A major responsibility of enterprise security executives is anticipating and mitigating emerging risks. New security threats develop and appear in the threat landscape constantly, and it’s up to security professionals to anticipate those risks and reduce potential harm.
Among current emerging risks in the security industry itself, there’s legislation that impacts law enforcement, supply chain shortages of equipment and uniforms and the ever-present staffing challenges, says Anthony Brown, CPP, Director of Emergency Management at Gonzaga University and Principal at s5 Risk Management. “There’s a lot of opportunity for security in an uneasy environment,” Brown says.
Understand the Big Picture
The first step to determining emerging risks is to have a deep understanding of what the entity that you’re protecting does, according to Peter Hunt, Vice President of Security, Brand Protection and Resiliency at Flex. Assess your enterprise by asking questions such as:
- How does the entity run its business?
- What are its primary goals and objectives? How does it accomplish these?
- Where does it operate and where does it have physical presence?
- What are the network configuration and connections?
- Who does it partner with?
- What is the supply chain?
- How does the entity go to market, make its money and engage with suppliers, partners and customers?
“It’s a lot of upfront work, but mitigating risk really has to be through the lens of that particular company,” Hunt says.
Consider Survivorship Bias
It’s important to cast a wide net, says Brown. “I make sure that I’m looking at different industries and different levels, such as federal and international, and that I’m accounting for survivorship bias,” Brown says. In other words, he looks for what’s missing.
Brown refers to World War II, when the U.S. military studied aircraft to determine how to reinforce them better. A statistician, Abraham Wald, realized that rather than reinforcing the areas on aircraft that received the most hits, the military needed to reinforce the areas that weren’t hit. The reason? Planes that had been hit in these areas, including the engine and fuel supply, weren’t the ones coming back to be studied. This concept is now known as survivorship bias.
Stay Current on Crime Statistics
Brown clarifies that this includes both local and national crime statistics. “You can see a bigger picture of what’s going on in the state versus the nation versus the local area and mix that with the trends happening in law enforcement legislature,” Brown says. Having recently started working in Washington state, he says law enforcement powers are far different than they were in Texas, where he was previously employed. “That really shapes how a security professional can expect response to happen and to what incidents law enforcement will respond,” he says.
Capitalize on Resources
Authority reports from federal resources such as the Department of Homeland Security and the National Threat Assessment Center (NTAC) are helpful, according to Brown. He also recommends associations such as the Overseas Security Advisory Council (OSAC), ASIS and the Professional Risk Managers’ International Association (PRMIA).
For those working in higher education, Brown says United Educators puts out thorough annual reports of the top risks in higher education. He also likes the University of Oregon’s Disaster Resilient Universities (DRU) Network. “They’ve got some great surveys of practitioners that are really telling and help you see emerging risks,” he says.
“We’re always scanning the horizon, but we also follow the news with open-source intelligence to see what’s going on from a trend perspective, along with our networks of people,” says Herb Ubbens, CPP, PSP, President of Paratus Consultants Group, Inc. and President of Crowdguard US. He believes that involvement in national and international industry organizations is also key in being vigilant. “I find the true value in these organizations from the networking,” he says.
“Local associations and partnerships also help, and more on a principle, it’s about relationships,” Brown agrees. “Statistics only go so far. It’s knowing who to talk to, having relationships to find out what others are dealing with, and then assessing if that can impact me in my world.”
Be Clear on Organizational Purpose and Goals
“Prioritization is more about what the company is intending to do than the risk itself,” Hunt says. “The first lens is always where’s the company going, what is it trying to do and where are you already.” For instance, if your organization is looking at expanding operations to open in a market with a rough neighborhood for financial transactions and fraud, “you probably have some work to do,” says Hunt.
He reiterates that the aforementioned upfront assessment based on what your company is trying to do is necessary before you can even start thinking about mitigating risks. “If that’s not done, lots of money can get put in the wrong places that has no impact at all because you won’t have an understanding of what those specific risks are, how they might impact you as an enterprise and what you may be able to do to mitigate them,” Hunt says.
