authors: Schneller, Louisa; Porter, Cody Normitta; Wakefield, Alison
title: Implementing Converged Security Risk Management: Drivers, Barriers, and Facilitators
date: 2022-05-12
journal: Secur J
DOI: 10.1057/s41284-022-00341-6

Converged security risk management is an approach that addresses interdependencies between security-related business functions that have traditionally been managed by separate departments within organizations. It is a more effective means of addressing organizational security risks and threats than tackling physical and information security challenges separately, given that the boundaries between the two are frequently blurred. However, fully converged security remains the exception rather than the rule, leaving organizations increasingly vulnerable as their adoption and reliance on digital technologies accelerates. Through interviews with eight senior security professionals, this research identified key factors critical to effective converged security risk management, expressed as ‘drivers,’ ‘barriers,’ and ‘facilitators.’ The practitioners’ accounts illuminated how the modern threat landscape continues to drive further the need for such an approach, while the traditional separation of corporate security departments from the information security function in organizations remains a barrier. A greater focus on training and education, as well as soft skills, were identified as key priorities in the drive for an effective converged approach.

The professional security community has actively promoted a 'converged' approach to organizational physical and information security management for around two decades, at the time of writing, which might reasonably be expected to have reached maturity by now. Reasons contributing to this apparent lag and how it may be alleviated are explored further below.
Some of the earliest references to convergence are now difficult to source. For example, it was a recurring theme of the American periodical the IOMA's Security Director's Report going back to at least 1999, according to later editions (Seivold 2007, 2012). The movement gained momentum in 2005, when the security associations ASIS International, ISACA and the Information Systems Security Association formed a coalition called the Alliance for Enterprise Security Risk Management, to promote such an approach and its recognition at organizations' board level. In order to examine the impact of convergence on global enterprises, the Alliance commissioned research from consultants Hamilton (2005), which conducted a survey and interviews with senior security professionals representing US-based global companies with revenues ranging from $1 billion to more than $100 billion. The findings depicted an ongoing shift from the functional separation of these two dimensions of security management, to one in which such activities were integrated to improve the value of the business. They reported the key drivers of these developments as being the rapid expansion of the enterprise ecosystem, value migration from physical to information-based and intangible assets, new protective technologies blurring functional boundaries, new compliance and regulatory regimes, and continuing pressure to reduce cost. In their research for the ASIS Foundation, Beck et al. (2019, p. 3) defined convergence as 'security/risk management functions working together seamlessly to address security holistically and to close the gaps and vulnerabilities that exist in the spaces between functions.'
In practical terms, this means that 'fully converged functions are generally unified and interconnected, reporting to one security leader,' often having 'shared practices and processes, as well as shared responsibility for security strategy,' so that they 'work together to provide an integrated enterprise defence.' The US government Cybersecurity and Infrastructure Security Agency (2021, p. 2) employs a more concise definition that draws attention to the inadequacies of an insufficiently collaborative approach, describing convergence as the 'formal collaboration between previously disjointed security functions.' Convergence forms part of an enterprise-wide approach to the management of risk (often referred to as 'enterprise risk management') and, within such a framework, the management of security risk ('enterprise security risk management') (Deloitte and Touche 2006; CSO Roundtable 2010; Willison and Sembhi 2017; Allen and Loyear 2019).

