On Feb. 4, 2020, I performed a Google search for the words “Business Risk Management Approach” in news headlines. I got close to 32,000 results from the previous week alone. I am sure I would get a similar number of results no matter when I searched. The risk management approach to business-decision making is a popular topic for executives, and certainly something that looks like it will stick around. The question is, “How should the security industry get on board with the risk-based approach to managing our programs?”
It starts with embracing the inevitable. We ARE expected to speak the business language in relation to our programs. We MUST be able to provide measurable results of risk impact, tolerance and the effectiveness of mitigation strategies. And, we MUST develop new skills and approaches to do that. Those are all part of Rebooting Your Security Program with a risk-based approach and an Enterprise Security Risk Management (ESRM) model.
Security is More Than a Tactical Response
Change is never easy, and for many of us who have been in the security industry for a while, our comfort zone is in the “nuts and bolts” of our day-to-day tactics. We know our details. We understand PTZ, CPTED, IDS, BCM, WPV, EP and any number of other technical acronyms. We know how the organization can protect people and assets from harm.
But in the world of risk-based business management, the security leader who succeeds is the one who can explain the reasons behind all those tactics, and the effect those tactics will have on the organization’s overall risk profile and exposures. It is that strategic security leader who will successfully shepherd the organization safely into the future as risks and tactics shift on a near-daily basis. It is the ability to see the risk landscape holistically, and to respond with the appropriate mitigation at the appropriate time, that will give us and our security teams the edge in being ready for the security risks to come.
This doesn’t mean that tactical skills are not important. It’s critical that team members have the ability to carry out the entire spectrum of security mitigation activities. Those tactical skills, however, are simply not enough to ensure that the business understands the need for and supports the implementation of the security program. And that is where new skills are needed for the entire team.
Skills for the Security Leader
The skills needed to lead a risk-management-based security program are not much different from the skills most of our business partners use in managing their business functions. They are skills that, until the last five to 10 years, have not been strictly required of the security leader. Until recently, security leaders were typically hired to lead organizations because they were highly skilled security tacticians. Why is that a problem? I have had several conversations with incredibly skilled military and law enforcement professionals who struggled with their new environment when they transitioned into corporate security. They were not prepared when they were handed their first budget, or when they had a discussion regarding company financials, or when they were told that the company would not support the enforcement of a basic security requirement.
Acquiring the additional skills necessary to lead a business-focused security organization is not difficult, but this is a situation where a little education can go a long way.
- You should have a comprehensive understanding of the enterprise’s business, assets, business drivers and organizational goals.
- You should understand the business’s footprint, products, services and mission, both at the holistic organization level and at the functional level of your internal business partners. Additionally, be familiar with the market you operate in, so you can discuss both the business and security risks.
- You should work across business lines and understand the individual needs of each strategic partner to more fully understand all aspects of the business.
- You should know how to read the company’s financial reports. A basic business website can give you easy definitions for terms such as PBITA, EBITA, Gross Margin and more. This will have you speaking the same language as your executives very quickly.
- You should have a good understanding of risk models and be competent in the application of risk management principles to your department.
- You can study one of the major risk management models, such as those published by ISO or ANSI, or even a specific financial risk management model, to be able to confidently discuss the nature of a risk-based approach. Having the ability to articulate core risk principles and understand their application throughout your business is key to engaging executives in the risk-based conversation.
- You should have the ability to work with stakeholders across multiple departments and functions to ensure that your security projects meet the risk mitigation needs of your stakeholders.
- In the current industry environment of technology-enabled security implementations and networked systems, the ability to work with technical, engineering and IT groups to implement complex security solutions is invaluable. An understanding of project management principles from an organization such as SIA or PMI, or even better, a certification, is a step in the right direction.
Communications and Message Management
- You should have the ability to communicate your security program and its focus on mitigating enterprise risks through protection activities. This will help you ensure a level of understanding of the value of your program at the executive level.
- Reaching both internal and external stakeholders with information about the security program and its results (in terms appropriate to the audience) will help your business partners understand the need for the security program.
- Report writing is a special skill worth acquiring. So much of the activity in security involves communicating incidents, trends and threats. Crafting quality reports is a critical communication skill. So critical, in fact, that it will have a dedicated article in this series later this year. A well-crafted report can:
  - Drive the risk conversation forward
  - Promote risk discussions within and outside of the security function
  - Provide risk and process transparency to ensure awareness of risk thresholds
  - Ensure continued follow-up of identified risk profiles
  - Provide the basis of executive risk metrics reporting
- This skill is key to enabling you and your team to truly move from a task-management security focus to a risk-management security focus. The ability to lead, and to demonstrate and model a commitment to change, will drive the message home to your team, your business partners and your executives. The risk-based approach is a serious business commitment for your team. It demonstrates your readiness to engage with the business on its terms.
Skills for the Security Team
The business and risk-management skills for the security team are skills for the whole team, including the security functional leader. Team members, of course, need the tactical skills required to carry out their daily security activities and to protect the organization from harm. They must prevent, contain or recover from security incidents in accordance with the security risk management plan that was agreed to by the organization’s executives.
To effectively operate in a risk management environment, your security team needs these skills:
- Be capable of working with all types of people — from line employees to executives — both inside and outside the company.
- Be capable of managing in a fast-moving and continually changing environment and risk landscape. The speed of change in the next decade will only increase as the world enters an unprecedented era of connection and communication. The ability to be nimble and adapt to new situations will be the differentiator between businesses that thrive, survive or fail (and the same goes for the internal functions within those businesses).
- Have a willingness to monitor the global risk environment. It will be necessary to stay up-to-date on new threats and the latest mitigation tactics for those threats.
- Be able to quickly assimilate new skills and knowledge to meet changing demands, so that the team stays ahead of the curve and can support the organization whatever the security need.
The good news? As security professionals, we inherently understand the concept of “risk.” We are surrounded by leaders and business partners who also understand these concepts. To close the gap between our approach and theirs, we need to adjust our understanding, gain a few more skills and approach our programs with a management mindset similar to the way the business looks at risk.
The skills needed to interact in a risk-focused business environment are not hard to learn. With a little effort on the part of the security industry, we can all gain the needed skills to sit confidently in the boardroom and talk about security risk management in the same way as other aspects of the business discuss financial risk management, operational risk management or any other kind of risk management that is integral to the working day.