Q. What should senior management be asking their CSOs considering recent high risk events including acts of terrorism in the news?
A. In this Faculty Advisor column, we have two of our experts weighing in on the question. First up is Bob Hayes, Managing of the Security Executive Council, followed by Francis D’Addario, Security Executive Council Emeritus Faculty member.
There are always several questions we wish management would ask or at least take an interest in. But considering recent events, there are a number they should be asking. From a strategic perspective, they should be asking Security what has changed in the operational risk picture and should the company be responding to recent risk changes? One company we have worked with created a position in Legal for an attorney who is assigned to and specializes in operational risk and emerging risks. This reflects the newer senior management focus on risk. The security leader we were working with said management is continually reviewing risk and the company’s response to it. They know there are significant risks that they must be aware of and must react to.
However, in general, management has placed their focus on the enterprise risk assessment, and specifically on the 10-20 most significant risks from that assessment. Resources are assigned and risk mitigation is reviewed. Senior management should be asking, which of the remaining risks from the ERA list have security implications and should be Security’s responsibility? The last five years has told us with terrorism, lone wolf acts, duty of care failures, global travel security requirements, etc., that the operational risks of security can have significant impact on the organization
One of the things that has changed is the employee’s expectations for security in the workplace or while traveling on company business, and awareness/fear of being a victim. The proliferation of 24-hour news, the sensationalism of crime and terrorism, global use of social media, news feed apps and alerting apps allow employees to share situations or incidents in real time. This has had a significant impact on the employee confidence levels in their safety.
In the 1982, a report titled “America Afraid: How Fear of Crime Changes the Way We Live” documented the American peoples fear of crime. One startling revelation was that in people who live in very safe areas and are exposed to crime through the media only often have a higher fear level than people who live in the areas where the most crime is committed. The Figgie Report defined the most significant fear level of crime as concrete fear. Concrete fear makes you change the way you live your life. Senior management should be asking Security if the employees of the company are confident that adequate steps have been taken to keep them safe in the performance of their duties? Has the travel security program given employees the confidence to travel where their jobs take them without undue fear? Can we make employees as safe as possible without hampering their ability to get the job done?
Another impact of media is how much cybercrime is being covered. Because of this, Board members are talking about it more than ever and regulatory authorities are even indicating that every Board should have a member who is responsible for or knowledgeable in cyber security. This is like a trend 20 years ago where it was thought that every Board member should be knowledgeable about reading financial statements.
What other questions should management be asking? Should a survey be conducted to assess the confidence employees have for security? Are the concerns employees /customers have about security risks known? What are the biggest occupational security risks and what is being done to mitigate them? Is it enough – or not enough?
Senior management should also be asking: Can Security quantify the corporate security risk score or the security mitigation strategies score? Can they quantify the residual security risk level our employees and the company face? What is the risk appetite of the Board and senior management who are the true risk owners? Or whether the organization’s risk mitigation spending is in line with the risk score?
Leadership, and in particular C-suite officers, are increasingly tasked to ask and answer security confidence questions emanating from Boards, compliance agencies and other stakeholders. Business continuity and brand reputation outcomes often depend on how executives think about protecting personnel, assets and critical processes before, during and after newsworthy high-risk events.
The critical questions after an event from management usually include:
- “Are our people OK?”
- “Are our partners OK?”
- “What are the business impacts?”
- “Who in the company is responsible for managing such incidents?”
Strategic questions that senior management should follow up with their CSOs include:
- Is our insider/outsider threat diligence persistent enough to detect and nimbly respond to risks, threats and vulnerabilities?
- Is our risk picture changing? Have we sufficiently documented operational mitigation opportunities?
- What are the “lessons learned” from this or more recent events or near misses?
- Are we prepared to deter, detect, respond, mitigate and/or recover from a similar event that directly impacts us? How will we innovate for incremental performance?
- How do current risk intelligence assumptions affect our strategic plan?
- What is our confidence that we are equipped, trained and resourced for continuously improving outcomes from increasingly foreseeable threats? What should we look like tomorrow following a significant event or near miss today?
Name your catastrophe: cyber breach, earthquake, pandemic, severe weather or terrorism. Operational security leaders must anticipate both these events and the strategic questions that may follow. Answers require honest evaluations of capabilities and gap alignment identification for preparedness, emergency response, critical incident management and business recovery resources. Allocating existing resources to better align with more predictive risk forecasting may often be pre-planned for more effective assurance and confidence building.
Many of the practitioners we work with are either slowly evolving all-hazard risk frameworks or more quickly transforming from traditional protection modes to nimbler, intelligence-based all-hazard oversight operations and governance.
Culture remains an important consideration for pace of change. Security leaders who have engaged their key stakeholders for risk perceptions and confidence feedback seem to have traction. They have proactively created an opportunity to transform for organizational needs of the future without necessarily being invited to do so. Importantly, their cross-functional contemplation of risks and remedies now influence how they will look and work tomorrow after a hit or near miss today.