Risk, Security, Safety and Resilience Newsletter - Week of 10 Nov 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 3 Nov 22.
Key themes for this week include:
---------------------------
Defence-in-Depth is an extremely popular security and risk management expression that rarely achieves the universal, unassailable and reliable safety or security outcome the concept evokes, or it fails to deliver on the promise of a shroud of multi-layered protection for people, data or assets. That is, many 'defence-in-depth' assertions are symbolic statements, or defence-in-depth in name only, as the various layers and measures are neither synchronised nor required because 'once you're in... you're in!'.
I'm still catching my breath. I feel like I've run a marathon. I have! A decades-long marathon that culminated in what was yet another career capstone event and professional milestone. In contrast, the 'false crest' finish line on this particular project was that of a meticulously planned and brilliantly delivered crisis management simulation event that began many, many months and even years prior—primarily studying the trade and practice of geopolitical analysis, threat intelligence, security risk management, business continuity, transnational commerce, operational resilience and executive management. Front row, accountable seating. Not balcony, commentator or observer seating. Skin-in-the-game stuff, not books and detached academia. To then begin diagnosing, mentoring, advising and guiding a multinational client through a complex, detailed and standards-informed continuity/resilience program, supporting domestic and international interests. Not a 'drive by' consulting project by any means. Really embedding with the client, culture, commercial and operational demands of their business. Coupling with other professionals, experts and practitioners. Supporting the CFO, CSO, HR and Operational teams. Running workshops and engagements. Contributing to the exhausting final sprint, the stellar crisis management immersion and simulation event run over an entire working day. Non-stop! Fantastic stuff. At every moment, challenged, engaged, informing and developing the next generation of experts and professionals. I loved every minute of it. However, this is just the rehearsal. We all have many, many more miles to go before this race is done. This is the world of international operations, transnational safety, security and risk management. What a profession. What a life. Enough chat, the next marathon starts any moment now. Have to go.
"Organizations spending less than 5% of their technology/IT budget on #cybersecurity are in the absolute minority. Our research shows that just under half (49%) are allotting between 6%-10% of this budget for these purposes, and 41% are directing upwards of 10% to security measures."
The reality of exposure to known and adaptive, changing threats has supplanted the veneer of protection. This includes technology, supply lines, regulation, infrastructure, human resilience and community preparedness factors. When exposed to emergent threats, duress or cascading failures, many seemingly robust or resilient organisations, industries and systems have been found to be brittle, fragile or in advanced states of decay. While some remain 'cautiously optimistic', reluctant to acknowledge prevailing and realised resilience deficits, the gap between what is needed and current conditions of vulnerability remains considerable, with industries, services and systems failing businesses and communities with alarming frequency. Hence, resilience debt remains a bona fide catastrophe, maturing at different rates and scales within locations and systems. These deficits are often concealed behind unsubstantiated claims, assurance, controls and quasi-scientific methods and reporting. In short, vulnerable inner workings are concealed within seemingly hardened exteriors.
Travel Safety & Security for Travelling Abroad
"Individuals from all parts of the globe look to broaden their outlook and obtain a sense of adventure when traveling abroad for either vacation or business purposes. Unfortunately, travelers from different cultures find themselves as targets to aggressors who excel at studying vulnerable targets. This training examined statistics and #safety and #security techniques that will keep travelers safe until returning home." #travelsafety #travelsecurity #travelriskmanagement
"Nearly all aspects of society now rely heavily on technology and cyber connections. From phones and communications systems to home appliances and security systems, to transportation systems, medical systems and utility services, nearly everything in communities relies on cyber connections to communicate and operate. Although this increased interconnectedness provides better and more efficient services in many ways, this ever-expanding reliance on technology and cyber connections also means that cyber incidents may have far-reaching and devastating impacts. An interruption in one organization or system, whether from a natural hazard, human error, equipment failure or malicious attack, may have widespread impacts across the network. In the worst cases, this puts lives at risk and causes significant economic challenges. For this reason, it is increasingly important that organizations and jurisdictions have a cybersecurity program in place to protect against disruptions and a cyber incident response plan in place to enable quick, effective resolution when an incident occurs."
Matters that may result in risk present in many and varied forms.
