Strategy

How are you moving to a more holistic security risk management approach in your organization?

In increasingly complex operating environments security managers are recognizing the need to move beyond handling just “guns, guards and gates”, and start to work more holistically with their organizations.

This involves bringing security knowledge and expertise in right from the outset of strategic decisions and projects, and working with teams to avoid the risks that lower the chance of successful delivery.

It also means communicating in the language of business performance, so that stakeholders are aligned on the value of security and not just its costs, and sharing information in ways that help the organization work more productively.

Holistic security risk management

Are you using data operationally, or are you using data to improve business performance?

New research from Marsh and RIMS shows the majority of Risk Managers are using risk management data for operational tasks such as insurance renewal decisions, providing data to external parties and for ad-hoc enquiries and situations. Only a minority are using data to support strategic planning, improving long-term operational performance and making adjustments to risk management strategy.

How do you use risk management data in your organization, and does it align with your security risk management goals?

Figure: Risk management data use

How successful is your organization at having data-driven security conversations?

Security management questions may seem straightforward, but quickly and accurately responding to them often involves a lot of behind-the-scenes manual data gathering, processing and analyzing.

Organizations are dealing with more security data than ever before, which can easily overwhelm these manual processes and make it even harder to use data to drive security risk management decisions. A more streamlined approach using cloud-based management platforms enables your organization to make the most of the growing amount of data, perform analyses faster and provide a more immediate and accurate overview.

What’s holding your organization back from taking a more data-driven approach to its security risk management?


Security risk management and data management


The evolving role of the Security Manager

This week we’re reading Angus Darroch-Warren’s piece about how the role of the Security Manager is changing.

(You can read the piece here.)

This article has some great analogies of how security managers are forced to evolve and adapt as the world is increasingly interconnected, with old silos breaking down.

Building on this, we’ve highlighted three focus areas that will help security professionals win in this complex environment.

  1. Understand your business. It’s been said before and is certainly easier said than done. However, it is crucial to know what drives value and cost in your organization. Who are your customers, where are they operating, what are their needs, who are your competitors and how is the landscape changing? Understand this to gain better insight into what and how you should protect and add value to your business’ customers. A business course will likely add significantly more value than a security course for any security manager today.

  2. Continuously review and adjust. The times they are a-changin’ – and so is the old game of cat-and-mouse. The days are gone where you could review your security assessments once a year, wait for an incident, or not review at all. The world is increasingly unstable, and threats are growing more complex and technologically advanced. This forces you to continuously review risks and mitigation measures to stay ahead.

  3. Simplify your communication. You must be able to explain to a non-security colleague what you are doing and how it supports the business in two minutes. That is the only way to get the buy-in and awareness that change behavior, which is usually the most effective way to manage risks.

Is your risk management robust enough to be included in strategic planning?

Senior executives don’t see their organizations’ current risk management approaches as mature, and there are concerns about the quality of risk reporting.

This contributes to the strong perception that risk management doesn’t add strategic value. Given that the general view is that the number and complexity of risks on the horizon are growing, how is your organization addressing this, and how is your security risk management team supporting strategy development and planning?

Risk Management and Strategic Planning

With Human Risks you have all the information you need at your fingertips. Our platform enables Security Managers to:

  • Recommend mitigation measures for potential threats

  • Give an overview of current and residual risk levels

  • Understand the risk profiles of new and potential locations using external data feeds

Extra Extra - Read All About It!

This month’s International Security Journal focuses on “Critical Event Management” and interviewed me about how managing security risks can help prevent a critical event, prepare an organization to manage one and come out on the other side (psst - it’s on page 36…). Download the article here.

Article about Human Risks in this month’s  International Security Journal


How To Create Value In Security Risk Management?


Mitigating measures that support the objective

Security risk management is ultimately about prioritising available resources. All the hoops security professionals go through to assess threats, vulnerabilities and risk levels serve, at the end of the day, one purpose: to single out which threats should be countered by which measures, and in which order.

It is a very positive trend that the security risk management community has increasingly focused on "enabling": making sure that one's own effort is in line with the organisation's strategy and objectives, and that you support and strengthen rather than limit. In other words, the security manager can go from being the "naysayer" to saying "yes, we can do that - if..." and can even add competitive edge through how security risks are managed: the footprint you leave, the international standards you comply with, the ability to integrate with your customers' organisations (how can we add value to our customers' customers?) or the information you are able to deliver. The possibilities to enable and strengthen the organisation are many.

Involvement & collaboration!

That is why two of my areas of focus have always been to:

1) involve relevant stakeholders in security risk management (get inspiration on the "how" from the power-interest grid by Eden & Ackerman, 1998), even though it takes time and you have to accept that you will not look as efficient to senior management as you could. In the long run, you'll have a much greater impact. Remember that "effect = involvement x quality", and if you have to change how people work, involvement is key.

AND

2) prioritize implementing the mitigating measures you have evaluated as worthwhile in the security risk assessments. It is a trap to get so fascinated by the colours of your heat maps and the details of your risk register that you forget what it's all about: implementing measures that change the level of risk your colleagues (and customers?) are facing. It is the basic business discipline of project management that will change things "where the metal meets the meat", or in business language, where you meet your customers' needs.

To keep it short; put effort into identifying and implementing the mitigating measures that support your organisation and prioritise the involvement of relevant stakeholders.

The author is the CEO & Founder of "Human Risks" - an online platform for security risk management where identification of mitigating measures, management and involvement is in focus. Read more on www.humanrisks.com


When an organisation decides to implement a structured approach to managing risks this is what happens!

OK - the list is just some of the observations I have made and is of course not complete, but hey, what don't you do for a catchy headline?

These are some of the positive (side) effects that I have seen come from implementing a structured approach to managing risks:

Awareness - The increase in awareness you can create internally in an organisation is the most important gain. People start discussing what makes a threat and how dangerous it really is (risk), how the organisation's objectives are tied to potential risks, and how managing those risks can either allow them to reach their objectives or even gain competitive advantage by doing so. Awareness is still one of the most important factors if you want to manage risks, because it all comes down to affecting human behaviour. When people gain an understanding of potential risks based on facts, and feel they are heard and involved in a "bottom-up" approach, they are much more likely to adapt their behaviour and embrace "corporate policies", because those policies are partly their own.


Resources - Mapping potential risks and discussing which to counter, and to which degree, is basically a discussion about prioritising resources. The process gives organisations a clear picture of what is at stake, both in terms of impact (people, assets, reputation), financially and in terms of business strategy, which allows them to make informed decisions on which risks to take and how to mitigate them. The decisions should be compared to the objectives of the business and either support reaching them or prompt new ones.


Focus - When you are making an effort to know your current and emerging risks and how to handle them, it gives a calm and an overview that allow the organisation to focus on its key objectives: delivering services and products to its customers, which, to my best knowledge, is what risk management is all about supporting!

What are your experiences? Any points I have blatantly left out? (Read the comments on LinkedIn)