When the advent of computers marked the beginning of the journey from the industrial age to the information age, computer usage in organizations was mostly limited to data centers and their protection was focused on securing the physical infrastructure (Mutsaers et al. 1998; Vermeulen and Von Solms 2002). Technically, in the earliest days of organizational computing, converged security was the norm. The development of personal computers, new types of personal software and the expansion of chip technology (Mutsaers et al. 1998) led to their growing ubiquity in organizations from the early 1980s, increasing the potential damage of attacks and making organizational security much more complicated. The protection of IT systems required additional technical security measures, and it was from this point that information security began to evolve as a distinct business function and professional specialism (Vermeulen and Von Solms 2002).
While the main benefits of IT advancement were initially to organizations' internal effectiveness, it became increasingly central to the realization of strategic business objectives, for example, enabling the integration of the systems of suppliers and customers, and a matter for top management (Mutsaers et al. 1998). Through the 1990s, information and the IT systems to support it came to be recognized as critical business assets and gave impetus to the development of information security practices and standards (Vermeulen and Von Solms 2002). The ISO 27000 family of international standards for information security (ISO/IEC 2018) has its origins in the British Standard BS 7799, first published in 1995 by BSI Group, and has adapted to increasing legal and regulatory requirements associated with the protection of data in a fast-evolving information landscape. Since that time, computing power has multiplied many times over (see Schaller 1997 on Moore's Law); the increasing ubiquity of digital devices has offered companies new ways of interacting with customers; and digital innovations like cloud computing, the Internet of Things (IoT), and artificial intelligence technologies are reconstructing how businesses function. A global survey of executives undertaken by McKinsey and Co. in July 2020, early in the COVID-19 pandemic, suggested that the challenges it had presented organizations, and necessary adjustments like the rapid expansion of home working, had already accelerated the adoption of digital technologies by several years. These factors have made organizations increasingly information-driven and transformed the nature and extent of the threats being faced. The pandemic required numerous adaptations to organizational security (Jie et al. 2020), including the designation of frontline security operatives in the UK as critical workers (Security Industry Authority 2020).
Today, IoT technologies are transforming society through the proliferation of smart platforms (e.g., homes, buildings, infrastructure, and cities) and the integration of digital, cyber-physical, and social systems. At the same time, however, they present profound risk management challenges due to their complexity and the limitations of existing risk management models and practices (Nurse et al. 2017). The concept of Industrial IoT (IIoT) has entered the business lexicon to refer to its application to manufacturing and industrial processes, taking the risks to critical infrastructure to a new level. This urgency has been recognized by the US government, which established a Cybersecurity and Infrastructure Security Agency (CISA) in 2018, and in CISA's publication of a convergence guide in 2021. The guide advocates '[a]n integrated threat management strategy' reflecting 'in-depth understanding of the cascading impacts to interconnected cyber-physical infrastructure' (p. 2), and views '[a] culture of inclusivity' as being 'vital' to the successful convergence of security functions and 'fostering communication, coordination, and collaboration' (p. 3).

The potentially disastrous outcomes should the security of such systems fail were illustrated in the cyber-attack on Silicon Valley start-up Verkada Inc. in March 2021. The hacktivist group claiming responsibility wished to show the ubiquity of surveillance in modern life and, in doing so, exposed sensitive footage from within hospitals, prisons, and 222 cameras within Tesla warehouses and factories, claiming to have footage from all Verkada customers (Turton 2021). The potential for misuse of the available footage is significant, and the hacktivists highlighted not only the omnipresent nature of surveillance in today's society but also the vulnerabilities in modern networked security systems.
In the contemporary risk climate, it is unsurprising that an international survey of chief executive officers (CEOs), chief information security officers (CISOs), and chief security officers (CSOs) found that the CISOs were receiving more attention and funding than CSOs (Cilluffo et al. 2019). The arms race between information security practitioners and cyber criminals has arguably now reached fever pitch. The fact that there are now thought to be 4.19 million cybersecurity professionals worldwide evidences the scale of demand for cyber security expertise, and it is estimated that a further 2.72 million additional professionals are needed globally to enable organizations adequately to defend their critical assets ((ISC)2, 2021).

