How do you begin to understand your security risk culture?

As the old adage goes, “culture eats strategy for breakfast”. A great security risk management strategy will go nowhere if your organization doesn’t have the right culture to implement it.

So how do you go about understanding what your culture is, and what the gaps are between this and where you want to be? Chances are, you’ve already got the data you need to back up what you’ve seen from your experiences and conversations. You can use this data to highlight behaviors, outcomes, trends and hotspots in your organization’s security risk management.

How have you addressed understanding and changing security culture in your organization?


As terror threats grow in complexity, organizations need to continuously revise their security analysis and measures

Findings from Europol’s recently-released 2019 EU Terrorism Situation and Trend Report underline the continuing need for organizations to keep their responsibility as employers at the forefront.


Typically, duty of care is mostly discussed in the context of employee travel, but we believe it needs to be a larger part of all security conversations as organizations improve and revise their current mitigation measures. The threat from terrorist attacks in the EU remains high, as perpetrators have shifted focus away from conflict zones. The most disturbing finding of the report is that terrorist capabilities seem to have grown to include the use of CBRN weapons.


While the total number of attacks (foiled, failed and completed) has dropped from 2017 to 2018, the increased complexity of the threat, the growth in right-wing terrorism and the shifting power balance between Islamic State and Al-Qaeda demand attention. To combat these future threats, organizations need to conduct continuous intelligence analyses and revise current mitigation measures to ensure the safety of all employees and assets.

You can read the full report here

Are you using data operationally, or are you using data to improve business performance?

New research from Marsh and RIMS shows the majority of Risk Managers are using risk management data for operational tasks such as insurance renewal decisions, providing data to external parties and for ad-hoc enquiries and situations. Only a minority are using data to support strategic planning, improving long-term operational performance and making adjustments to risk management strategy.

How do you use risk management data in your organization, and does it align with your security risk management goals?


Cloud-based solutions are delivering growth and improved security

This week we’ve been reading McAfee’s latest research report on the benefits businesses have derived from using cloud-based solutions.

We were excited to see the results showing that cloud infrastructure is leagues ahead of on-premise performance!

The survey covered 1000+ enterprises in 11 countries from March to May this year and found that the vast majority of companies (87%) experienced a form of business acceleration from growth, productivity gains and time to market improvements. In fact, 41% experienced a direct link between business growth and their use of cloud services.

What stuck out most to us were the security improvements that many businesses experienced. Microsoft and other cloud hosting providers are investing heavily in security, often significantly more than the businesses they serve. We see a clear benefit for companies to leverage these services and take advantage of this enhanced security, especially to address growing cybersecurity threats. Indeed, 52% of the businesses surveyed experienced improved security, 44% had improved collaboration and 57% reduced IT spending by using cloud-based services!


You can read the full report here 

Image Courtesy of McAfee


How successful is your organization at having data-driven security conversations?

Security management questions may seem straightforward, but quickly and accurately responding to them often involves a lot of behind-the-scenes manual data gathering, processing and analyzing.

Organizations are dealing with more security data than ever before, which can easily overwhelm these manual processes and make it even harder to use data to drive security risk management decisions. A more streamlined approach using cloud-based management platforms would actually enable your organization to make the most of the growing amount of data, perform quicker analyses and provide a more immediate and accurate overview.

What’s holding your organization back from taking a more data-driven approach to its security risk management?

Security risk management and data management

The evolving role of the Security Manager

This week we’re reading Angus Darroch-Warren’s piece about how the role of the Security Manager is changing.

(You can read the piece here)

This article has some great analogies of how security managers are forced to evolve and adapt as the world is increasingly interconnected, with old silos breaking down.

Building on this, we’ve highlighted three focus areas that will help security professionals win in this complex environment.

  1. Understand your business. It’s been said before and is certainly easier said than done. However, it is crucial to know what drives value and cost in your organization. Who are your customers, where are they operating, what are their needs, who are your competitors and how is the landscape changing? Understand this to gain better insight into what and how you should protect and add value to your business’ customers. A business course will likely add significantly more value than a security course for any security manager today.

  2. Continuously review and adjust. The times they are a-changin’ – and so is the old game of cat-and-mouse. The days are gone where you could review your security assessments once a year, wait for an incident, or not review at all. The world is increasingly unstable, and threats are growing more complex and technologically advanced. This forces you to continuously review risks and mitigation measures to stay ahead.

  3. Simplify your communication. You must be able to explain to a non-security colleague what you are doing and how it supports the business in 2 minutes. That is the only way to get the buy-in and awareness that can change behavior, which is usually the most effective way to manage risks.

Taking an integrated view of assessing political risk

A recent article in Risk Management magazine focusing on using insurance to mitigate political risk prompted a conversation about the growing complexity of risks in our modern age.

(you can read the article here)

When assessing risks and their potential impact on your organization you have to address them from an integrated and holistic viewpoint. For political risks it is correct that instability, trade wars and barriers can potentially have an enormous financial impact, and insurance might be a good way to mitigate that uncertainty.

But looking more broadly, the potential impact of political risks on the safety of your employees and suppliers is not only financial but also reputational. This is because political risks can strike at the heart of your organization’s moral obligation to provide safe environments for the people it is responsible for.

Your organization might suffer economically, but we all know that the reputational damage can be irreparable if an organization does not live up to its moral obligations. Modern communications ensure a high level of transparency and global opinion that has to be taken seriously.

These challenges are not something you can mitigate with insurance, and there are several examples of companies that have never fully recovered after a reputational setback. 

The complexity of risks is growing as our world is even more interconnected and transparent, which is why integrating the way you evaluate risks and mitigation is more important than ever.

Is your risk management robust enough to be included in strategic planning?

Senior executives don’t see their organizations’ current risk management approaches as mature, and there are concerns about the quality of risk reporting.

This contributes to the strong perception that risk management doesn’t add strategic value. Given that the general view is that the number and complexity of risks on the horizon are growing, how is your organization addressing this, and how is your security risk management team supporting strategy development and planning?

Risk Management and Strategic Planning

With Human Risks you have all the information you need at your fingertips. Our platform enables Security Managers to:

  • Recommend mitigation measures for potential threats

  • Give an overview of current and residual risk levels

  • Understand the risk profiles of new and potential locations using external data feeds

Do you have a systematic way to protect your company from surprises?

A high number of organizations have experienced an operational surprise in the past 5 years.

As a result, executive managers have placed a priority on identifying risks early, before they grow into problems. How are you meeting this challenge given the complexities of managing multiple sites, assets and activities?


With Human Risks you are always updated. Our platform enables Security Managers to:

  • See a total overview of risk incidents and assessments across the business

  • Quickly report (and respond to) incidents using the mobile and desktop apps

  • Integrate external risk incident data feeds