Converged Security: Building an Evidence-Based Road Map

Incidents involving cyber-physical systems are increasing , , and are predicted to escalate further in the coming years . Convergence involves the integration of security resources within an organisation; it has been advocated since the early 2000s as a way of helping understand and mitigate vulnerabilities in cyber-physical systems. There is, however, little empirical research exploring converged security, and no clear roadmap for organisations who want to adopt the approach. My research examines the experiences of organisations who have taken a converged approach to security and uses this to develop an evidence-based roadmap for others to follow. I have carried out three studies to understand the implementation of converged security from different perspectives. Firstly, a literature review and a series of pilot interviews with senior security staff helped to identify the scope of converged security and key factors that facilitate effective convergence. These factors were then used to construct a three-round Delphi study with 23 security professionals working within converged security functions across the world. This study validated 22 critical success factors for implementing converged security. The third study comprised fifteen email interviews with senior staff involved in the decision to converge across different organisations and industry sectors. The interviews examined the move to convergence, and the decisions around its implementation. Taken together these studies provide an evidence-base of the activities that organisations need to adopt when deciding how to implement converged security, such as: effective communication to sell the idea, achieve buy-in and support; having a common goal that aligns converged security with business strategy; and the importance of culture, relationships and respect in ensuring collaboration within and between security resources. Grounded in the real-world experiences of a range of security professionals across different geographies and industries it is apparent that while there is no standard approach to convergence there are commonalities across different implementations. The methodological contribution of this research lies in mixed qualitative methods used remotely. The substantive contribution is an evidence-based road map for the delivery of converged security.