It might reasonably be expected that the historic silos between physical and information security would by now have significantly broken down. However, the extent of the problem that remains was highlighted in the World Economic Forum's (2016) Global Risks Report 2016, which observed that 'While there are many "C" level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management' (p. 78). The ASIS Foundation research (Beck et al. 2019) suggested that organizations, particularly large ones, have generally been slow to do this, constrained by confusion over who owns these risks and, therefore, whose role it is to manage them. It reported disappointingly low rates of what it termed 'full convergence' in the accounts of just 19% of over 1000 executives from the United States, Europe, and India who responded to the survey.
However, the convergence of either physical or cyber security with business continuity management (the planning and preparation undertaken by organizations to enable them to restore their business functions following disruption) was more commonplace, reported in nearly half of the organizations surveyed. The report's authors suggested that the lack of a singular definition or understanding muddied the findings. The research noted varied responses when security professionals were asked what the term meant to them. Indeed, a one-size-fits-all approach to convergence may not be effective or even possible (Hamilton 2005), given the varying requirements of different markets, industries, and professions (Willison and Sembhi 2017). It needs to be customized to meet the requirements of unique organizations within specific lines of business (Aleem et al. 2013; Beck et al. 2019). Gill and Howell (2016) emphasized that more research is required to move the conceptual into the practical, particularly in understanding the different convergence approaches or models that may be employed. Related to this is the importance of security practitioners regularly updating their learning, in new approaches to security risk management in general, and convergence approaches specifically (Aleem et al. 2013).

Beck et al. (2019) cited confusion over roles and responsibilities, reporting lines and communication, as well as conflict among converged staff, as continuing barriers to the effective implementation of convergence. Recruiting people with the right skill sets was identified by Beck et al. as being crucially important. Their findings suggested, however, that leadership of converged efforts could be based on 'culture, personality, relationships or even happenstance' (p.
12) rather than leaders necessarily possessing the required business skills and soft skills ('the intangible, nontechnical, personality-specific skills that determine one's strengths as a leader, facilitator, mediator, and negotiator,' according to Robles 2012, p. 457). In earlier research on corporate security, leadership and strong communication skills were identified as essential means to ensuring organization-wide buy-in of the management solution (Briggs and Edwards 2006). In its Chief Security Officer (CSO) Guideline, ASIS International (2013) emphasizes that, at a strategic management level, strategic, business, organizational positioning, and interpersonal abilities are more critical than technical security skills. Brooks and Corkill (2014) also recognize practitioners' business understanding as being key to converged implementation, while a business-driven approach also ensures that the value-creating activities of an organization can continue (Aleem et al. 2013). The implications of failure are grave, as Beck et al. (2019) underscored, presenting the risk of missing key threats and failing to achieve full awareness of the organization's total risk position.

To gain a closer, qualitative understanding of the benefits and challenges in implementing an effective converged approach to corporate security, semi-structured interviews were conducted online via the Skype and Zoom platforms between February and March, 2020. Eight senior corporate security professionals from Europe, Australasia, and the Middle East (six male and two female) were interviewed, as detailed in Table 1. All of the candidates, bar one, who was approached directly, were selected from responses to a call for participants published on the professional social networking sites LinkedIn and Twitter. Collectively, the participants were specialists across the fields of IT security, physical security, and business continuity.
They represented both the private and government sectors, and a wide range of industry experience including logistics, energy, cyber security and information technology, automotive, and national defense. One participant was also active in conducting research into practical security convergence. The participants were either responsible for actively setting up and/or maintaining converged approaches within their organizations, or they recognized that the principles behind convergence were present in their organization even if this approach had not been formalized. Their interviews were audio-recorded and then transcribed verbatim to allow for in-depth analysis.

The research findings emerging from the participants' accounts were grouped into three main categories termed the 'drivers,' 'barriers,' and 'facilitators' of security convergence. 'Drivers' refers to the primary security and risk challenges that prompted or influenced the participants and their organizations to consider or implement a converged approach. 'Barriers' addresses elements identified by the participants as a limiting factor in its effective implementation or continuation. Finally, 'facilitators' represents factors that were identified as supporting the success of convergence. Figure 1 presents a map of the three main themes and the subthemes deriving from the data analysis and associated with each, which are discussed in turn.