Notwithstanding, in practical terms, what could reasonably be considered 'risk' is both visible and invisible to an enterprise and to the departments and professionals charged with risk management, mitigation and resilience. This includes security.
Moreover, risk will influence or affect the enterprise differently, and will be documented and controlled differently by each department that is most 'at risk', affected or designated 'risk owner'.
In other words, an enterprise may be surrounded by a landscape or environment of risk, but matters of risk will be identified, documented, treated and mitigated in differing ways by differing functions within an organisation. This invariably results in gaps, short warning times and long cycles of threat accumulation that may only recently have become visible but take weeks, months or years to manifest, thwarting static, ritualistic risk management practices such as registers, matrices and formal/scheduled review rhythms.
In sum, a handful or even a detailed list of risks is in reality only a small, "top of mind" snapshot of a suite of interdependent, complex, networked and accumulated risks.
"This in turn will create multiple benefits, including: 1) #risk governance will be improved through the strengthening of transparency and accountability in the acceptance, mitigation and/or transfer of residual risk between and across the three levels of Government; 2) specific areas can prioritise their resources, based on localized assessed risks; robust, scientifically-based risk assessments can be used for applications for resources and funding towards mitigation strategies and betterment projects; 3) all levels of government and community will have greater assurance through and confidence in scientifically underpinned risk based planning; 4) stakeholders will have improved confidence in State level coordination and support across all levels of Government, supported by State Government guidance and prioritisation of hazard risk; disaster management networks will be strengthened and better aligned."
Safety, security, risk management and resilience are endlessly personal, public and corporate pursuits involving individual systems of interest (SoI) and systems of systems (SoS).
That is, threats, hazards, dangers and perils remain persistent, adaptive, evolving and potentially infinite realities of life, business and survival.
However, unlike other games and leisurely pursuits, there is no agreed conclusion, scheduled finish, 'rules' of engagement or prescribed duration.
"How your control room works will be largely determined by the people within the control room and the type of guard force you use. An employed guard force may cost more, but have higher vetting levels, understand your business and potentially make more relevant decisions. A contract guard force may be cheaper and able to cover sick leave, but may only have basic training and have inappropriate Key Performance Indicators. Where your security officers are based is also a factor: 1) #Security officers in an on-site SCR (Security Control Room) may have better situational awareness and quicker response times. 2) A guard force in an offsite SCR will have reduced situational awareness and an extended response time. 3) An ARC (Alarm Receiving Centre) will only monitor and respond to what it is paid to monitor, and will be covering a number of sites and businesses."
The critical problem with #security choices and alternative models is that they are rarely visualised and compared against one another.
Moreover, these choices, preferences and pros/cons are rarely presented to non-security executives to aid decision-making or to clarify the respective strengths and weaknesses of each model and choice.
These visuals serve to present those comparative choices, mapping the relationship between asset, protector and threat for each model.
"Programs using Agile software development methods require the ongoing collaboration and commitment of a wide array of stakeholders, including business owners, sponsors, users, developers, and #cybersecurity specialists. One way Agile promotes commitment and collaboration is by having teams work closely together, in one physical location when possible, to facilitate continuous communication among the team members."
Security remains a catch-all expression for many things, people, feelings, actions and terms.
With so many taking refuge under this umbrella term, how do you know what is really security... or not?
Even in everyday conversation, security is routinely used: job security, portfolio security, national security, home security, cyber security, and many other quasi-security expressions such as community safety, crime prevention, etc.
The only constant among these expressions is that security is rarely defined and routinely assumed to mean the same thing from context to context, person to person and culture to culture.
If only that were true.
Even more concerning is the routine justification of control, discipline, power, restrictions, punishment, exclusion, surveillance and preferential treatment in the name of security.
Security for whom, when and how?
Security Operating Overseas: how to assess and mitigate risks in emerging markets
"As business brings opportunities to higher #risk emerging markets, organizations find themselves struggling to understand the #risk posed to their overseas operations and enact the proper measures to protect their employees. Learn from #security professionals with extensive experience in high and extreme risk locations on how to address the various challenges presented in securing overseas operations. From conducting a deliberate assessment of the risk environment to meeting the stringent mitigation measures in post-conflict and conflict regions. Take away methods for comprehensive threat mitigation, including identifying and addressing stakeholder needs, vendor management, resiliency and effective security escalation management." #securityriskmanagement #travelrisk #travelsafety #travelsecurity #travelriskmanagement
Formulas, mathematical calculations and algorithms are increasingly becoming 'the norm' within risk, safety and security assessments and analysis.
