The biggest risk to the security industry
In this post I’m going to discuss what I consider to be the single biggest risk facing the security industry today. It isn’t cyber terrorists, ultranationalists, rogue nation states, climate change or technological advance. Sure, all those things are major concerns, but none of them have the ability to derail the professionalisation of the sector quite as much as language.
I recently posted a question to my network asking people what they thought was meant by the term ‘risk tolerance’. Now this wasn’t exactly a buzzing thread (there are pictures of road signs that have far greater engagement), but there was some discussion. What became immediately apparent was that the vast majority of people had their own interpretation of this terminology, some of it inaccurate enough that I felt compelled to publicly correct them. I felt that I needed to ensure that anyone else reading these descriptions would not assume them to be correct, since their misuse could lead to significant confusion or embarrassment at the very least. I considered I had done this gently; however, apparently this made me look like an arrogant arse. Not for the first time, and not for the last, I suppose. Listen, how I look is not what is important here. Facts do not care about feelings, after all. This isn’t about people being right or wrong either, come to think of it. It is far bigger than that.
In the past I will admit to having made up security risk terminology in meetings just to see what happened. (For clarification, I do know what I’m talking about so this was not me trying to blag it. I was being mischievous.) Nobody challenged me, nobody asked for clarification and in a meeting a few days later, I heard my invented term used by someone else who was trying to appear informed. So some of this is possibly my fault.
Let me be clear here. I see this as an artefact of an industry that continues to encourage uneducated people to hold their 'experience' in higher regard than a blend of operational experience and academic study. If this continues unchallenged the industry will never progress towards professional status. What is clear is that there are people in the industry (and I am not specifically referring to anybody on that thread but rather to my wider experiences and conversations) who clearly do not know what they are talking about. This is not to say that they do not understand security or are bad practitioners but rather that they do not understand the words they are using to describe their knowledge and experience. They might be brilliant security thinkers, but if they sound like idiots, it doesn't get them very far. The resulting risk to them as practitioners and to their clients goes a lot further than ‘looking silly’.
Consider any other recognised profession. We do not hear medical doctors making up their own names for body parts, illnesses or treatments. And yet in security risk it is perfectly acceptable for people to make up their own interpretation of a term that they see rather than go to the effort of finding out exactly what it means. I am tempted to suggest that the cabal of individuals who have been pushing for the formal recognition of the sector as a profession for the last decade or so are about 50 years too early. If we cannot agree on the language we use, we clearly aren't ready.
There is an assumption that I have seen time and again, both from security practitioners and from other disciplines within organisations, that security is simple and obvious. This is reflected in the way language is used. The fact that security is an incredibly complex social science is ignored in favour of what looks right and what sounds right. Not what IS right.
The absence of a formal lexicon for the security risk industry presents a significant challenge to the ways in which we communicate both our value and our concerns to our clients. This is a recognised problem with its roots in the risk management industry. Despite there being international standards and myriad certification schemes, there is still no formally agreed upon lexicon in risk management. In some cases, certification bodies will present multiple meanings of a single term, much to the consternation of people studying for their exams. In the courses I taught, I made a point of highlighting terminology that has different potential meanings and I encouraged the delegates to confirm with people they speak to which of these they are referring to. By doing this, everybody learns something and the risk of confusion is minimised. Our job is to provide clarity, to reduce uncertainty, to increase confidence. We will not be able to do this if we are all making it up as we go along.
It is absolutely worth recognising that language constantly evolves. This does not in any way excuse security professionals from understanding the language that is currently in common and accepted use. This comes back to previous content I have shared in relation to the softer, wider skill set that we need to develop. The ability to communicate with the business in a clear and consistent manner is potentially far more critical than our understanding of any particular security doctrine. We have a hard enough time demonstrating our value to the business without making it worse.
We need to overcome our fear of being 'wrong'. We need to park our ego and our ‘many years of operational experience’ and remember that there is always something to learn. We need the courage to ask people who use terminology that we do not understand to clarify their meaning. We might learn something new, or we may learn that the people we are talking to have an imperfect understanding of whatever they are discussing. Together, we may even come to a new understanding. In any case there is value for us and for the wider industry.
In the past I have been described as a ‘thought leader’. If that is the case (and the jury is still out), I would not be doing justice to the term if I did not challenge and then try to help to correct issues as fundamental as this.
Now how about we all ensure that our Scooby-Doo’s are encapsulated for risk hysteresis purposes?
