Security Risk Management is Simple, Not Easy
The formula for weight loss is simple. Eat less and exercise more. Simple things aren’t always easy.
The security risk management process is simple. Identify the assets that require protection, assess their vulnerability to relevant threats, and apply control measures that reduce the likelihood and/or impact of an event. Simple. Not easy.
What do these two examples have in common? Mainly human behavior. People are creatures of habit and more likely to do what they have done in the past. More specifically, people will often re-prioritize their actions (or inaction) based on whether they are being observed.
As security management is scaled up to multi-national or global levels, the number of people involved increases significantly. More stakeholders, more staff, more visitors, more security suppliers, and more threat groups result in increased complexity.
The challenge is universal. Building a single house is much easier than building a skyscraper, even though the fundamental processes of design, engineering, permitting, and construction are conceptually the same. The difference is primarily that more people are involved in the process.
Despite the inherent simplicity of the security risk management process, complexities invariably arise when scaling to include dozens of projects, locations, or sites, representing thousands of assets exposed to innumerable threats. Yet this is precisely the challenge that Chief Security Officers face every day. To be effective at scale, CSOs require visibility and accountability at all levels. They need real-time insight into work in process, the status of critical tasks, and the performance of control measures.
Ultimately, stakeholders and participants in the security management process need to be held accountable for completing their assigned tasks and activities. Visibility sets the stage for accountability because tasks and actions that are visible are the ones that tend to get completed. It’s just human nature.