Risk, Security, Safety and Resilience Newsletter - Week of 29 Dec 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 29 Dec 22.
Key themes for this week include:
"The sudden emergence of the Three Lines of Defence framework could be seen as symptomatic of the increased emphasis of the regulatory focus on risks within firms"
"...suggest that three lines of defence (TLD) is heavily driven by the idealised work of auditing (and risk management) professions, potentially attempting to define and give themselves a role." p.151
Zhivitskaya, M. (2015). The practice of Risk Oversight since the Global Financial Crisis: Closing the stable door? PhD thesis, London School of Economics, p. 151.
Hostile Environment Awareness Training (HEAT) has become the international rite of passage and mandated course for volunteers, journalists, Non-Government Organisations (NGOs), select corporate employees and international travellers the world over for the better part of the past two decades.
It is a bespoke (ad-hoc, arbitrary and subjective) curriculum of 'life safety and security' measures, topics, scenarios and thought exercises, usually delivered with accompanying 'war stories', role play and a growing montage of 'how things happened' in Syria, Iraq, Ukraine, Somalia or similar environments by those who have lived to tell the tale or have seen 'action'.
Shouting, mass casualty scenarios, balaclavas, kidnap re-enactment (often legitimised by a former kidnap survivor), fake blood, lessons in military tactics and ordnance, mission planning and various other 'survival' subject matter.
In short, quasi-militia training for the adventurous, the 'prone to capture', the fearful, the insured, groupies (cosplay, fanboys, etc.) and next-generation 'deployable assets'.
The vast majority of the curriculum (commonly lacking legitimate adult education structure and objective certification, and derived from open source, military/police service, storytelling or other vague, subjective terms of reference) has been created and sold by middle-aged, heterosexual, Caucasian, Western males or their approved disciples.
"...boards are setting their #riskappetite too low by over emphasising threats and not giving enough consideration to the opportunities that come with #risks. They felt this type of approach would not be suited to addressing the challenges the future board will face."
Opinion-based philosophies, practices and ideologies remain persistent factors across risk, security, safety and resilience.
That is, specific perspectives, views, strategies, controls, methodologies and preferences that aren't clearly identifiable or traceable to a specific body of knowledge, source or authoritative content.
This includes a number of 'club' references, standards (that reference themselves or other standards, i.e. a standard that is a summary of a bunch of other standards), training materials, books, industry guidance, 'influencers' and self-titled thought leaders.
These normative practices and behavioural traits are extremely concerning for many specialist roles, professions and disciplines, but perhaps none more so than safety, security, risk, resilience and the collective 'enterprise' application of all these disciplines.
"#Security breaches of any kind can result in loss of revenue, productivity or share price; they can damage an organisation’s reputation; they might result in confidential data being leaked; or worse, they can result in physical harm to staff members or the public.
We all need to think and act in a security-conscious and collaborative manner, as well as to take personal responsibility for our actions, so that we can help prevent incidents and breaches from happening."
"Risk" visualisation, risk communication and related rituals of verification, prioritisation and threat, hazard, danger, adversary and peril ratings have become an ever more elaborate form of storytelling, cultural practice, delusion and even deception.
They contribute to a widespread theatrical process, consistent with artisan performances and marketing/advertising norms, to compel an individual, government or organisation to 'act', or to buy, change or invest.
That is, if you can create a compelling enough, visceral image to promote your particular views and preferences associated with 'risk', you get the outcome and behaviour you want or desire.
This practice contributes to risk 'theatre', whereby the practice, effort and body of knowledge are measured by the community-preferred or celebrated image you create, not the efficacy, rigour or depth of analysis informing the visual, ranking or associated graphic.
"...the first and second lines (3 lines model) encompass operational management, #riskmanagement, and compliance functions; and in the third line, internal #audit (IA) “provides independent and objective assurance and advice on the adequacy and effectiveness of #governance and risk management.”"
Security across and within digital or cyber environments has become the rockstar headline of 2022, but there are many more problems and issues associated with cyber security than just a skills shortage and knowledge deficit.
That is, security, including cyber, remains a complex, networked and systems challenge and solution, including human factors. As a result, checklists fall well short of the requirement and compound many of the associated issues and flaws.
Regulators, auditors, executive management, entry-level practitioners, standards devotees and the ever-growing industry/specialist groups love a good checklist of principles, processes and 'evidence' of safety, security, risk and resilience.
However, intelligent, adaptive and malevolent action by one or more criminals, curious teens, terrorists, organised crime or state actors, together with systemic vulnerabilities within the digital and cyber supply chain, does not lend itself well to linear, sequential and fixed checklists of any kind.
"Enterprises entrust the protection of their crown jewels—their customer data, their reputation, their finances, and their business availability—with third parties. A breach of your third party is a breach of your enterprise, so you need to know: Are they trustworthy? Why? Why not? What should be done about it? These questions are yours to answer and act on.
Third-party risk management is hard. It requires deep transparency, strong accountability, and effective collaboration. Third-party risk has to achieve this position with hundreds and even thousands of organizations while being an outsider to every organization. Additionally, third-party risk has to solve this with limited personnel and resources."
"Consequence. The term “consequence” is not well-defined in the Critical Infrastructure Protection (CIP) literature. While ISO defines consequence as the “outcome of an event affecting objectives”, this general definition does not distinguish between consequences for the system or #criticalinfrastructure itself, for people, for the environment, or for the economy. Such distinctions are required because in the meaning of the European Critical Infrastructures (ECI) directive [4], assessment of consequences for people, the environment and the economy is needed according to the cross-cutting criteria. Moreover, the consequences of cascading effects to other infrastructures may need to be also distinguished and assessed. For this reason, in this document we will try to clearly distinguish between the various forms and types of consequences."
“...despite an increasing cyber spend by government and business, government entities are a long way off baseline standards of cyber security, while many businesses are also behind in their resilience against rapidly shifting risks.”
Actuaries Institute (2022). Cyber Risk and the Role of Insurance, Green Paper, Sep 22, p. 6.
Risk, Safety, Security, Resilience & Management Sciences
Project Manager
1 year ago: Excellent post. A must read for all Data Managers. It's my firm belief we are now working and operating in the next phase of the Industrial or should I say the 'Digital Revolution'. Now more than ever expenditure and awareness is of paramount importance. #resilience #microaggressions #dell-technologies #microsoft365 #microsoftazure #microsoftpowerbi #compliancemanagement #databreach #encryption
Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan
1 year ago: Well said.