Security used to live in the back office. Compliance checkbox. Cost center. Door alarms and badge readers. That era is ending (albeit not as quickly as we’d like) and the security leaders still operating in it are getting passed over for the ones who can connect security to revenue, resilience, and customer trust.
The shift isn’t simple. It means breaking down silos that exist for political reasons, not technical ones. It means translating risk into language the C-suite already cares about. And it means being honest about the gap between the integrated security operations most organizations claim to have and the ones they actually have.
In a recent panel discussion, “Beyond compliance: Driving business value through integrated security operations,” hosted by Steve Lasky from SecurityInfoWatch, panelists dug into that gap: What’s broken, what’s working, and what it actually takes to evolve. The conversation featured insights from:
- Mark Kelly, Global Security and Risk Executive
- Don Hough, Vice President of Public Sector at COSECURE
- Ben Hopkins, Enterprise Account Executive at OpenEye
- Ryan Schonfeld, Co-Founder & CEO of HiveWatch
Here are nine takeaways from the conversation and what each one means for organizations trying to build security programs that earn their seat at the table.
1. Speak the business’s language (or get ignored)
Mark Kelly opened with a fundamental truth. Making the case for integrated security operations starts with cross-functional alignment. Security leaders need to step out of their silo, understand how other teams operate, and quantify the value they’re delivering in terms the business actually cares about.
Mark used supply chain logistics as an example. If your integrated security approach can address pain points around shipment arrival times or in-transit risk, you’re solving a business goal, not just a security one. His advice was clear: find a pain point you can fix, fix it, and quantify the impact.
What it takes: Security leaders fluent in the language of business outcomes. Controls and compliance frameworks aren’t enough on their own.
2. Stop leading with tools. Lead with outcomes.
Don Hough communicated that when you’re talking to the C-suite or the board, the metrics that land are the ones executives already track: reduced downtime, business continuity, operational resilience.
His advice was direct. Stop leading with tools. The conversation isn’t whether you bought the right technology. It’s whether the business can operate effectively with what you have. That reframe changes everything.
What it takes: Security narratives anchored in continuity, resilience, and operational performance. Not product names.
3. “Beyond compliance” means surfacing risks the business didn’t know it had
Ben Hopkins offered a useful reframe of what “beyond compliance” actually means: expanding the scope of risk management itself. Every vertical has different risk profiles, and the technology already deployed, including video, is sitting on insights nobody is using.
Most surveillance footage is never reviewed. But buried in it are tripping hazards, OSHA violations, customer experience issues, HR concerns, and operational inefficiencies. With AI-powered analytics, organizations can surface and act on those risks, as well as generate ROI from systems originally bought for active threat assessment.
What it takes: A willingness to treat security technology as a multi-purpose source of business intelligence, not just a defensive control.
4. Security has earned a seat at the table, and now it has to keep it
Ryan Schonfeld described how security has shifted from back-office function to business enabler and force multiplier. A series of high-profile events, including the UnitedHealthcare CEO shooting, recent civil unrest and looting, the rise in organized retail crime, and the 345 Park Avenue shooting that brought forth the complexities of multi-tenant occupancy, have reshaped how organizations think about security. CSOs and security leaders finally have a seat at the executive table.
But that seat comes with a tab. Boards aren’t asking whether security feels better. They’re asking what the spend produced. Investments need to generate return, and that return needs to be expressed in language business leaders already understand.
What it takes: Security leaders who can demonstrate ROI in the same terms used by finance and operations. The bar for “business-relevant” has moved.
5. Convergence is a people and governance problem, not a technology problem
This was the most consistent theme of the panel. Mark put it plainly: organizations treat convergence as a tech integration problem, but the real failure points are ownership and decision-making. Nobody is responsible for assembling the full picture.
Insider risk is the textbook example. The signals are rarely in one place. HR sees conduct or performance issues. A manager notices behavior changes. Cyber sees unusual logins. Physical security teams see badge anomalies in places people shouldn’t be. Each team escalates differently. Without alignment, the lack of integration becomes the risk.
Ryan was even more direct. He’s been part of fusion center conversations where the technology turned out to be the easiest part. The hard part is getting the right people to the table and getting them to agree. He said, “The real fights are over escalation paths, data ownership, egos, and empire building. Most teams don’t lose to a missing API. They lose to politics.”
Don added the structural piece. Organizations that perform well in a crisis have a clear governance and decision-making model, real-time situational awareness, and the discipline to exercise their plans against real-world risks, not static documents on a shelf.
What it takes: Defined ownership, governance models, escalation paths, and the political will to put the picture above the territory.
