Leadership

How are you moving to a more holistic security risk management approach in your organization?

In increasingly complex operating environments security managers are recognizing the need to move beyond handling just “guns, guards and gates”, and start to work more holistically with their organizations.

This involves delivering security knowledge and expertise right from the outset of strategic decisions and projects, and working with teams to avoid risks that lower the chance of delivery.

It also means communicating in the language of business performance to ensure stakeholders are aligned on the value of security, not just the costs, and information sharing that helps the organization work more productively.

Holistic security risk management

Does security risk management in your organization suffer from a silo problem?

The Enterprise Security Risk Management approach is built on the foundation of taking a holistic view of organizations and the varied risks they face. This requires cross-functional communication and collaboration to adequately assess, mitigate and manage security risks. 


Unfortunately, many people still see their organization as lacking sufficient knowledge sharing and collaboration between different departments. This has significant consequences to business operations, with silos leading to communication and productivity problems and failures. 


The problem is particularly pronounced for security risks, with the increasing complexity of threats organizations are facing, and the impact of those threats growing exponentially due to our interconnected world.


How is your organization reducing functional silos and increasing collaboration?

Security Risk Management Silo Problem

How do you begin to understand your security risk culture?

As the old adage goes, “culture eats strategy for breakfast”. A great security risk management strategy will go nowhere if your organization doesn’t have the right culture to implement it.

So how do you go about understanding what your culture is, and what the gaps are between this and where you want to be? Chances are, you’ve already got the data you need to back up what you’ve seen from your experiences and conversations. You can use this data to highlight behaviors, outcomes, trends and hotspots in your organization’s security risk management.

How have you addressed understanding and changing security culture in your organization?


The evolving role of the Security Manager

This week we’re reading Angus Darroch-Warren’s piece about how the role of the Security Manager is changing.

(You can read the piece here.)

This article has some great analogies of how security managers are forced to evolve and adapt as the world is increasingly interconnected, with old silos breaking down.

Building on this, we’ve highlighted three focus areas that will help security professionals win in this complex environment.

  1. Understand your business. It’s been said before and is certainly easier said than done. However, it is crucial to know what drives value and cost in your organization. Who are your customers, where are they operating, what are their needs, who are your competitors and how is the landscape changing? Understand this to gain better insight into what and how you should protect and add value to your business’ customers. A business course will likely add significantly more value than a security course for any security manager today.

  2. Continuously review and adjust. The times they are a-changin’ – and so is the old game of cat-and-mouse. The days are gone where you could review your security assessments once a year, wait for an incident, or not review at all. The world is increasingly unstable, and threats are growing more complex and technologically advanced. This forces you to continuously review risks and mitigation measures to stay ahead.

  3. Simplify your communication. You must be able to explain to a non-security colleague what you are doing and how it supports the business in 2 minutes. That is the only way to get the buy-in and awareness that can change behavior, which is usually the most effective way to manage risks.

Is your risk management robust enough to be included in strategic planning?

Senior executives don’t see their organizations’ current risk management approaches as mature, and there are concerns about the quality of risk reporting.

This contributes to the strong perception that risk management doesn’t add strategic value. Given that the general view is that the number and complexity of risks on the horizon are growing, how is your organization addressing this, and how is your security risk management team supporting strategy development and planning?

Risk Management and Strategic Planning

With Human Risks you have all the information you need at your fingertips. Our platform enables Security Managers to:

  • Recommend mitigation measures for potential threats

  • Give an overview of current and residual risk levels

  • Understand the risk profiles of new and potential locations using external data feeds

I didn't Invent the Wheel...

…But I am suggesting security professionals replace spreadsheets with a better way - I've been the caveman to the right for too long.

When managing security risks three things are important:

  1. Keep it simple – and help your organisation understand the “why” through involvement

  2. Link risks to mitigating measures. Keep it simple and scalable, and

  3. Put effort into implementing those measures. This is where you add value and reduce risk

We are trying to give security professionals an updated overview across multiple sites and allow you to involve the organisation (back to the “why”) by delegating and measuring on the implementation of measures in one single platform. If you are curious about how we do that please contact us for a demo at www.humanrisks.com or send me a message.

Lucky for us, not all say “No thanks!” One of our customers - a major player in the food industry with sites in most parts of the world – said this about Human Risks in a recent interview:

» Human Risks enables us to decentralise the security risk management process, which helps us empower local management to take ownership. It increases the effect of what we are doing and reduces our costs substantially.

Sometimes it feels like being a caveman suggesting his peers try something new…


How To Create Value In Security Risk Management?


Mitigating measures that support the objective

Security risk management is ultimately about prioritising available resources. All the hoops security professionals go through to assess threats, vulnerabilities and risk levels are at the end of the day for them to be able to single out what threats should be countered by which measures in which order.

It is a very positive trend that the security risk management community has increasingly been focusing on "enabling": making sure that one's own effort is in line with the organisation's strategy and objectives, and that security supports and strengthens the organisation rather than limiting it. In other words, the security manager can go from being the "naysayer" to saying "yes, we can do that - if..." and can even add competitive edge through how security risks are managed: the footprint you leave, the international standards you comply with, the ability to integrate with your customers' organisations (how can we add value to our customers' customers?) or the information you are able to deliver. The possibilities to enable and strengthen the organisation are many.

Involvement & collaboration!



That is why two of my areas of focus have always been to:

1) involve relevant stakeholders in security risk management (get inspiration on the "how" from the power-interest grid by Eden & Ackermann, 1998), even though it takes time and you have to accept that you will not look as efficient to senior management as you could. In the long run, you will have a much greater impact. Remember that "effect = involvement x quality", and if you have to change how people work, involvement is key.

AND

2) prioritize implementing the mitigating measures you have evaluated as worthwhile during the security risk assessments. It is a trap to get so fascinated by the colours of your heat maps and the details of your risk register that you forget what it is all about: implementing measures that change the level of risk your colleagues (and customers?) are facing. It is the basic business discipline of "Project Management" that will change things "where the metal meets the meat", or in business language, where you meet your customers' needs.

To keep it short: put effort into identifying and implementing the mitigating measures that support your organisation, and prioritise the involvement of relevant stakeholders.

The author is the CEO & Founder of "Human Risks" - an online platform for security risk management where identification of mitigating measures, management and involvement is in focus. Read more on www.humanrisks.com