Moreover, these 'black box' calculations are becoming even more secretive, with individuals, companies and governments concealing the precise calculations, rigour and formulas that go into the seemingly infallible and unassailable 'science' behind non-human calculations such as AI, machine learning and automated decision-making.
However, in reality and practice, all algorithms carry human bias and stated or concealed preferences, or are otherwise laden with elusive judgement, which in turn distorts and modifies calculations of risk, safety, threat and security.
To what degree, and in what way, remains the challenge and persistent question for practitioners, risk professionals, auditors and governments.
#Cybersecurity is a very hot topic at present. Here is a discussion between two highly experienced professionals and qualified experts in their fields (#risk #security #crisis #resilience), recorded nearly a year ago (2021). Sadly, many of the lessons have not yet been learned, and many of the #securityriskmanagement, #enterpriserisk and #enterprisesecurityriskmanagement observations have yet to be addressed.
Join the conversation. What are your thoughts and experience?
"Under workers' compensation law, the employer is both responsible and liable for an employee's acts of negligence, for the employer's own gross negligence, and for extraordinary #risks of work. (p.70) ...When you function reasonably and do your job properly, you fulfill your designated and compensated "duty" but also an implied #duty to protect your fellow workers, society, and the environment from reasonably foreseeable #risk and hazard that are readily obvious or deviously occult. (p.3)" - Cohen, K. S. (2007). Expert witnessing and scientific testimony: surviving in the courtroom. CRC Press, pp. 3 & 70.
Resilience is not assured, guaranteed, or dependent upon any one person, system or resource. No matter the threat, hazard, peril, danger or adversary, organisational resilience remains a socio-technical systems issue comprising one or more actors and systems. That is, resilience before, during and after health, safety, security and risk events remains a complex network and collaboration of systems between various technology, human and community interactions at varying scales and levels.
"Developing and deploying an Enterprise #Security #RiskManagement (#ESRM) program can be intimidating and seem like a complicated venture. In actuality, you are likely performing many of the core components of an ESRM program, you just may not have viewed it through that comprehensive lens. In this session, we discussed the key pillars of an ESRM program, how to leverage existing organization initiatives and connect into the #culture of your company, in order to become a value-adding resource."
Security is.... well, what? Art, science, profession, or alchemy, mystical artisan solution?
Organisations go to great lengths and detail to create product, supply chain, process and customer maps, yet few apportion the same degree of priority or investment to mapping the risk conditions across their business. Such a map provides the signposts (red flags) that lead to crisis or disaster sometime in the future, long before heroic management or response measures are required.
While far from an absolute method, simply considering an entire organisation or sub-entity from an elevated perspective provides insight into vulnerabilities and areas of potential failure/disruption in the event of a stressor incident.
Risk conditions identified in advance help organisations and managers make risk-informed decisions, including the prioritisation of effort.
"Design for continual dynamic adaptability – Goal 1: provide value-delivery under nominal conditions – Goal 2: sustain value-delivery under adverse conditions" #resilience #riskmanagement #enterpriseriskmanagement
The essential elements of corporate, commercial or private sector security risk management are often visible only to those who understand the required anatomy, or only become visible during the autopsy of failure.
In other words, security risk management exclusions, omissions and inadequacies are glaringly obvious to experienced professionals, with this discovery/disclosure routinely becoming the focus of failure in the wake of bad happenings, catastrophic failures, crises and other public enquiries.
The architecture of adequate and comprehensive security risk management is not measured by policies, procedures, departments or reports.
"41 terms maintained, but 15 definitions have been modified" #riskanalysis #riskmanagement #enterpriseriskmanagement #securityriskmanagement #enterpriserisk #operationalrisk #organisationalrisk #riskculture #ISO #iso31000
The concept of white collar crime (WCC) is an incorrect start point for all organisations.
Moreover, the assumption that crime is constrained to exclusively immoral individuals or illegal acts further conflates the real-world issues of crime within an organisational setting, particularly financial-orientated crimes.
