Linda Howson provides some advice to security professionals on how to communicate risk scenarios and encourage buy-in to security planning to other stakeholders in the business.
Linda Howson
“The only constant in life is change” – Heraclitus, the Greek philosopher.
It is perhaps rather ironic that since Heraclitus walked the earth, this quote has been replicated and regurgitated in numerous forms but, for many, is only just becoming an acknowledged reality. The constant adjustment and the consequential level of uncertainty is gradually gaining acceptance as the “new normal” after more than a year of the pandemic. This extraordinary normality has created unprecedented challenges for businesses, ranging from exciting opportunities, to simply ensuring business continuity.
Even before the pandemic, the dynamic characteristics of business strongly influenced organisational operations, the effects of which are not lost on risk and security professionals. For some, this variability is fascinating and captivating; for others, it is experienced as unstable and unmanageable. The pandemic has caused an accelerated frequency of change, transforming the world of risk and security.
Having dealt with the inevitable “firefighting” required to address the initial pandemic situation, some security professionals have spent recent months adapting existing strategies and policies to cope with the “new normal”, while others have finally gained the opportunity to start afresh.
Though the allure of developing a security strategy from scratch may initially seem attractive, it is a difficult, lengthy, and complex task involving a considerable number of stakeholders. The process itself requires the generation of large quantities of data, which, in turn, needs to be processed and analysed, before the actual creative process can begin. In the real world, security professionals do not have the luxury of starting with a clean slate, instead inheriting an operational situation, complete with history and associated baggage. Whatever the case, very often the reasoning driving choices and decisions is lost in the midst of time, leaving only the remaining operational processes and procedures behind.
Theoretically, this does not pose a significant problem if the business, and all the associated environments in which it operates, never changes. Unfortunately, Heraclitus makes a valid point and the security challenge becomes apparent.
Given the new normal and the ever-increasing rate of change, how can security professionals adapt and ensure that they remain ahead of the game?
Fortunately, if we look further afield, there are other problem domains that demonstrate comparable characteristics, ranging from weather prediction to stock market forecasting. Weather prediction is a good example of a complex environment which, on first sight, appears chaotic and unpredictable but, in actual fact, behaves according to clear, definable rules. The impression of chaos is generated by the interaction of a wide variety of influencing factors. This is a level of detail that challenges human cognition. However, by creating a virtual model of the physical world and augmenting the model with details of the influencing aspects, it becomes possible to reproduce and justify many weather conditions. Once scientists began to capture weather data and recreate the scenarios in which the data was generated, models began to form that facilitated the understanding of how all the aspects interact and the consequential effect of the interaction.
Imagine adopting the same approach and creating a model of the physical location and structure of your organisation. Your facility team adds building property detail and facility assets. The business managers allocate functions to the relevant spaces and identify the functional roles that operate in the spaces. Your human resources team defines the organisational structure and connects actual employees to functional roles. Security and risk professional specify the required security rules for functional roles and detail the required measures.
It is logical to assume that the quality of the model is entirely dependent on the input received. This is why your company experts are essential in the construction of the model, in much the same way that they are responsible for the organisational operations. This ownership of knowledge and experience means that your personnel are capable of explaining and justifying any decisions or choices made, that have an effect on the organisational operations. The gradual enrichment, through the addition of layers of data and information, and the interconnection of the layers, increases the accuracy and applicability of the model.
Returning to the earlier example of weather forecasting, we are all able to understand the analysis of the complex data performed by our favourite weather reporter. By visualising the resulting conclusions and insights, we are able to understand the consequences of all the influencing aspects without having knowledge or understanding of the underlying theory.
This approach is equally powerful for our security model. By visualising the model output, it is possible to involve all key stakeholders in the analysis process. The virtualisation reflects real life, allowing the stakeholders to identify the areas which are affected by their input and, consequentially, the information which interacts with the input of others. It is this confrontation that creates a solid platform for communication and collaboration.
Additionally, as with the weather, it becomes not only possible to interpret the information but also provides the potential to predict and anticipate. By defining the potential risk scenarios and playing these out within the confines of the security model, we gain further insights which allow the refinement of earlier choices and implementations. The model provides an environment in which we can visualise, test, verify and validate decisions before making any investment. This significantly simplifies the process of calculating the return on investment and any accompanying discussions.
Before we all embrace utopia and place our unconditional faith in science, it is perhaps worth noting that, in the words of Alfred Korzybski – Polish/American scientist and philosopher, “the map is not the territory”. The model is a simplified version of reality and, just as you cannot blame nature for not behaving according to the weather forecast, it cannot answer all questions or predict all outcomes. It is wise to accept the inevitability of change and, in doing so, arm ourselves with the tools to make informed decisions when the unexpected occurs. In military language, the model is a force multiplier, placing the emphasis very clearly on the human element in the equation. The security model can provide leverage but the quality of your personnel remains your greatest asset.
About the author
Linda Howson is an innovative team at Nedap, in the Netherlands, working on solutions for the future of access governance. Linda has almost 30 years experience, in a wide variety of industries, ranging from internal research and development, to external client related roles. Recent years have been focussed on concepts related to physical access governance and the impact that this has on business continuity. By working closely with security professionals that are passionate about their chosen career, Linda and Nedap are making headway in creating the solutions for tomorrow.
Connect 2021 is your first major opportunity to come together with the security industry online from 1-30 June!
The month-long online event will give attendees the opportunity to make up for lost time by browsing security solutions, connecting with suppliers and accessing thought-leadership content - all from the comfort of your own home or workplace!