Fig. 1 Thematic Map of perceived converged risk and security management themes and subthemes

The future security challenges that most concerned the security professionals interviewed, termed the 'drivers,' included cyber-attack, fraud, information and physical security, organizational reputation, and organized crime. The priority threats identified by the participants varied by their industry, so organized crime, for example, was a particular concern for just one of the interviewees owing to their involvement in the shipping sector.
However, all but one spoke of cyber-attack as an issue requiring more attention, highlighting the extent to which this sphere presents ongoing and increasing security challenges for organizations. The concept of 'evolving risks' was also discussed by the research participants, highlighting the constantly changing risk and threat environment in which security professionals operate, and their need to remain abreast of this. The responses incorporated both simple and more complex articulations, for example:

The threats are always changing and that's the way it always is and always will be. (P8)

So, I think there is high potential where quantum computing can have a very positive dimension, as you can make multiple tasks in a in a piece of a second but also you can really destroy security codes in the piece of a second (which really are quite secure at the moment.) And we rely on them, and the big question mark that I see as forthcoming is what happens if all these high security codes become insecure in the, let me say, a week or a day. (P7)

Such implicit and explicit understandings of the ever-changing risk and threat landscape informed the security professionals' recognition of the need for an efficient way of addressing its management.

The final category within the drivers theme was 'separation/gaps in coverage.' This referred to responses in which the security professionals either specifically or unintentionally spoke of scenarios in which the delivery of security had failed, or would fail, due to the complete separation or lack of communication between various departments or organizations. Most security professionals raised such issues, whether it referred to the necessity of closing the gaps or the benefits of such gaps being eliminated. The responses suggested that security professionals are aware of the pitfalls that organizational or departmental separation can cause, and the benefits that rectification of it can reap.
It stands to reason, therefore, that the successful management of this separation is still a driving force behind the delivery of an effective approach to converged risk and security management.

The second major theme of the research was 'barriers,' representing elements identified by the security professionals that, in their experience, actively contributed to the failure or impediment of converged risk and security management. The identified barriers ranged from traditional organizational roles through to the individual behaviors of those involved in the converged security management process or attempted implementation. Half of the security professionals spoke of what was eventually categorized within the data analysis as the 'difficult initiation process.' They covered topics within these parameters that included the lack of organizational buy-in, and the difficulty in bringing disparate groups within the organization together in the first place. For example, one participant described the challenge of first managing and understanding their immediate role, and then having to bring together separate groups within an organization and externally, stating:

This takes time, to understand the bunch of topics that are in your area of control at the moment, and then you need to make a plan to get this done … And then you have a lot of interfaces internally and externally, for example, police, etc., state authorities, and internal, you have a whole bunch of functions like legal, internal audit, production and so on. (P7)

Their comments illustrated how the process of implementing converged security management could be a personal challenge. Other interviewees echoed this view, for example, one commented:

I expect from my managers that if they have a topic, that they oversee the whole issue, and that they get their colleagues from the same department (but working maybe on different topics) to get on board … But that's also the challenge.
(P6)

The security professionals also described the difficulty in trying to corral groups and roles within their organizations that were traditionally separated within the organizational culture. The participants intimated that, in their experience, a lack of trust within their organizations had also created barriers to the effective delivery of converged risk and security management. They cited a lack of trust both from within and outside the organizational security department as a barrier to success. For example, one security professional recalled a previous chief security officer's refusal to trust their colleague's abilities and professional specializations.

The other one we had before was only on paper, doing the pointing and doing the telling. It does not work like that. (P3)

However, it was also clear that this lack of trust extended beyond the security group. Another security professional described how the trust of those within the organization, yet outside the security group, could become a barrier:

But this is, I think, the major part, that management could say that "oh this is ridiculous, is the CSO really able to do the cyber stuff? Is he knowledge-wise good enough to deal with a whole bunch of topics that could be a hurdle to overcome?" and then someone has to let loose. (P7)

The evidence illustrated how hard security practitioners must work to build trust within their own department and secure the confidence of those outside the security department, particularly within departments in which converged security was actively sought.