Clarify the Risk Relevance
Brown starts with a basic risk analysis to pinpoint the biggest risks. “Obviously, one of the filters you look through is the relevance of that particular risk to your operating environment,” he says. “If you’re in retail, right now, smash-and-grabs are a big deal, especially in urban areas. But being in higher education, a smash-and-grab threat is not on my priority list.”
Ubbens prioritizes emerging risk by first considering what’s going to hurt people. Secondly, he considers what’s going to damage the organization to the point that it could be incapacitated. “Damage to the organization can be physical, cyber or reputational,” he says.
Implement a Risk Management Plan
“Number one, you’ve got to have a plan for how to deal with emerging risks,” says Ubbens. “It’s about getting the information, keeping your ear to the pavement to understand what’s coming.” Your plan should be supported by management and have realistic and reasonable parameters. Creating awareness of risks is important, too. “Make the plan attainable so that people are willing to buy into it,” Ubbens says.
Avoid, Reduce, Transfer or Accept
“There are only four principles you can use when it comes to risk: Avoid, reduce, transfer or accept,” explains Brown. Avoiding risk often involves policies, while reducing risk falls more on the procedure side. “Transferring risk usually involves hiring a vendor or a professional contractor to transfer risk to another organization that specializes in managing that risk, so the transfer is big,” Brown says. This includes contract security, insurance and the like.
As for accepting risk, successful companies take smart risks because there is no reward without it. “Every company is going to take risks, they just have to be well informed about the risk assessment and what they’re actually getting into,” Brown says. “When it comes to accepting risk, I’ve found it’s crucial to set very clear thresholds on exactly where that risk ends.”
Have a Multidisciplinary View
Hunt recommends creating a team that’s representative of your enterprise’s functions and business entities to look at the highest-level risks, both current and emerging. This is advantageous because a multidisciplinary team knows what the company is doing, as well as where it’s going and where it already is. “Cross-functional, informed teams enable healthy discussion about the specific risks relative to the entity and its initiatives,” says Hunt. “Just going through that process as a team sets up most of the basic elements and fundamental data that are necessary when you begin designing mitigation plans.”
Make a Business Case
Because risk is largely financial, it can be difficult to convince executive leadership to spend money on a possibility. “This requires security practitioners to make an extremely solid business case using pure numbers and statistics,” says Brown. He also likes the “cool head, warm heart” approach. “Whether it’s a response or a project, most organizations can identify with that,” he says. “If you can approach executive level with a cool head and a warm heart, that’s going to fit into their mission and their ethos, which makes it easier to fit in a mitigation project.”
Hunt believes the step-by-step work of creating a plan is essential. “You minimize the impact of an event — reduce severity and shorten duration — by having those boring plans ready to go on the shelf,” he says. “There is real value in the team having created the plans together. No plan will ever cover everything 100%, but the teaming will carry you through unforeseeable events.” A holistic view, despite the heavy lift, pays dividends, Hunt notes. “If we don’t look at our security risk, our environmental risk and our financial risk together, and the whole spectrum collectively, it just cannot be as effective.”
Understand the Opposition
“It’s easy to get frustrated as a practitioner,” notes Brown. Many different viewpoints go into decisions at the executive level, so “it’s critical to understand exactly what the opposition is to your next risk mitigation project and find a win-win. There is always a win-win somewhere,” he says.
The more educated the people around you are about risk, the better they can support you, says Brown. Put together a one-page elevator pitch and “hand those things out like candy on Halloween,” he advises. “Every time I talk to somebody and I get buy-in on a project, I leave them with a one-pager so that they can speak to others about it.”
“We have to be prepared, we have to stay relevant with what’s going on and be involved in organizations that are keeping their thumbs on the pulse of what’s happening across the board,” says Ubbens. “They keep us sharp, they keep us relevant.” Rely on the people in your network for information and expand your network to other areas, too. “You never know where your next opportunity is going to be or what somebody else has experienced,” Ubbens says.