Risk | Resilience | Assurance | Governance
4 years
This is a problem across the whole of risk management. Given that there is no universal standard, that what's called the 'standard' isn't actually a standard, that you can become a 'risk manager' after a 5-day course, and that every industry has its own vocabulary around risk, it isn't surprising there is so much confusion and conflict. If you ask n people to define the term 'risk' I would bet money that you'll get n different answers.
Director | Security Consultant High-Risk Countries.
4 years
Richard, as always a good blog - I concur. Throughout all my studies in intelligence/security, a common theme is agreed-on definitions. The final part of my thesis idea (still to be confirmed) is the production and communication of risk analysis (once you agree on a term :-)). A great deal of work has been done and implemented within intelligence agencies - transcended to the military and police, with words of estimative probability (WEPs). For example, check (https://www.app.college.police.uk/app-content/intelligence-management/analysis/delivering-effective-analysis/#writing-clearly). Intelligence writing is boring and repetitive - yet very clear. No fancy 'jargon and obfuscation' (right-click synonyms), just simple repetitive words which everyone knows. Who cares if you're a Scrabble champion, if people can't understand your report - you have failed. I find this to be missing largely in the NGO sector of the security industry and those risk-management companies which provide security services to them. Yes, there are the low-high terms used in many risk matrixes. However, often it goes no further than the risk matrix. Phrases such as 'in the short term, the medium term, the long term' - what are these: 1-2 weeks, 3-6 months, 5-7 years? You need an agreed term. In intelligence writing and production, a good report would display the WEPs (for those unfamiliar with the report) on the opening page with the key judgments, and therefore the recipient would understand exactly what each term means in value (percentage of risk) and time (days, weeks, months, years). The next time you look at a security report and see terms like 'highly unlikely, probably, might, could, short-term,' write the percentages down, the days or weeks, and compare with other colleagues. This same test is the foundation of WEPs from 40+ years ago. The variation is as much as 60% on risk (if I remember correctly).
This means people have different perceptions of risk and timelines based on terminology alone. I believe a lot of academic and intelligence analyst practice incorporated into security risk management would aid in communicating risk to stakeholders. *disclaimer, I am very much the student, albeit an older one* Anyone who is implementing these procedures organisation-wide to overcome how people massively interpret words differently with wide-ranging values, specifically in the NGO high-risk sector, I'd be keen to hear from you.
Teaching cadets various skills and helping them grow and enjoy their time in the cadets
4 years
To me the issue is there is no agreed definition of what the word risk means. Because of this it is up for interpretation. This leads to opinions and then once people don't agree with opinions. I think the biggest risk is two-fold. One is people saying they know it all and are the holder of the only wisdom. The second risk is people not following standard procedures, e.g. not taking in USB pens from an unknown source. I am happy to discuss if people disagree with what I've said; what I won't accept is people telling me they know everything, as it sounds like they have stopped learning, and that is the third risk.
Market Leader @ GHD | Property & Buildings
4 years
I saw your post yesterday on risk tolerance / appetite, and I've often also thought it has a lot to do with language. But why? This kind of misinterpretation often occurs within our industry - what's going on? There are many recognized professions that rely on more strict and defined education and career pathways. In those professions International Standards (or legislation, or national codes, etc.) exist for reasons of standardizing processes/outcomes/terminology/etc., and are treated as bibles. In contrast, our world of security and risk management lacks some of the same rigor for education and career pathways. So our reality is one of limited standardization and even poor learning and understanding of the fundamentals. Unfortunately it often seems that some of the loudest voices in the industry are professionals / companies out there that think they're inventing better mousetraps by rewriting ISO 31000 (-or insert relevant standard-) with their own "new" terminology and calling it revolutionary. At the same time, the industry is flooded with 1 day masterclasses, 3 day security specialist courses, distance learning modules etc......all presenting slightly different versions of the e.g. ISO 31000 flow chart with some fancy buzzwords and different colors. Not to mention the variations of "well this is how we did it back in....", "my operational experience...." etc. So if you end up in the industry lacking sufficient experience and understanding of the fundamentals, it's very easy to misinterpret concepts such as risk appetite vs tolerance. I don't know what is the best answer to improve here.....sometimes I think simple approaches are best. More focus on the fundamentals. Let's learn from the standards and the body of knowledge we already have. Let's collectively challenge the status quo and let's try to advance our understanding and knowledge - instead of wasting time re-writing or re-presenting existing standards with slightly different terminology.
I think we could all do better here.
Cyber Strategy & Transformation Director
4 years
"If a lion could talk, we would not understand him."