
Security Intelligence
Physical and Cyber Security Convergence: Building an Integrated Corporate Programme
Physical and cyber threats rarely arrive separately. A senior security consultant examines how integrated security programmes close the gaps that siloed approaches leave open.
Written by James Whitfield
Security threats do not arrive with labels identifying them as either physical or digital. A well-planned corporate espionage operation may begin with a phishing campaign, proceed to credential theft, and conclude with physical access to a facility to install listening devices. A kidnap targeting a senior executive may start with months of OSINT collection and social media monitoring before any physical surveillance begins. The attack surface is unified. The response, at most organisations, is not.
This article examines why the convergence of physical and cyber security matters, how sophisticated adversaries exploit the gap between siloed disciplines, and what a coherent integrated programme looks like in practice.
The Historical Separation
The organisational separation of physical security and information security has historical roots. Corporate security – managing access control, guarding facilities, protecting executives – developed from private policing traditions. IT security evolved separately, growing out of network administration and data protection concerns that were largely technical in nature.
For most of the 2000s and 2010s, these disciplines operated in parallel with little structured interaction. The corporate security director reported to the COO or a legal function. The CISO reported to the CIO or, increasingly, directly to the board. They shared little intelligence and had few formal protocols for joint operations.
This separation worked acceptably when threats were also relatively siloed – opportunistic physical crime on one side, virus and network intrusion on the other. It has become a significant liability as threats have evolved.
How Adversaries Exploit the Gap
Modern adversarial groups – whether criminal, nation-state, or activist – operate across the physical-digital boundary as a matter of standard tradecraft.
Ransomware pre-positioning. The Mandiant M-Trends 2025 report noted that sophisticated ransomware actors increasingly conduct physical reconnaissance of target organisations before deploying malware. This includes identifying the physical location of backup systems, understanding facility access procedures, and in some cases placing operatives inside target organisations as short-term contractors or cleaning staff to gain initial network access.
Supply chain access. Third-party contractors and vendors with physical access to facilities represent a convergence risk that most organisations manage poorly. A contractor who has legitimate badge access to a server room has physical access that can be used for cyber attack. The 2020 SolarWinds compromise, while primarily a software supply chain attack, illustrated how trusted vendor relationships create exposure across both physical and digital dimensions.
Social engineering with physical follow-through. Nation-state actors associated with China, Russia, and Iran have been documented using social engineering campaigns – typically business email compromise or LinkedIn-based approaches – to establish contact with target employees, followed by requests for physical meetings, site visits, or document sharing that creates physical intelligence or access (NCSC Annual Review 2024).
Close protection and device compromise. Targeting an executive’s close protection team is a documented tactic. An operator who is recruited as a source, coerced, or compromised can provide detailed information about the principal’s schedule, security arrangements, and digital habits. In several documented cases, operators have unknowingly enabled device access by allowing third parties to interact with principal devices during events or travel.
Access Management: The Convergence Failure Point
In most corporate environments, the single most common convergence failure is access management. Physical access (badge access, key fobs, visitor passes) is managed by facilities or corporate security. Logical access (network credentials, system privileges) is managed by IT. These two systems rarely communicate in real time.
The consequences are predictable:
- An employee who is terminated may have their network credentials revoked immediately but retain physical badge access for days or weeks
- A contractor who completes a project retains physical access to a facility long after the contractual relationship has ended
- A visitor who is given an unescorted pass to an executive floor has physical access to networked devices, documents, and conversations without any IT security review
- A new hire in a sensitive role may be given network access before their background check has cleared
ASIS International’s Physical Security Convergence Working Group (2024 report) identified access management integration as the top priority for convergence programmes across 340 surveyed organisations. Despite this, fewer than 30 percent had implemented a unified access management protocol covering both physical and logical access.
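The failures listed above all come down to HR status, badge state and account state disagreeing with one another. The following is an added example, not part of the original article or any vendor's product, of a minimal leaver and vetting reconciliation across the three sources. All record layouts, identifiers and dates are constructed, and the check for credentials with no HR record behind them goes one step beyond the cases the article lists.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a vendor schema.
TODAY = date(2025, 3, 10)
HR = {  # person id -> HR / contract record of truth
    "e100": {"status": "terminated", "end": date(2025, 3, 1), "vetted": True},
    "c200": {"status": "contractor", "end": date(2025, 2, 14), "vetted": True},
    "e101": {"status": "active", "end": None, "vetted": False},
    "e102": {"status": "active", "end": None, "vetted": True},
}
BADGES = {"e100": True, "c200": True, "e101": False, "e102": True, "v300": True}
ACCOUNTS = {"e100": False, "c200": False, "e101": True, "e102": True}


def reconcile(hr, badges, accounts, today):
    """Return sorted (person_id, finding, days_overdue) tuples."""
    findings = []
    for pid in sorted(set(hr) | set(badges) | set(accounts)):
        rec = hr.get(pid)
        badge = badges.get(pid, False)      # physical access enabled?
        account = accounts.get(pid, False)  # logical access enabled?
        if rec is None:
            # Live credential with no HR or contract record behind it.
            if badge or account:
                findings.append((pid, "orphan_access", 0))
            continue
        end = rec["end"]
        ended = rec["status"] == "terminated" or (end is not None and end < today)
        if ended:
            days = (today - end).days if end else 0
            if badge:
                findings.append((pid, "badge_after_end", days))
            if account:
                findings.append((pid, "account_after_end", days))
        elif not rec["vetted"] and (badge or account):
            # Access granted before the background check cleared.
            findings.append((pid, "access_before_vetting", 0))
    return findings


if __name__ == "__main__":
    for row in reconcile(HR, BADGES, ACCOUNTS, TODAY):
        print(row)
```

Run on a schedule against exports from the HR, badge and directory systems, a check like this gives the cross-functional review a concrete list to work from even where the systems themselves are not integrated.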
The Threat Intelligence Gap
Equally significant is the intelligence gap. Physical security teams and IT security teams collect different types of threat intelligence and typically do not share it systematically.
A corporate security team may be aware of a threat actor conducting physical surveillance of a facility – but this information does not reach the IT team, which would recognise it as potentially indicative of a pre-attack reconnaissance phase. Conversely, the IT team may identify indicators of compromise suggesting a targeted intrusion campaign against the organisation – information that the corporate security team needs to assess whether they should increase physical security posture for executives.
Shared threat intelligence does not require sophisticated technology. A weekly joint briefing between senior physical and IT security personnel, with a shared log of significant events, is a more effective starting point than an expensive technology platform with no agreed process for using it.
Integrating Close Protection into the Digital Programme
For organisations running executive protection programmes, convergence has direct operational implications.
Close protection operators spend significant time with principals in contexts that create digital exposure: commercial aviation security queues, hotel business centres, conference venues with public Wi-Fi, meetings with external parties. An operator who is not trained to basic digital security standards creates a gap that a technically equipped adversary can exploit.
At minimum, close protection operators and their team leaders should understand:
Device security basics. The principal’s devices should never be left unattended in public spaces or handed to unknown individuals. Charging from unknown USB ports is a documented vector for device compromise (“juice jacking”). Public Wi-Fi requires VPN use. These are not advanced technical requirements – they are behavioural standards that operators can enforce.
Communication security. Where the security of communications is important, the team should use end-to-end encrypted messaging (Signal is the current standard). Operators should understand why secure communication channels are used and what information should not be transmitted over standard channels.
Social engineering recognition. Operators may be approached by individuals seeking information about the principal’s schedule, security arrangements, or personal details under various pretexts – journalist, conference organiser, building management. They need to recognise these approaches and report them through the appropriate chain without engaging.
Digital anomaly reporting. Unusual device behaviour, unexpected contact from unknown individuals claiming to be from the principal’s organisation, or suspicious requests for information should be reported to the security operations function. Close protection teams are well-positioned to observe anomalies; they need a clear channel to report them.
Building a Convergence Programme
Effective convergence does not require merging the physical and IT security functions under a single chief, though some larger organisations have done this with a Chief Security Officer role spanning both domains. It does require:
Joint governance. A security committee or working group with senior representation from both physical and IT security, meeting regularly, with a shared risk register and joint escalation protocol.
Unified access management. A shared process for granting, reviewing, and revoking both physical and logical access – ideally integrated at the technology level, but at minimum with a cross-functional review process for joiners, movers, and leavers.
Shared threat intelligence. A common format for recording and sharing threat intelligence across both functions. Incidents and near-misses should be reviewed jointly to identify whether they have implications for both domains.
Joint incident response. When an incident occurs, both physical and IT security should be at the table from the start. A physical security incident may have digital dimensions that are only apparent with IT security input, and vice versa.
Training across disciplines. Physical security personnel benefit from basic digital security awareness training. IT security personnel benefit from understanding physical threat vectors. Neither group needs deep expertise in the other’s domain – but each should understand enough to recognise cross-domain implications.
Technology Platforms
Several technology vendors offer convergence platforms that integrate physical access management with IT security monitoring. These include Lenel, Genetec, and CCURE. These platforms can provide real-time correlation between physical access events and network activity – flagging, for example, when a badge access event occurs outside normal working hours at the same time as a large data transfer.
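The correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any of the named platforms; the event tuples, working hours, time window and size threshold are all assumptions chosen for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; layouts are assumptions, not a platform export format.
BADGE_EVENTS = [  # (time, badge holder, door)
    ("2025-03-08T02:14:00", "c200", "server-room"),
    ("2025-03-10T09:05:00", "e102", "floor-3"),
]
TRANSFERS = [  # (start time, account, bytes sent out)
    ("2025-03-08T02:31:00", "c200", 48_000_000_000),
    ("2025-03-10T09:30:00", "e102", 52_000_000_000),
    ("2025-03-08T02:40:00", "e102", 60_000_000_000),
]


def out_of_hours(ts, start_hour=7, end_hour=19):
    """Weekends, or any time outside start_hour..end_hour, count as out of hours."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def correlate(badge_events, transfers,
              window=timedelta(minutes=60), min_bytes=10_000_000_000):
    """Pair each out-of-hours badge event with large transfers close in time."""
    alerts = []
    for b_ts, holder, door in badge_events:
        b_time = datetime.fromisoformat(b_ts)
        if not out_of_hours(b_time):
            continue
        for t_ts, account, size in transfers:
            t_time = datetime.fromisoformat(t_ts)
            if size >= min_bytes and abs(t_time - b_time) <= window:
                # A different account moving data while someone else is on site
                # is worth flagging separately: it may indicate borrowed credentials.
                kind = "same_identity" if account == holder else "different_identity"
                alerts.append((holder, door, account, kind))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, TRANSFERS):
        print(alert)
```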
Technology platforms add value but are not a substitute for process and governance. An organisation with an integrated convergence process and no specialist technology is more secure than one with an expensive platform but no joint working protocol.
Summary
Physical and cyber security convergence is not a theoretical aspiration – it is an operational necessity for any organisation facing sophisticated adversaries. The separation of these disciplines is a historical artefact that modern threat actors exploit systematically.
The starting point is not organisational restructuring. It is joint threat intelligence sharing, unified access management, and close protection teams that understand digital exposure. These steps are achievable without significant investment and deliver immediate improvements to the integrated security posture.
For further reading, see our articles on corporate security programme design, data centre and critical infrastructure physical security, executive digital security on international travel, and security for banks and financial institutions – where the physical-cyber interface around server room access and trading floor security presents a specific convergence challenge. For the physical access control, insider threat, and operator vetting considerations specific to colocation and hyperscale data centre environments, see our data centre and technology facilities security guide. For the telecoms infrastructure layer where physical and cyber security converge most directly – including the Electronic Communications Security Act 2021, Volt Typhoon pre-positioning in UK and US networks, submarine cable sabotage risk, and the physical security of tower estates and network operations centres – see our security for telecom infrastructure guide.
James Whitfield is a Senior Security Consultant with 20 years of experience in corporate security, executive protection, and integrated security programme development.
Key takeaways
Most serious incidents combine physical and digital elements
Ransomware deployments often involve physical access to internal networks. Espionage operations frequently combine social engineering with physical entry. Treating them as separate disciplines misses the attack surface.
Separate reporting lines create dangerous blind spots
When the CISO and the Head of Corporate Security report to different executives with no formal coordination mechanism, intelligence is siloed. This gap is consistently exploited by sophisticated adversaries.
Visitor access control is the most common convergence failure
A vendor with physical access to a server room, a contractor with badge access to an executive floor, or a visitor with an unescorted pass represents both a physical and a cyber threat. Most organisations manage these through separate processes.
Convergence does not require organisational merger
Effective convergence starts with shared threat intelligence, joint incident protocols, and coordinated access management – not necessarily merging IT security and corporate security under one chief.
The principal protection team needs digital awareness
Close protection operators who do not understand digital attack vectors leave principals exposed to social engineering, device compromise, and communication interception. Basic digital hygiene training is now a standard component of close protection.