Convergence

Where Governance and Active Security Meet

This event addresses the common conundrum of “us vs them” when it comes to the governance and active security realms.

The industry has generally accepted a split between typical Governance, Risk, and Compliance (GRC) functions and those of an operational and/or tactical nature. That traditional approach no longer works for the industry as a whole.

Background information

In today’s increasingly complex and threatening digital environment, the traditional separation between organizational governance and active security is no longer sustainable.

This webinar explores the critical convergence of these two essential functions. We will delve into why this integration is necessary, examining the drivers such as true remediation efforts, escalating cyber threats, evolving regulations, and the significant business impact of security incidents. By understanding the key areas of overlap, organizations can move beyond siloed approaches to build a more robust and resilient security posture.

This session will provide practical insights into how organizations can effectively bridge the gap between governance and active security.

We will discuss the benefits of a converged strategy, including improved risk management, enhanced compliance, and more efficient resource allocation. We will also address the challenges that organizations may face in achieving this integration and offer actionable steps to foster better collaboration, establish shared goals, and embed security considerations into the core of organizational governance.


Join to:

  • Understand the key drivers behind the convergence of governance and active security.
  • Identify the critical areas where governance and active security functions intersect within an organization.
  • Recognize the benefits of an integrated approach to security for improved organizational resilience.
  • Analyze the common challenges organizations face when trying to converge governance and active security.
  • Learn practical steps and strategies for fostering better collaboration and integration between governance and security teams.

Questions and Answers

Convergence, as discussed by Andres Andreu, refers to the essential integration of traditionally fragmented functions like governance, risk, and compliance (GRC) with active cybersecurity operations. Historically, these areas have operated in silos, leading to disconnects and inefficiencies. The aim of convergence is to unite these functions to manage risk holistically across an organisation, moving away from a “throwing things over the fence” mentality to one of shared responsibility and proactive problem-solving. This alignment is no longer optional; it is crucial for an organisation’s future-proofing and survival in the face of evolving cyber threats.

The convergence of governance and active security is crucial now due to several environmental drivers. Firstly, there’s increasing stakeholder pressure from boards, regulators, and insurers who are demanding more integrated views of risk. Cyber insurance questionnaires, for example, have become much tougher, reflecting a desire to see cyber risk quantified and aligned with business priorities. Secondly, many businesses still fail to treat cyber threats as fundamental business risks, often isolating them within IT or finance. However, incidents like ransomware attacks demonstrate widespread impacts, affecting shareholder confidence, regulatory compliance, and exposing leadership gaps. Lastly, a significant challenge is the communication gap; CISOs, GRC leaders, and business professionals often “speak different languages”, hindering effective collaboration and setting up organisations for governance failure during crises. Bridging this gap with shared metrics and collaborative exercises is paramount.

The cases of Uber and Maersk provide stark contrasts regarding the impact of convergence. Uber, despite having an extensive and well-documented GRC apparatus, has experienced multiple breaches. This indicates an operational disconnect between their theoretical GRC framework and actual cybersecurity implementation, highlighting the risks of siloed approaches. The “paper compliance” did not translate into effective operational security. In contrast, Maersk demonstrated successful convergence during a major cyber incident, recovering in just 10 days from an event that should have taken months. Their leadership fostered immediate, forced collaboration across various functions to solve the problem, rather than allowing traditional silos to impede recovery. These examples underscore that success in managing cyber risk is less about tools and more about aligned leadership and a collaborative mindset.

Operational convergence within an organisation means shifting from a focus on structure or tools to behaviour and organisational culture. Practically, this can manifest in several ways:

  • Joint Committees: Establishing a joint Governance Security Committee that reports directly to the board, ensuring unified oversight.
  • Integrated Dashboards: Creating dashboards that combine operational and compliance risk data, presenting a single, cohesive view of risk to board members.
  • Cross-functional Tabletop Exercises: Regularly conducting simulated incident drills involving privacy, legal, security, communications, and business leaders to foster real-time collaboration and preparedness.
  • Elevated CISO Role: CISOs gaining visibility and decision-making capability at the board and business levels, moving beyond being “buried under IT.”
  • Understanding What to Protect: Organisations actively understanding the value of their assets and data, ensuring that security measures are intentional rather than merely compliance-driven.
  • End-to-End Oversight: Establishing an entity or process that oversees the entire journey from risk identification to remediation, breaking the “throwing things over the fence” cycle.

