard for security professionals around implementing converged security. And it’s not the only document of its type that this entity has published recently.
Just last month, the Institute released ST-CSF.RMA.001 Converged Security Risk Management and Assessment Standard: Comprehensive Strategic Excellence Framework.
This standard establishes converged security risk management protocols, strategic assessment methodologies, and unified governance frameworks that organisations “must implement to achieve measurable operational superiority and competitive advantage across all security domains.”
It shall provide specific requirements for implementing unified risk assessment, comprehensive threat analysis, and integrated compliance management within the abovementioned ST-CSF.001 Converged Security Framework.
Offering professional education and certification in converged security systems and cyber-physical infrastructure, the Institute is led by Dr. Vladimir Bunic who, states its website, is “a leading authority in cybersecurity and digital resilience, with over two decades of experience designing and implementing integrated cyber–physical security solutions.”
“While others are still preaching slides and holding ‘high-level’ discussions without truly engaging with the substance of converged security, the Converged Security Institute is doing the work,” stated Dr Bunic in a recent LinkedIn post.
“We don’t stop at theory. CSI delivers strategic standards for unified risk management and organisational resilience, operationalised across 22 critical domains,” he continued. “These domains are not abstract – they are mandatory, measurable, and aligned with real-world threats: hybrid, systemic, and cascading risks.”
In addition to a range of professional certifications for individuals, the CSI has launched the CSI Trustmark Program, which is a certification that validates an organisation’s commitment to industry-leading security practices and standards.
“This is not about slides,” stated Dr Bunic. “This is about clarity, capability, and standards that transform organisations and products alike.”
The Institute appears to already have delivered training and certification to a range of customers, including reputable organisations in the global security industry.
While I am yet to road test and analyse the offerings within the CSI catalogue, its entry onto the converged security stage is long-awaited. At the very least it will have turned out to have been a worthwhile contributor to the production of converged security knowledge, and at best it may well turn out to be the catalyst for a new and important chapter in the so far underwhelming story of converged security.





