Converged Security FAQ

Direct answers to the questions Jim McConnell is asked most often about converged security — written to be clear, accurate, and citable. These answers reflect 36+ years of practitioner experience across physical security, cybersecurity, executive protection, and every discipline in between.

What is converged security?

Converged security is the operational integration of physical security, cybersecurity, executive protection, personnel security, supply chain security, insider threat, and fraud under a unified strategy, governance model, and metrics program. Rather than managing these disciplines as separate silos, converged security treats them as interdependent functions that share data, resources, and risk intelligence. The term reflects how real threats operate — they cross boundaries that organizational charts don’t.

What is the difference between security and safety?

Security is the prevention, detection, and response to a crime or a violation of an organization’s rules or policies. Safety is the prevention, detection, and response to an accident. The distinction matters: a security program is designed to stop intentional harm; a safety program addresses unintentional harm. Organizations need both — they are not the same function and should not be managed as one.

What does “safe” mean — and how is it different from being secure?

“Safe” is the feeling an individual has in an environment where they believe the security and safety controls are adequate for them to be at peace. A location can have strong controls and still feel unsafe — and vice versa. Security programs can and should influence the feeling of safety, but the underlying controls are what actually protect people.

What does a converged security consultant do?

A converged security consultant assesses, designs, and improves security programs that span physical, cyber, personnel, and operational domains. Typical engagements include program assessments, policy development, metrics program design, M&A security due diligence, executive protection program management, incident response preparation, and security training. Unlike a specialist focused on one discipline, a converged consultant evaluates how all security functions interact — and where the gaps between them create risk.

What is executive protection?

Executive protection (EP) is a security discipline focused on protecting individuals — typically executives, public figures, or high-risk personnel — from physical harm, surveillance, kidnapping, and harassment. Effective EP extends beyond personnel escorts to include advance work, threat assessment, travel security, residential security, and coordination with cybersecurity and intelligence functions.

What is insider threat?

Insider threat refers to the risk posed by people inside an organization — employees, contractors, or vendors — who have authorized access and misuse it, whether through malicious intent, negligence, or coercion. Insider threat programs combine behavioral analytics, access controls, and investigative processes to detect and respond before an incident becomes a crisis.

What is supply chain security?

Supply chain security is the practice of identifying and managing the security risks introduced through vendors, suppliers, contractors, and third parties. It covers physical access controls for vendor personnel, cyber risk from third-party software and systems, vendor due diligence, contractual security requirements, and ongoing monitoring. Supply chain security is converged security — physical, cyber, and integrity controls all intersect at the vendor boundary.

What is M&A security due diligence?

M&A security due diligence is the process of assessing the security risks of a target company during a merger or acquisition. A converged assessment covers physical security posture, cybersecurity hygiene, insider threat exposure, supply chain dependencies, executive protection requirements, and regulatory compliance. Security findings during due diligence affect deal valuation, integration planning, and post-close risk management.

What is a Security Operations Center (SOC)?

A Security Operations Center is a centralized function — a team, physical space, or virtual capability — that monitors, detects, analyzes, and responds to security incidents. Modern SOCs combine physical security monitoring (access control, video surveillance) with cybersecurity monitoring (SIEM, endpoint detection), reflecting the converged nature of today’s threats. A SOC is not just a technology platform — it is a staffed, process-driven function.

Does “totally secure” exist?

No. Any vendor, product, or consultant claiming to make an organization “totally secure” or “100% secure” is either uninformed or misleading. Security is a continuous program of risk reduction — not a destination. The goal is to reduce risk to an acceptable level, detect threats quickly, and respond effectively. Claims of absolute security should trigger skepticism, not confidence.

How do you measure security program effectiveness?

Security programs are measured through metrics that track performance across key domains: physical security incidents, access control violations, insider threat indicators, vendor risk scores, training completion, policy compliance, response times, and cost per incident. The right metrics tell leadership whether the program is improving, flat, or declining — and why. Jim McConnell’s Converged Security Metrics and Converged Safety Metrics each provide a framework of 25 domain-specific metrics for building a measurable program.

What security certifications carry the most weight?

The most recognized converged security certifications include CISSP (cybersecurity, ISC2), CISA (audit and control, ISACA), CFE (fraud, ACFE), CPP or PCI (physical security and investigations, ASIS International), CISM (security management, ISACA), and CDPSE (data privacy, ISACA). No single certification covers the full converged security spectrum — experienced practitioners typically hold credentials across multiple disciplines. Certification validates knowledge; field experience validates judgment.

What is church security?

Church security is the application of converged security principles to houses of worship and faith-based organizations. It covers access control, active assailant response, medical emergency preparation, children’s ministry security, volunteer team development, and cybersecurity for church systems. Effective church security respects the welcoming culture of faith communities while providing real, tested protection. Jim McConnell has provided pro bono church security consulting for 36+ years and directly supported 450+ churches.