6. Compliance is the stick. Culture is the carrot.
Don drew a useful distinction between compliance-driven security and culture-driven security. Compliance is the stick… you have to meet it. But the organizations that thrive create incentives that make security a cultural priority, not just a regulatory one.
Given the speed and intensity of today’s risks, figuring out the right carrots (that is, what makes business units actually want to prioritize security) is critical to building programs that scale.
What it takes: Programs that reward proactive security behavior across business units, not just penalize the ones that fall behind.
7. AI is powerful. It’s also not magic.
The panel agreed that AI is changing how security operations work. Ben highlighted the most obvious win: cutting the time spent reviewing footage. AI-powered video search lets investigators find what they need quickly, ramps up newer operators faster (he pointed out that the next generation isn’t going to put up with clunky software), and turns video into an auditing tool for broader business questions.
Ryan pushed back on the silver-bullet narrative. He said that yes, AI is good at taking data and surfacing outcomes (that’s the magical part). But garbage in, garbage out is a cliché because it’s true. If your systems aren’t talking to each other and your data isn’t normalized, AI can’t deliver on its promise at scale or in a real-time crisis. He flagged a second pitfall too: organizations rushing to buy AI tools before they know what problem they’re solving.
Ryan also pointed out that larger enterprises are now standing up dedicated AI compliance teams. They’re evaluating what’s happening with the data, navigating global privacy laws, and figuring out which tools actually scale across markets.
What it takes: Clear use cases, normalized data, and governance frameworks that account for privacy, scalability, and what the technology can’t do yet.
8. Insider risk is bigger, broader, and more connected than most organizations realize
Mark made a strong case for insider risk as one of the most pressing risk categories (and one where integration matters). Insider risk shows up across the entire employee lifecycle: in onboarding, sensitive role assignments, and elevated access, as well as in HR conduct and performance issues. It can be elevated when employees start pulling away, and when there are resignations to competitors and reductions in force that need to trigger secure offboarding.
He also pointed to a less obvious dimension. As manufacturing repatriates, with chip manufacturing returning to the U.S., for example, organizations are bringing in outside expertise to fill domestic SME gaps. There are new insider risk profiles that come with that. Addressing the full picture means bringing data streams together across HR, IT, physical, and management. No single silo can solve it.
What it takes: Cross-functional insider risk programs that span the full employee lifecycle and connect signals from HR, cyber, and physical security.
9. More technology doesn’t equal more security
A thread that ran across the panel: the assumption that more tools means more safety is dangerous. Don called it the “more tech equals more safety” trap: over-investing in tools at the expense of training, people, policy, and operational integration. Technology, he noted, is only as effective as it is simple.
Ryan mentioned that there’s a point of diminishing returns where alerts and data pile up faster than teams can act on them. The result is the worst of both worlds: critical signals get missed because organizations are drowning in data they don’t know how to use. Ben raised the same concern from the analytics side. Real-time alerts need to be reserved for genuine risks to safety, security, and the business. Other data needs to be analyzed and used to focus resources where they matter most, not pushed at humans hoping someone will sort it out.
Ryan named the structural problem nobody wants to talk about. The security industry has had bad APIs for a long time. Even when systems can technically share data, the lack of standardization across manufacturers makes normalization brutal. A door-forced alarm from one system looks nothing like the same event from another. End users have the leverage to push manufacturers to change that. Most haven’t used it.
What it takes: Discipline to evaluate whether new technology actually improves operations. Investment in training and integration. And pressure on the industry to standardize what should’ve been standardized years ago.
The bigger picture: what successful integrated security operations look like
Pulling these takeaways together, a clear profile emerges of what it takes.
It starts with business fluency at the leadership level: security leaders who can quantify pain points, align to outcomes, and communicate in the language of the C-suite. It requires governance before technology: clear ownership, decision-making models, and escalation paths in place before systems get integrated. It depends on a culture-first mindset, where incentives make security part of how the business operates rather than a checkbox to satisfy auditors.
Underneath all of that sits the data layer. Integrated, normalized data, which is accessible across HR, cyber, physical, and operational systems, is the connective tissue that lets AI, analytics, and decision-making actually deliver value. Without it, more tools just generate more noise.
And finally, it takes disciplined technology investment and cross-functional alignment. The biggest risks today for organizations are insider threats, organized retail crime, supply chain disruption, and crisis response, which all span silos. No single team, system, or vendor solves them alone.
The shift from compliance to business value isn’t about doing more. It’s about doing the right things, together. The organizations getting this right don’t just protect themselves better. They unlock new sources of operational value, customer trust, and competitive advantage.
That’s the bar. The work is figuring out how to clear it.