Where is ‘security’ in your resilience or management of risk strategy?
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The absence of ‘security’ in enterprise risk management strategies typically results in fragility, not resilience.
In short, pursuits in the management of risk or resilience without security inclusion and consideration are unlikely to achieve either objective of resilience or mitigation of risk.
Moreover, they are likely to convey false confidence and assurance to the majority of stakeholders.
"Security means the protection, guarding or defence of persons, property (real and/or intellectual) or the Realm from threats posed by crime, terrorism, or business malpractice. It is the business of dealing with the risks presented by such threats and the creation of a response and/or defence to them. It will encompass everything that works towards the provision of protection, guarding or defence, including intelligence gathering, research and information technology."
Security addresses the intentional, intelligent, adaptive and persistent threat of humans.
That is, adversaries that are deliberately trying to cause harm, steal, circumvent controls, climb fences, derive personal gain, break the law and countless other methods seeking to prevail over an individual, organisation, community or government.
Threat actors may be individuals, groups, organised crime, terrorists, motivated individuals, your neighbour, your co-worker, a stranger, a government official or anyone.
But threat actors are NOT everyone.
Distinction is made by professional knowledge, experience and measured preparations and security risk management.
Therefore, culture, social norms, criminal justice, psychology, risk sciences, criminology, management, context and security sciences all play a role and requirement.
The absence of these influences, practices and understandings means that controls, management, responses and punitive measures are applied arbitrarily by the wrong people with the wrong skills and experience.
Therefore, even more risk is manufactured, amplified and produced within systems.
As a result, the management of risk is undermined, ineffective and in many circumstances, blind.
The outcome is not resilience.
Reflective questions for organisations, departments and individuals.
"Corporate security encompasses those managers who address the preventive ‘likelihood’ and the resilience ‘consequence’ elements of risk management and seek to secure the business from a wide range of hazards, including criminals, issue-motivated groups, terrorism, cyberattacks, environmental events, natural disasters, espionage and supply-chain disruption. Our approach to national security planning should now include key companies and their supply chains: it’s time to rethink our national security approach in a more complex, dynamic and interconnected world. Our corporate sector is now a key component of our deterrent posture against a range of threats."
From board room to situation room: Why corporate security is national security, Australian Strategic Policy Institute https://lnkd.in/gf4vVBFw
Does security have a seat within the C-Suite?
Not just cyber, information and data, but ALL facets of security.
Is security a clear, measured and monitored aspect of your risk culture?
Are all resilience initiatives, plans, assessments and risk evaluations inclusive of security?
Not a parallel practice and discipline, but seamlessly integrated, using the same language, processes and disciplines?
Are your security representatives experienced and qualified to the same level of professional and academic qualifications as the other C-Suite and executive management representatives?
A short-cut to evaluate the efficacy of resilience and management of risk systems
Look for ‘security’ in the table of contents, chapters and index.
If you don’t find it, or it is a vague, limited reference throughout the documentation and structures, you are likely to have neither resilience nor adequate management of risk.
This includes systems where security and safety are used interchangeably or across contexts.
Safety and security are not the same, but they are closely related and overlap.
Distinctions, boundaries and relationships are required.
In sum, security remains a key ingredient in organisational resilience and enterprise risk management.
The absence of security is therefore conspicuous and concerning.
Moreover, the absence of adequate security may conceal significant vulnerability or a lack of adequate knowledge on the intelligent, adaptive and deliberate actions or intent of threat actors and adversarial elements.
In other words, an organisation does not adequately understand the threats and iterations of harm.
As a result, controls, mitigation, protection and management of risk are designed and implemented arbitrarily, without consideration for specific threats, methods, harm and vulnerability.
These outcomes are not the hallmarks of either resilience or the management of risk.
Current change and uncertainty across communities, countries and organisations will expose these oversights, if not already.
The next few years will genuinely determine resilience and the management of risk.
Security will play a pivotal role in both.
Tony Ridley, MSc CySP MSyl
Security, Risk & Management Sciences