Threat and risk management is arguably the most prevalent topic of 2021, and for good reason. Threats seem to be creeping around every corner of business and our daily lives in a time of uncertainty and fear. The security and risk management professions are in the spotlight, and performance matters more than ever. Corporate security spend is projected to increase again, continuing a trend that has run for decades. A topic rarely considered in this time of technology innovation, political maneuvering, and weaponized information is what happens when we overcorrect. In today's climate of risk and rapid action, we can see many examples of the solution being worse than the threat itself. Knowing when not to act, and which risks can safely be ignored, is just as important as knowing when and how to act. Overreacting to intelligence, or not fully understanding its context, can cause a crisis in itself.
In 2020 and 2021, many global and domestic threats have been politicized and used for information warfare purposes. The quick spread of information and the connectivity of people through devices have created fertile ground and a valuable attack surface for those who recognize its potential. The ability to change perceptions and beliefs through constant bombardment of content and psychological conditioning has made security and risk management especially challenging. Real and emerging threats are hard enough to deal with; adding perceived threats and social pressures as program influencers only adds to the complexity. Now, security and risk stakeholders (hereafter dubbed SRM professionals) must predict threat perception and corporate reactions to social contexts. Collective government and civil reactions to threats (whether of real impact or not) must now be considered in program development and implementation. The COVID-19 reaction is a perfect and timely example. When programs fail to account for these pressures and requirements, the blame will fall solely on their architects.
Given the above, when we look at threat assessment in relation to risk assessment across the organization, we must do more than monitor all threats, real or perceived. We must understand what the threats mean in terms of real vulnerabilities and their potential to cause impact. Understanding known threats, as well as those still unknown or emerging, is obviously important. However, wherever we can, we must also know why these threats are worth analyzing and what, if anything, can be done to remove, mitigate, or manage them. It stands to reason that some threats can be understood and analyzed, even predicted, but when must risk management actions and security resources actively be applied to them? This is a separate question that is rarely given adequate analysis.
Further, security and risk practitioners, as part of their job, should examine the possible remedies and controls in detail before applying them. As SRM professionals we can become target-fixated and conveniently forget the second- and third-order effects of these measures on the health and performance of the organization. In some cases, doing nothing might be the right answer, but it must be communicated to leadership as a well-thought-out analysis, not as an afterthought. We owe it to organizational leadership to help them make the right strategic and operational decisions based on all available data, in order to minimize exposure to threats while maximizing the productivity and success of the company.
Security Risk Management is more than “whack-a-mole,” and some moles need to be ignored if it means we can spend the resources and energy elsewhere or limit the disruption to the organization. Too many times we implement draconian policies or create disadvantageous situations for our companies in response to isolated, low-order threats. Such overreaction most commonly occurs merely to showcase the value of the program, in response to social or governmental constructs, or as a knee-jerk attempt at liability control. There are other ways to demonstrate the strategic value of security and risk management programs, and dealing with threats in silos via a “show of force” is almost always the wrong response, and one that will often lead to its own disaster. Many times, the responses create negative outcomes that far outweigh any benefits or positive risk management. We call this toxic SRM.
Toxic security and risk management can kill a company just as quickly as erroneously ignoring a crisis. A healthy program will allow time for, and value, a multi-level analysis of threats and their corresponding risks. It will often recognize when program measures are ineffective or create unintended consequences that make them unworthy of implementation. These programs will discern between real and perceived threats and view them in the context of both organizational priorities and related threats. The success of these programs will be measured not by how many “threats” are avoided, but by the impact they have on the supported business and its opportunities to succeed. SRM is not a cost center, and those who still view it as such are woefully behind the times. It is a strategic imperative and should sit at the center of organizational decision-making.
We won’t always successfully separate perception from reality. We will be wrong sometimes. The worst thing we can do is to make a bad situation catastrophic. Just as doctors follow the mantra “Do no further harm,” security and risk practitioners should be the voice of reason in the company when unwise or reactionary impulses are floated, and should build consensus around a measured response. Business leaders, in turn, must listen to their SRM experts and weigh the analysis provided to them as objectively as possible. All of this requires sound intelligence and a full understanding of the threat context. We will discuss “threat and risk context” and why it’s important to SRM in another article. Risk intelligence is more than a GIS, a data feed, or an assortment of potential threats. It is the collection, analysis, interpretation, and actioning of all available data in context, with the goal of understanding risk exposure and supporting organizational decision-making.
Please get in touch. We want to hear from you and how you separate the real from the perceived to avoid “toxic risk management.” Follow Alpha Recon for more insights and discover how our technology can help implement your program following SRM principles.