Individual personal factors were also identified as barriers by the security professionals, pertaining both to those trying to implement converged security management, and those with whom they had to work while implementing it. The comments gathered showed how a perceived loss of professional status could affect the engagement of both groups.
For example, one security professional spoke of the reticence that may be felt by a chief security officer (CSO) if they are concerned that failure might affect their professional status. They also spoke of a similar feeling in those who did not want to cooperate with the CSO:

(P7)

And then you've got the physical security people thinking that these cyber people are after their jobs. (P8)

Plausibly, the participants may have felt that a fear of the loss in status on both sides could also potentially be a barrier to successful converged security management.

The collected evidence regarding barriers shows multiple factors that the security professionals considered important. Traditional groups or silos within organizations can be difficult to break down and the personal challenge required to do this can be considerable. Meanwhile, fears regarding the loss of professional status can plague both the practitioner seeking to implement a converged response and those with whom they seek to work.

The security professionals also identified factors placed under the heading of 'facilitators' that, according to the professionals' experience, contributed in some way to the success of a converged approach to security. These ranged from desirable personal skills, to how security and risk management are conceptualized and, finally, the practicalities of an effective organizational structure. All the security professionals identified multiple beneficial skill sets. Six of the eight interviewees spoke of the need for practitioners to have a strong business understanding to be personally effective, gain support from other areas of the organization, and help mitigate the barriers described above. For example:

And then the other side is being part of in part of the business, the advantage is you can get buy-in. You're able to sell stuff to the business. As an important thing.
(P4)

All the security professionals spoke of the need for strong communication skills, once again identified as being necessary to help alleviate specific barriers. For example, one interviewee referred to the need to be able to communicate convincingly at board level. Strong communication skills were also identified as being essential for the practitioner to overcome a lack of inter-organizational trust, as another participant described:

I think you need to present them really the synergies and benefits coming out of that so that they can really weigh it and measure the whole stuff. Then they become most probably convinced. (P7)

Another key facilitator identified by the research participants was the concept of collaboration, referring to the need for security practitioners to move beyond the boundaries of their role within the group or organization. As one interviewee observed:

You can specialize in one area but must also take into consideration other parts of security specialisms that may not be clear to you, that you're not clearly an expert in but you know where to go to get further information. (P5)

The security professionals also noted that the convergence of threats made collaboration an unavoidable necessity, another stating:

Other personal skills mentioned both directly and indirectly by the security professionals as mitigating barriers to convergence included flexibility and leadership. These were seen to enable the practitioner to cross departmental boundaries within the organization and secure buy-in. Flexibility was described by one interviewee as providing a way to cross gaps in security coverage and facilitate collaboration and communication:

You can specialize in one area but must also take into consideration other parts of security specialisms that may not be clear to you, you're not clearly an expert in, but you know where to go to get further information.
(P5)

Half of all security professionals discussed leadership directly and emphatically, one elaborating:

Having the right leadership regardless of your background and being open-minded. I think the days of scaring people are long gone if that's the only tool you have. So, I think it's having that strong leadership. Being able to make decisions and be accountable for your decisions, but at the same time grow the business, whatever business you're in. (P5)

Another highlighted that the removal of strong leadership could have a detrimental effect on converged security.

In a lot of companies, it's really depending on the person in charge. For example, if someone who has a converged model leaves the company, there is a big chance that the board goes backwards instead of continuously forward. (P7)

Having a single view of risk and threats was identified as both a conceptual and practical necessity in the effective deployment of converged security management and a further facilitator, with two interviewees commenting:

Some people do practice it. I've seen people with similar backgrounds to me seeing the threats as one and therefore working out the best way to do it and therefore using all assets, people, infrastructure, etc. to

Another factor identified was departmental organization. No single organizational model was perceived by the security professionals as the sole or best method of practicing convergence, but it was indicated that barriers could be avoided by using a more collaborative organizational approach. For example:

What I have also seen is like a hybrid model, let's say, this IT security, this cyber security, we still have the physical security. But you have like a security board where they come together. Discuss the topics with each other, taking partly over or supporting each other, then go out again and do all their own thing again.
(P6)

Another interviewee expressed a preference for the complete merging of departments, while acknowledging that this may not be possible:

While the participants expressed no universal preference for an organizational model, it was clear that whatever method was chosen, including complete merging or a more holistic and collaborative approach, it needed to be clearly defined. This view was evidenced by the following statement:

Education and training were identified as a key facilitator by just over half of the security professionals. Their importance in shaping essential business and communication skills in the security practitioner was reflected in the following comments:

Those who practice risk management security need to become better educated and portray their message to the board and the budget holders in a way that they describe the problem [and] how they're going to resolve it as being of benefit to the business, they get a return on their investment if you like, and therefore it's much more conducive to being successful to fighting the various threats. (P1)

From the data collected related to education, two participants identified a lack of convergence-specific education or training:

I think firstly, the whole concept of a converged approach to security and risk management, as you say, is that the way it is taught at the moment and the way it is trained. They are trained in silos. So courses are there to do risk management or business continuity planning, or physical security and access control. They're all taught separately. This concept is not widely understood. (P1)

I see a trend and I know, get to know, more and more CSOs who have studied this. But we are still in the big minority compared to the overall populations.

A third professional noted a lack of training in keeping with the evolution of modern security. overall.
For today's organizations, security threats are increasingly converged and require a converged approach to risk and security management that adopts a single view of risk. The literature highlights the need for effective converged security management in an increasingly complex operational environment (Azeem et al. 2013; Willison and Sembhi 2017; Beck et al. 2019) in which traditional approaches are no longer wholly effective, particularly considering the increasing reliance on IoT and cloud computing technologies and the new risks these present (Nurse et al. 2017). Recognition of the criticality of managing these convergent threats is not new (Schultz 2007). However, new security challenges, such as those presented by the COVID-19 pandemic (McKinsey and Co. 2020; Jie et al. 2020), and recent security breaches, such as the Verkada cyber-attack of March 2021, clearly demonstrate the vulnerability of this increasingly interconnected environment (Turton 2021), and our findings support this. Senior security professionals participating in the study typically identified the need for a single view of risk encompassing all areas of the organization, and mitigating vulnerabilities caused by increasing interconnectedness and converging threats. All the participants, who were interviewed before the global lockdowns and the changes they brought with them had fully taken effect, recognized multiple security risks to their respective organizations, and acknowledged that the threat landscape was constantly evolving. They viewed converged risk and security management as an essential means to achieving this.

Both the literature and our data reflect how, despite widespread recognition of its importance, converged security management is yet to become the norm within organizations. For the better part of a decade, low implementation rates have been reported (Seivold 2012; Beck et al.
2019), and more research is required to promote this, particularly in understanding the different approaches or models that may be used (Gill and Howell 2016). This research does not consider convergence to be an unqualified good; rather, the approach has been interpreted as beneficial when deployed effectively. The participants in our research recognized these challenges, identifying multiple practical barriers to its implementation, and key facilitators of success.