Organisations typically fail in achieving convergence by mistakenly assuming it’s a tooling problem rather than a leadership and organisational culture issue. Silos persist because priorities are misaligned; compliance teams focus on reports and audits, while security teams chase active threats, often without shared goals or a common language. This creates communication gaps and “turf battles” over budgets and responsibilities. An inactive approach to addressing this fragmentation becomes extremely costly, especially during an incident when existing cracks widen. Another common failure is a lack of trust between different functions, as illustrated by auditors lacking practical experience yet being tasked with making recommendations. Leaders who accept the status quo and the existence of silos prevent the necessary collaborative pursuit of solutions.

CISOs must actively lead the shift towards convergence by leaning into the business leadership space, even if initially unwelcomed. Key steps include:

  • Building Joint KPIs: Develop shared Key Performance Indicators (KPIs) across risk, governance, and cybersecurity teams to foster common goals.
  • Continuous Board Training: Regularly educate board members on the meaning of security within the broader context of governance and protection, sending unified messages rather than fragmented ones.
  • Embedding Security in Design: Advocate for security to be an integral part of system and process design from the outset, rather than an afterthought. This demonstrates the CISO’s influence capability.
  • Influencing Peers: Foster a culture where peers want to collaborate, understanding that imposing demands is ineffective.
  • Strategic Scenario Planning: Collaborate on scenario planning exercises that are subjective and strategic to the organisation’s specific weaknesses, ensuring the simulations yield valuable insights for improvement.

Identity risk intelligence serves as critical “connective tissue” between governance and security within the convergence model. Modern threat actors primarily exploit identities (e.g., through phishing, synthetic identities, credential abuse, or infostealer leaks that bypass MFA). Real-time visibility into identity exposure is crucial because it informs not only protective mechanisms but also policy development. Without this intelligence loop, organisations remain blind to a significant portion of their attack surface, hindering effective convergence. Since every part of an organisation involves identities, this intelligence brings together siloed information, sitting at the apex of the convergence zone to provide a holistic view of risk.

AI and automation should be leveraged as enablers of convergence, not just operational accelerators. They can significantly aid by:

  • Translating Signals: AI can translate large volumes of technical security signals into understandable business risk language far more effectively than humans, mapping threat activity to compliance posture in real-time.
  • Strategic Insight: By understanding the environment and having intentional design, AI models can be trained to cut through data noise and provide strategic insights, aligning security and GRC on specific outcomes.


To engage boardrooms, who often view security as a cost centre, CISOs must:

  • Understand Their Language: Recognise that board members speak a different language (often financial) and learn to translate security concepts into their terms.
  • Reframe the Narrative: Present cybersecurity not merely as a defensive function or overhead, but as a strategic differentiator and a vital component of business resilience.
  • Quantify Risk Financially: Use concrete business examples and cyber risk quantification (CRQ) to demonstrate the financial impact of potential breaches. This means presenting risks in terms of monetary costs if actualised, and the financial benefits of investing in protection, directly addressing their profit-maximisation mindset. By tying metrics, risk, and business continuity to money, CISOs can gain the necessary buy-in and support.

Our guests


Dr Lindie Grebe

Senior Lecturer, College of Accounting Sciences, University of South Africa

Dr Grebe is a chartered accountant and senior lecturer at the University of South Africa (Unisa).

She teaches postgraduate accounting sciences through blended learning using technology in distance education, and through face-to-face study schools throughout South Africa. During her employment at Unisa, she also acted as Coordinator: Master’s and Doctoral Degrees for the College of Accounting Sciences (CAS), chairperson of the research ethics committee and chairperson of the Gauteng North Region of the Southern African Accounting Association (SAAA).

Before joining Unisa as an academic, she gained ten years’ experience in audit practice and in commerce.