Jan 12, 2022

Security is about much more than having the best software and appliances protecting your systems and data. The old dictum of focussing on people, processes and technology has never been truer than today. Faced with increasingly sophisticated, well-equipped, and highly resourced attackers, today’s enterprises must take a complete, end-to-end approach that engages users, looks at how specific tasks are done, and how technology can work alongside people as they do their work. In the modern enterprise, security is no longer just about information systems. Business risk is everywhere. A recent report by the World Economic Forum pointed to several major risk areas ranging from infectious diseases and climate change through to cybersecurity and brand and reputation risk. Security is about more than technology – it’s about addressing enterprise-wide risk. “We often look at a specific risk, as it happens, and we tend to fixate on that rather than taking a more strategic view,” says Gav Schneider, the Chief Executive Officer of the Risk 2 Solution Group. “If we look at the pre-COVID era, most businesses were fixed on the idea of certainty, a three to five year planning cycle and trying to create structure.” Dr Schneider says that even in the face of rolling waves of disruption such as travel bans, vaccine rules and lockdowns, leaders have been able to make significant decisions about everything from onboarding new staff to managing and protecting critical data and physical assets. This has enabled organisations to flex their adaptive muscles in new ways to overcome the challenges, giving them confidence to face new challenges and opportunities in the future. Decision fatigue around critical business risk management affecting our leaders is a significant issue. Business leaders have needed to make quick and accurate decisions on several issues, many of which with no precedent and it’s led to many of them suffering through these often exhaustive and stressful situations. “We weren’t prepared to send thousands of workers home with the vulnerabilities on their mobile phones and home networks. We’ve had to move very quickly to enable this,” says Megan James, the Director for Public Sector in the ANZ region for Dataminr. Business leaders need the support of colleagues and reliable data to help make critical decisions around risk and to stay ahead of rapidly unfolding events, so they can act fast once an event strikes. Risk management is no longer a ‘box-ticking exercise’ but a must-have business function. That means having data and systems that allow people to discover potential threats, place those in a business context and support them so they can collaborate to manage those emergent situations. Perhaps the silver lining to the pandemic cloud is that savvy organisations have established those systems. As we ease out of the pandemic, they have a risk playbook that enables them to adapt to whatever new risks emerge. While we may be better placed to manage this pandemic, the risks organisations continue to face are more varied and significant than ever before. It’s vital that businesses use the learnings from the last 18 months to ensure they are prepared for future emerging risks such as climate change, health, cyber and corporate risks. The broad scope of risk Boards are now taking a more converged approach to risk and seeing the broader landscape rather than risks in silos. We have learned that a public health crisis impacts everything from staff mobility through to real estate prices. Businesses that take a siloed approach to risk management will find themselves blindsided unless they consider their environment more broadly. “Boards and management teams are starting to take a converged approach. They’re looking at the landscape in its entirety as opposed to looking at risks in a very siloed manner,” explains Andrew Webster, the Chief Risk officer at Aussie Broadband. While there are many people that say a global pandemic was inevitable, no-one foresaw the exact timing of COVID-19. And the same can be said of other major events such as earthquakes, pandemics, bushfires and ransomware attacks. The question all business leaders want to answer is what’s the next crisis? And are we prepared for the ‘unpredictable'? “There’s a lot more thought about that converged risk lens. It's about understanding the full picture.” adds Webster. “That means everything from the nature of the incident through to the risks to your people, assets, finances, and reputation. This takes us beyond a survival mindset into resilience – being able to continue operating in spite of the disruption.” Critical decisions around incidents are often made in an ad hoc way. Gut feel and experience tend to take over as many leaders lack the data to know when an incident will occur so they can prepare. But if unpredictable events happen regularly, then it becomes possible to have be prepared to respond in a way that is predictable and understood by all stakeholders. Resilience is the real goal It is impossible to anticipate and mitigate every risk. The focus on compliance is on ensuring we are ready for reasonably foreseeable events. This is important but it’s only a starting point. Organisations must prepare for when it doesn’t work. This shifts the focus to business continuity and incident response underpinned by intelligence-driven decision making. Decision-making is about much more than having access to data, explains Webster. He says the aim is to take data and turn it into information that provides value for the specific situation. That relies on analysis to create knowledge – which is information in the context of the current situation – to make better decisions. Organisations must take a proactive approach to identifying and mitigating risks by using data to understand the environment you operate in and prepare for incidents proactively. Being too compliance-focussed can get in the way of this. Compliance sets a minimum acceptable standard. While that is important, it may not be enough to offer you real resilience in the face of high-impact events. Managing an incident is about getting the best from your people, process, and technology at the right time to better manage risk. And while looking back at history to reflect and learn from your responses to past incidents is important, history may not be a great predictor for what incidents you need to protect against in future. Moving forward The first step in establishing greater resilience and preparing for the risks of the future is to start talking about risk in the boardroom, in the C-suite and at the coalface of your business. Identify the risks in your supply chain and establish whether there is an over-reliance on technology. Conduct an audit so you really understand what your essential services are and the partners you work with so you can address full supply chain risk. Invest in people by building their skills and using systems to complement and support them. Information is power – get the right information to the right people quickly so they can identify and manage a risk before it escalates and put early warning systems in place. The priority in an incident is on protecting people and assets as well as the company’s reputation and bottom line. In October 2021, Dataminr was alerting customers about the Melbourne earthquake 15 minutes before government agencies published information. That information came with analysis which gave organisations intelligence so they could act appropriately. For example, people in high-risk situations could be moved to safety faster. “Information is power,” says James. “Using data from social media, sensors and other sources allows us to inform customers of escalating incidents so they can prepare and respond appropriately.” The future of security in the modern enterprise is about using data to understand the threat environment you operate in, taking a holistic view of the world and not splitting risks into operational silos. You may not be able to prevent a major incident from occurring but knowing if an incident is likely to occur and having plans in place to manage your response is the secret to building resilience so you can move forward and continue successfully operating. We continually hear about how our world is moving into a ‘new normal’. That new normal isn’t specifically about the pandemic. The new normal is a world where disruptions can be expected faster than before. Organisations need rapid access to data so they can conduct analyses and make decisions quickly in order to continue, and even thrive, in the face of disruption. Related: