NEWS

Putting Risk At The Centre Of A Standardised Approach To Security

30/04/2020

Putting risk at the centre of a standardised approach to security

by Paul Mercer, Managing Director, HawkSight SRM Ltd

 

Adopting a standardised risk-led approach to security risk management (SRM) is the current hot topic amongst those responsible for managing security and operational risk. But what’s the driving force behind it? Why are businesses and other organisations now reassessing their approach to SRM?

Much of my work over the last three years has been with organisations (I include business, enterprise, non-government and government bodies in this definition so will refer to organisations throughout), that want to standardise their SRM process.

The reasons why are varied and often also dependent on the who – who is championing the shift and what does it mean to them and their role within the organisation.

My recent experience has demonstrated that the 'why' generally falls into one of four categories. It’s about:

  • Improving understanding within the organisation about what SRM actually means
  • Better justifying the annual security budget/security spending
  • Aligning SRM to existing enterprise risk management processes
  • Elevating the security function within the organisation

So, if, for whatever reason, you are managing security and/or operational risk within your organisation and want to move to a standardised approach, this series of articles is for you. 


In the first, I’ll share what I’ve learned about the challenges you may face and highlight some of the potential pitfalls so that you can avoid them. 

It’s easy to have your efforts undermined before you even begin. So, my advice is don’t try and rush the process, survey the ground and put some foundations in place, before you start. 

Establishing the foundations

One of the biggest challenges that face security professionals is demonstrating an in-depth understanding of the organisation. Not just from a security perspective, but from a business perspective – this applies to for-profit and not for profits alike. So, what do I mean by this?

Historically the security team may have been seen as the ex-military, police or intelligence people who generally say no. Those times are changing and understanding how the role and function of the security department can unlock value for the organisation is often a critical driver in the acceptance and adoption of a standardised SRM approach.

Start by challenging your understanding. What’s the purpose of the organisation, how does it operate, where does it operate? What are its values, mission and vision for the future? The role of SRM is to enable your organisation to thrive in whatever circumstances it operates.

By developing your understanding of those drivers and improving your knowledge of who the key stakeholders are, you can establish whether or not your organisation is ready to take a more business-like approach to SRM. That understanding is your foundation for change, without which your efforts may well be wasted. 

The key is to open up a dialogue across the organisation up to and including senior management. If you can demonstrate that you know and understand the organisation and its goals in the way they do, you are more likely to be able to engage them in discussions about change.

And, if you conclude that the organisation isn’t yet ready to adopt a standardised SRM approach, it will help inform what you need to do to get it there.

Ultimately, without senior management buy-in, your efforts to effect change will fail. So, let’s look at the process in more detail.

Putting the organisation into context

You need to build an in-depth understanding of your organisation and the environment in which it operates. Who has ultimate responsibility for risk (not just security risk, but the risk in its widest, enterprise context)? How is risk reported and who internally is involved in the conversation?

What’s the business plan? What are the key objectives that your organisation needs to meet to be successful? 

The key to communicating with the organisation is to do so in the language of its leadership. This is your starting point to positioning security as a function that can unlock potential rather than inhibit forward progress.

Becoming risk led, as well as compliance led

Moving from compliance led, to a risk led approach that will shape the compliance requirements, requires a subtle but significant change of mindset. It also demands the answer to the question ‘what is a risk led approach?’.

There are several different enterprise-level risk (ERM) guidelines in common use. You need to understand which approach your organisation is taking, and its risk appetite. Then you will be able to align your SRM approach with it. 

Your organisation may not have a mature enterprise risk approach, and that too is fine. By initiating the ERM conversation in its widest sense, it will bring you closer to your decision-makers.

Risk identification sits at the heart of risk led approach and most risk guidelines prescribe a need to understand the following at an organisational level:

  • The priority of critical assets that support it
  • The threats that those assets may be exposed to
  • The vulnerability of those assets to the threats 


That knowledge arms you with the hierarchy of risks to your most critical assets, against which you can focus your mitigation planning. Put simply, it’s about protecting only that which needs protecting.

By demonstrating your in-depth understanding and aligning the security process with your organisation’s overarching approach to risk, you’ll achieve two significant outcomes: closing of the gap between the two and improved dialogue with key decision-makers. 

Remember, as a security professional, you don’t own the risk. In all likelihood, the asset owner owns the risk and you are there to offer specialist advice to enhance their decision making. 

Moving to implementation

  • When you are ready to move to the implementation phase then focus on:

    Communication with stakeholders inside and outside the organisation. Transparency is key. Encourage open and honest debate and information sharing.
  • Reviewing the assets available to you to support the shift to standardised SRM. That includes budget, people and infrastructure. 
  • Training your team in the best way to adopt the change of methodology both initially and overtime – for example, if security risk assessments are only carried out and updated annually, then skills fade is a consideration.
  • Digitisation – in these days of big data, more and more business process require digitisation to be effective, and the SRM process in your organisation may be no different. 

 

Greater governance

Taking a risk led approach and implementing a standardised SRM approach is, I believe, the key to being effective. 

By demonstrating an in-depth knowledge of the organisation and its direction of travel, the security function will build trust and understanding internally. 

Standardised SRM will drive continuity which supports conscious decision making and means that available assets (including money) are used to best effect where and when needed. It also ensures that the organisation can best exploit the opportunities available to it.

Over the next three editions of Security Institute Magazine I’ll provide a complete roadmap to adopting a standardised SRM approach by drawing on several real-world case studies:

  • A detailed look at how to put the foundations for change into place.
  • Identifying the security approach which best dovetails with enterprise risk management - irrespective of where on the maturity scale the organisation sits.
  • A dive into the integration methods that have delivered success.

This article was written for The Security Institute and appeared first in the February 2020 edition of The Security Quarterly. HawkSight SRM has recently launched it's eLearning Methodology Training offer to security professionals. It is also working on supporting businesses in managing their response to the COVID 19 coronavirus pandemic.


11/05/2020

Paul Mercer's article for ASIS International the need for security risk management reset in recovery planning.

"These are unprecedented times for us all. Every business is being tested to its very core. Businesses and organisations across the world have spent the past weeks in firefighting mode, reacting to the impact of the COVID-19 pandemic in an attempt to protect the business and its key assets, primarily its people."