Significant among the facilitators were strong soft skills in senior security practitioners effectively promoting convergence within their organizations. Leadership and strong communication skills were identified in the literature as means to ensuring organizational-wide buy-in of the management solution (Briggs and Edwards 2006), and the research of Beck et al. (2019) noted that the lack of it led to confused lines of reporting and even personnel conflict. This was also reflected within our findings, with one security professional describing a scenario whereby, if a strong security leader left the organization, there was no guarantee that a converged security management model would continue. It seems inarguable that key skills such as leadership, communication, flexibility, and collaboration will aid effective converged implementation. Since no workable single standard model of converged security management exists (Hamilton 2005; Aleem et al. 2013; Gill and Howell 2016; Willison and Sembhi 2017; Beck et al. 2019), it is perhaps no surprise that soft skills are being relied upon to sell and maintain convergence within the organization.
Perhaps moves by government organizations such as the US government's Cybersecurity and Infrastructure Security Agency to recommend cyber and physical convergence (CISA 2020) will promote a more codified approach; however, in the meantime, such skill sets must be actively cultivated by the security practitioner and wider profession to secure organizational buy-in and effectively manage security across often disparate units within organizations.
Consistently, interviewees suggested that further training and education could promote wider implementation of converged security management, a point that was acknowledged somewhat in the examined literature (Aleem et al. 2013). The emphasis placed on business skills within the literature (Briggs and Edwards 2006; ASIS International 2013; Brooks and Corkill 2014; Engemann 2018) was also echoed by six of the eight interviewed security professionals, as it enables the practitioner to speak the language of the board to ensure buy-in. Considering that recommendations made years ago were still highlighted as issues in the interview data, it is evident that the security profession still needs to meaningfully address these factors. Extending training and education in converged security, business understanding, and wider soft skills will be essential for convergence to be fully realized.
While a conceptual understanding of a converged approach to risk and security management is prevalent, the practicalities of implementing it still present challenges to its practitioners. From the data gathered and analyzed, it is clear that several themes are particularly relevant to security management convergence and its effective implementation. First, the evolving threat landscape, calling for a single view of risk, is making a converged approach to risk and security management more of a necessity.
Secondly, strong business skills as well as softer skills such as strong communication, flexibility, and leadership skills are critical requirements for the security practitioner if the approach is to achieve buy-in from all areas of their organizations, particularly at board level. Finally, it is possible that broader implementation has been slow because converged management suffers from a lack of specific training available to practitioners. Silos need to be broken, not just organizationally, but in how security is taught. Practically, the industry might consider hiring from as diverse a pool of candidates as possible to ensure a greater breadth of experience and amending standard job descriptions to have a stronger focus on softer skills. These recommendations may go some way to broadening the industry skill sets and knowledge base required to approach convergence more effectively.
Addressing the Weakest Link: Implementing Converged Security Enterprise Security Risk Management: Concepts and Applications Chief Security Officer (CSO) Guideline The State Of Security Convergence in the United States Convergence of Enterprise Security Organizations. ASIS International Conference Corporate Security and the Stratum of Security Management BS7799 Code of Practice for Information Security Management CISA. 2021. Cybersecurity and Physical Security Convergence. Cybersecurity and Infrastructure Security Agency Cyber and Physical Security: Perspectives from the C-Suite Enterprise Security Risk Management: How Great Risks Lead to Great Deeds. A Benchmarking Survey and White Paper The Convergence of Physical and Information Security in the Context of Enterprise Risk Management Developments in Risk Security Tackling Cyber Crime: The Role of Private Security (ISC)2 Cybersecurity Workforce Study International Organization for Standardization/International Electrotechnical Commission) Information Security Management. Geneva: International Organization for Standardization/International Electrotechnical Commission Considerations for IT Management in a Covid-19 World How COVID-19 Has Pushed Companies Over the Technology Tipping Point and Transformed Business Forever The Evolution of Information Technology Security Risk Assessment in Internet of Things Systems Executive Perceptions of the Top 10 Soft Skills Needed in Today's Workplace Moore's Law: past, present, and future Risks due to convergence of physical security systems and information technology environments Security Industry Authority. 2020. Covid-19 and the Private Security Industry-FAQs C-Level Contact is Greater in Merged Security IT/Security Depts. IOMA's Security Director's Value Promised by Physical and IT Convergence Going Unrealized. IOMA's Security Director's Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals. Bloomberg, 9 March The information security management toolbox-Taking the pain out of security management Supporting Enterprise Security Risk Management: How Vendors Can Support ESRM And CSM Strategies The Global Risks Report
On behalf of all authors, the corresponding author states that there is no conflict of interest.
Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.