For instance, under Section 404 of Sarbanes-Oxley, executives at publicly held companies are required to attest to both the physical and logical controls they have in place for data centers where sensitive financial information is processed and stored, says Chris Pick, vice president of corporate strategy at Houston-based NetIQ Corp., a provider of integrated systems and security management tools.

Another regulation that may be helping to drive convergence is the Gramm-Leach-Bliley Act, which requires that financial services firms notify customers if there are any breaches in the security of customer information. The law has led physical and logical security groups at banks, brokerages and insurance companies to work more closely together to address threats to privacy, such as the theft of a laptop containing customer information or a hacker gaining access to sensitive customer data, says Dave Cullinane, president of the Information Systems Security Association.

But while some security managers see a connection between regulatory compliance and convergence, others downplay it. "I haven't seen regulations drive changes in behavior" between the two constituencies, says Mark Lobel, a partner in PricewaterhouseCoopers' process improvement practice in New York.

Most likely, regulatory requirements have reinforced security convergence one company at a time. For example, at Waste Management, the regulations have raised the risk level and "have highlighted security in everyone's view," says Anne Rogers, director of information safeguards at the company.

At the very least, regulatory requirements such as Sarbanes-Oxley are prompting security professionals in each camp "to open up a dialogue about what's needed, with each other and with their legal and audit divisions," says Vish Ganpati, senior associate of enterprise resilience at Booz Allen & Hamilton.