The world is rapidly changing, and the threats to business and government are changing with it. This is particularly true for the threats to physical and information security systems in our companies and government agencies. To mitigate threats today and tomorrow, we need to change how we think about and address security. That means moving away from “standard” security compliance approaches and adopting a risk-informed approach to compliance, one that requires risk-informed mindsets and risk-informed organizational cultures.
Security compliance in some way, shape, or form is a business requirement. As threat concerns grow more ubiquitous, security compliance has become a business task that informs and impacts decisions pertinent to everything from asset management and human resources to operations, IT systems, partnerships, and environmental concerns. The intent of compliance is to establish a minimum security baseline for each organization. In many cases, though, the effort lives more in standardized checklists and contracts than in becoming an underlying focus of the organization.
Here’s the thing: threat actors don’t care about your compliance checklist (except maybe to know how to innovate to stay a step ahead of you). The threat actor understands that you are not flexible enough to react quickly to them, and that the “one-size-fits-all” approach to security in your organization will allow them to target your security gaps.
While security compliance can reduce risk to an extent, the standards do not go nearly far enough to protect the organization from external or internal risks, which are significantly more fluid. What we need is risk-informed compliance that allows for a customizable approach to security.
The Risk-Informed Mindset
Being risk-informed means that everyone applies critical thinking to security risk instead of just complying with a checklist. That’s because the threat can emerge out of gray spaces and be hard to nail down. Threats can be anything from geopolitical and geosocial events to the people you hire, the processes they engage, and the technology they use. Most importantly, they are unique to every organization, which means that having a risk-informed mindset requires that the response be unique to the organization.
Creating a risk mindset and culture across the organization, teams, and individuals means proactively considering what could go wrong, the likelihood of that risk, and the potential consequences. It means understanding and addressing emerging risk in new ways.
Building a Risk-Informed Culture
Some degree of security risk mitigation is already a part of almost every organization today. What we need to do now is build on the legacy mindset to create a new risk-informed culture in our organizations.
One of the first steps in building an effective risk-informed organization is to acknowledge that different threats call for different kinds of evaluation, whether mathematical, conceptual, or some other approach, and to decide which applies to each. It’s impossible to evaluate every type of risk in the same way, just as it is impossible to assume that threat looks the same for every organization.
This is where a cultural risk mindset is particularly valuable. Every member of the workforce should know his or her role and responsibilities in identifying and addressing risks. They should understand what is meant by the threats, vulnerabilities, and consequences that define the risks. They should know that thinking critically about security is everyone’s job. By eliminating departmental or functional stovepipes, teams and individuals across the organization can think and collaborate in the process of spotting, scoring, prioritizing, and mitigating particular security risks. This mindset should acknowledge that each organization is unique, even from location to location, and replace a check-the-box effort with a focused, risk-informed approach.
From a human capital standpoint, developing a risk-informed culture can lead to other strengths for the organization. For one, risk-based decision-making becomes a natural part of the culture, extending its impact by empowering everyone to collect, evaluate, and share intelligence to accomplish the shared objective. These expectations and values are more likely to produce critical thinkers who can extend that ability to other roles important to the Future Proof® capabilities of the organization.
As the pace of change and the threat universe continue to grow, government and private industry organizations must find ways to function with greater awareness and agility. Understanding that threat is fluid and its sources are incredibly difficult to pin down, organizations have to be nimble. The answer is not found in engaging more resources to mitigate risk, nor is it in engaging predetermined security compliance checklists. It is found in identifying new ways for your people and resources to work smarter and more cross-functionally within your unique structure.
It’s time to protect your organization from internal and external threats by applying the right solution to the right problem in the most efficient manner possible.