As a result, fraud structures and practices that work on sterile or abstract metrics as indicators of WCC are also inherently flawed.
In other words, white collar crime remains a tapestry of overlapping visible and intangible factors that may/may not be geographically criminogenic or illegal.
"Dig into these surprising (and sometimes mind-boggling) #cybercrime statistics to understand what's going on globally and discover how several countries fare in protecting themselves. The article includes plenty of visual representations of the most important facts and figures in information security today." #cybersecurity #securityriskmanagement #securitymanagement
Not only are cybercrime, data exploitation and unauthorised access much EASIER for bad actors, adversaries and automated attack systems, but it is now much HARDER for safety, security, risk, resilience and business continuity functions to protect, make safe, defend and reduce harm to workers, systems and data/information or assets.
Because what was once (2019) no more than 5-10% of personnel remotely accessing, interacting, creating, storing and retrieving content from single "fortress" type security systems, strategies, services and departments is now (2021, continuing into 2022 and likely beyond) dozens, hundreds and even thousands of individual locations and people dispersed over a much, much wider surface area, 'telecommuting' or virtually working from home, cafés, hotels, friends' houses, public spaces or pretty much anywhere they choose... all around the world, across jurisdictions and overlapping with countless other businesses, governments, providers and systems all doing the same thing.
In other words, sentinels, guardians, safety, security and risk folks once had only one (or a few) sites and headaches in ensuring a safe, secure and resilient work environment and service. Now they have many, many, many more!
Completing a highly complex, technical, challenging, exhausting, yet highly rewarding project, culminating in a 9-hour #crisis management simulation and validation exercise with multi-layered role players, full client representation, strategic injects and fast-paced, challenging tactical decision-making and capacity building.
What began as a #businesscontinuity uplift and #resilience transformation project, conducted over many months, poring over contracts, standards, operational practices, national/strategic #security issues and considerable #risk, resilience, safety and human security matters, was consolidated in a half-day business impact and analysis workshop with executives, managers and operational staff. All of these then informed the #crisismanagement, resilience and resourcefulness, companion, and change management project.
Jointly, we delivered and guided the client's representatives through an immersive, structured, and realistic #crisis simulation. Highly trained, experienced and competent experts production-managed events, information, engagements, horizon scanning and decision-making choices throughout the day, resulting in one of the best educational, capacity building and knowledge-transfer sessions I've been involved in for a very long time. World-class professionals, meticulous planning, years of preparation and a depth of knowledge acquired in the real world at the front line were highly enjoyable and totally draining.
Thank you to all those involved—sponsors, participants, executives, professionals, administrators, government and non-state actors. I thoroughly enjoyed the project, simulations, and engagements and slept soundly last night as a result.
Security and risk management strategies remain dreamlike visions of the future that may or may not eventuate, if not for the commitment of key individuals and followers.
In other words, strategy (including security and risk management strategy) is a utopian future that is neither guaranteed nor occurs without hard work and coordination across multiple stakeholders over a significant period of time.
Strategy is most assuredly not an elegant speech, pitch or proposal to the board that then happens later by magic, despite many a strategy salesperson, consultant and new hire asserting otherwise.
Risk and security value chains are inherently and uniquely different.
This is because risk and security both co-create value, act as units of measure/analysis, and protect value chain elements and processes.
In other words, when done well, especially within a global context, risk and security are virtually impossible to decouple from value chains, due to the ever-present and changing influences that both risk and security have on the creation and production of value within organisations, communities and nations.
"... "new normal" for global #travel considerations across a spectrum of traditional and new #risks in the age of COVID-19. What should #security & #riskmanagement professionals be accounting for in their #travelriskmanagement programs in this fast-paced, evolving landscape driven by COVID-19? What new and emerging risks are appearing on the global landscape? Attendees are provided a comprehensive overview of #travelriskmanagement protection principles, updated with strategies and sources of information in relation to traveler & COVID-19 potential impacts as well as briefed on new and emerging risks to account for moving into 2022 and beyond."
"The effectiveness of plan implementation is a function of staff having the competencies (e.g. information management) and capabilities (e.g. stress #resilience) that maintain well-being and enhance performance in atypical and challenging circumstances" - Ibid (p.87)
Security, Risk, Resilience, Safety & Management Sciences
Useful and effective Learning season