How are you moving to a more holistic security risk management approach in your organization?

In increasingly complex operating environments security managers are recognizing the need to move beyond handling just “guns, guards and gates”, and start to work more holistically with their organizations.

This involves delivering security knowledge and expertise right from the outset of strategic decisions and projects, and working with teams to avoid risks that lower the chance of delivery.

It also means communicating in the language of business performance to ensure stakeholders are aligned on the value of security, not just the costs, and information sharing that helps the organization work more productively.

Holistic security risk management

How are you addressing human behavior as a security vulnerability?

We reached back through the archives this week to a piece from 2016 on the role of people in avoiding security risks. You can read the article here.

 

Security technology has improved significantly over the past few years, but most organizations have lagged when facing what is likely their biggest vulnerability - people. Regardless of the many policies and procedures we produce, it’s often an individual’s behavior that makes the difference between avoiding a security risk, such as a social engineering attack, and becoming the victim of one. 

 

And human behaviour is not something that can be changed easily. There are three crucial principles to keep in mind when designing behavioral interventions in your organization.

 

Get their Attention: First you need to make sure you’re actually getting people's attention, which is difficult in this era of overwhelming internal communications and demands on employees’ time.

 

Make it Relatable: Second, you have to give people a reason to listen to you by convincing them that whatever is on your agenda (such as avoiding a cyber-attack) is directly and immediately important to them.

 

Keep it Simple: Third, you need to introduce simple, easy-to-remember and easy-to-use tools that will help them avoid threats, and decrease the overall likelihood of threats occurring.

 

Want more security risk management knowledge straight to your inbox? Sign up for our newsletter here

Does security risk management in your organization suffer from a silo problem?

The Enterprise Security Risk Management approach is built on the foundation of taking a holistic view of organizations and the varied risks they face. This requires cross-functional communication and collaboration to adequately assess, mitigate and manage security risks. 

 

Unfortunately, many people still see their organization as lacking sufficient knowledge sharing and collaboration between different departments. This has significant consequences to business operations, with silos leading to communication and productivity problems and failures. 

 

The problem is particularly pronounced for security risks, with the increasing complexity of threats organizations are facing, and the impact of those threats growing exponentially due to our interconnected world.

 

How is your organization reducing functional silos and increasing collaboration?

Security Risk Management Silo Problem

Make company standards easy to follow and implement with Human Risks

Human Risks makes it easy for companies to put their security risk management policies and procedures into action with:

  • Standard templates

  • Rating definitions

  • Automatically suggested threats and treatments

  • Implementation tools

Want to see how much better your security risk management could be? Sign up for a free trial today

How do you begin to understand your security risk culture?

As the old adage goes, “culture eats strategy for breakfast”. A great security risk management strategy will go nowhere if your organization doesn’t have the right culture to implement it.

So how do you go about understanding what your culture is, and what the gaps are between this and where you want to be? Chances are, you’ve already got the data you need to back up what you’ve seen from your experiences and conversations. You can use this data to highlight behaviors, outcomes, trends and hotspots in your organization’s security risk management.

 How have you addressed understanding and changing security culture in your organization?

culture data.png

As terror threats grow in complexity organizations need to continuously revise their security analysis and measures

Findings from Europol’s recently-released 2019 EU Terrorism Situation and Trend Report underline the continuing need for organizations to keep their responsibility as employers at the forefront.

 

Typically, duty of care is mostly discussed in the context of employee travel, but we believe it needs to be a larger part of all security conversations as organizations improve and revise their current mitigation measures. The threat from terrorist attacks in the EU remains high, as perpetrators have shifted focus away from conflict zones. The most disturbing finding of the report is that terrorist capabilities seem to have grown to include the use of CBRN weapons.

 

While the total number of attacks (foiled, failed and completed) has dropped from 2017 to 2018, the increased complexity of the threat, the growth in right-wing terrorism and the shifting power balance between Islamic State and Al-Qaeda demands attention. To combat these future threats organizations need to conduct continuous intelligence analyses and revise current mitigation measures to ensure the safety of all employees and assets.

You can read the full report here

Are you using data operationally, or are you using data to improve business performance?

New research from Marsh and RIMS shows the majority of Risk Managers are using risk management data for operational tasks such as insurance renewal decisions, providing data to external parties and for ad-hoc enquiries and situations. Only a minority are using data to support strategic planning, improving long-term operational performance and making adjustments to risk management strategy.

How do you use risk management data in your organization, and does it align with your security risk management goals?

Risk management data use.png

Cloud-based solutions are delivering growth and improved security

This week we’ve been reading McAfee’s latest research report on the benefits businesses have derived from using cloud-based solutions.

We were excited to see the results showing that cloud infrastructure is leagues ahead of on-premise performance!

The survey covered 1000+ enterprises in 11 countries from March to May this year and found that the vast majority of companies (87%) experienced a form of business acceleration from growth, productivity gains and time to market improvements. In fact 41% experienced a direct link between business growth and their use of cloud services.

What stuck out most to us were the security improvements that many businesses experienced. Microsoft and other cloud hosting providers are investing heavily in security, often significantly more than the businesses they serve. We see a clear benefit for companies to leverage these services and take advantage of this enhanced security, especially to address growing cybersecurity threats. Indeed, 52% of the businesses surveyed experienced improved security, 44% had improved collaboration and 57% reduced IT spending by using cloud-based services!

 

You can read the full report here 

Image Courtesy of McAfee

Image Courtesy of McAfee

How successful is your organization at having data-driven security conversations?

Security management questions may seem straightforward, but quickly and accurately responding to them often involves a lot of behind-the-scenes manual data gathering, processing and analyzing.

Organizations are dealing with more security data than ever before, which can easily overwhelm these manual processes and make it even harder to use data to drive security risk management decisions. A more streamlined approach using cloud-based management platforms would actually enable your organization to make the most of the growing amount of data, perform quicker analyses and provide a more immediate and accurate overview.

What’s holding your organization back from taking a more data-driven approach to its security risk management?


Security risk management and data management


The evolving role of the Security Manager

This week we’re reading Angus Darroch-Warren’s piece about how the role of the Security Manager is changing.

(You can read the piece here

This article has some great analogies of how security managers are forced to evolve and adapt as the world is increasingly interconnected, with old silos breaking down.

Building on this, we’ve highlighted three focus areas that will help security professionals win in this complex environment.

  1. Understand your business. It’s been said before and is certainly easier said than done. However, it is crucial to know what drives value and cost in your organization. Who are your customers, where are they operating, what are their needs, who are your competitors and how is the landscape changing? Understand this to gain better insight into what and how you should protect and add value to your business’ customers. A business course will likely add significantly more value than a security course for any security manager today.

  2. Continuously review and adjust. The times they are a-changin’ – and so is the old game of cat-and-mouse. The days are gone where you could review your security assessments once a year, wait for an incident, or not review at all. The world is increasingly unstable, and threats are growing more complex and technologically advanced. This forces you to continuously review risks and mitigation measures to stay ahead.

  3. Simplify your communication. You must be able to explain to a non-security colleague what you are doing and how it supports the business in 2 minutes. That is the only way to get the buy-in and awareness that can change behavior, which is usually the most effective way to manage risks.