As executives, consultants or experts responsible for managing security-related risk – whether we are mapped to the Security organization or to functions such as HR, Legal, Compliance or Business Continuity – we are acutely aware that risk isn’t static or simple. It’s dynamic – and complex.
But for us to be successful in our positions as the principal champions of prevention – which is hard enough in and of itself to measure – we are often challenged to help stakeholders who lack our security experience understand that risk isn’t theoretical. It’s tangible. And very, very real.
How do we do this in a compelling manner? Each situation and organization is different. But I have found these tips and tactics to be successful. It’s like a carpenter’s toolbox. Sometimes you just have to try a different hammer.
Tip #1: Emphasize that Risk is about Threats, Vulnerabilities and Consequences
Risk gets real when you break it down. At Hillard Heintze, we use the definition of risk outlined by the Department of Homeland Security (DHS) in its 2013 publication, National Infrastructure Protection Plan (NIPP). This framework assesses risk as a function of three factors: threat, vulnerability and consequence.
Whether you’re “managing up” to the executive level, “across” the company’s business lines or functions, or “down” through your direct reports and theirs, get your teams to be specific about the list of threats you’re trying to address. Then identify your vulnerabilities. Finally, do the same for your consequences. At our firm, we have a highly structured methodology that extends this process to quantification, but if you’re doing it on the fly, try to be specific about these three drivers of risk even if you can’t apply a quantitative measurement.
Tip #2: Prioritize What You’re Trying to Protect
Risk becomes more tangible when the team realizes it doesn’t have enough resources (e.g., time, people, budget) to reduce risk wherever it resides. Deciding which risks cannot be fully addressed – particularly when expressed in terms of likely consequences – will get your stakeholders’ attention. Ensure your analysis captures your core assumptions and constraints, applies a risk score to each threat and generates a prioritized list. Document your inputs, because you may be called upon to defend your analysis and recommendations, as well as any risk management plans you generate as a result of this exercise.
Tip #3: Remind Your Audience that People – and Behavior – Often Drive the Lion’s Share of Risk
The most tangible embodiment of risk is people. In fact, the risk corporate leaders most often overlook and under-manage is the workforce. For example, if employees aren’t guided by clear security-related policies, and trained on them, they won’t always realize how even small actions – positive or negative – can have enormous implications for security-related risk management. On the positive side, this behavior might take the form of “see something; say something.” On the negative side, it could be courteously holding open an access-controlled door for someone who may be an unauthorized individual with malicious intent. People-related risk also includes areas such as insider threats and fraudulent actions by an employee with access to critical or sensitive information or systems – as well as workplace violence, whether threatened or carried out, by a terminated employee or the partner of an employee in an abusive domestic relationship.
Tip #4: Strive to Measure Risk Wherever You Can
Measured risk is more tangible than risk described in qualitative, subjective terms. I touched on this in Tip #2. The holy grail of risk measurement might be, for example, a major study by a legitimate, independent authority that identifies the probability of a given security threat or event using inputs consistent with your organization and risk environment. Such data is relatively easy to find for weather risks, crime levels by jurisdiction and the frequency of various types of accidents. But your in-house methodology will be challenged to quantify the consequences of a major cyber-hack of your R&D facility without a relatively complex risk model and sophisticated algorithms. Bottom line? Your stakeholder audience is more likely to grasp the tangibility of risk if you pull out an objective yardstick.
Tip #5: Visualize Countermeasure Impacts on Risk Levels
Give risk a shape and a color. Translate your prioritization of security-related risk and its subcomponents – threats, vulnerabilities and consequences – to graphics. Visually demonstrate the current state and future state of the risk (e.g., as a quantitative metric or a simple five-level scale from Significantly Reduced, Reduced and No Change to Improved and Significantly Improved) as a result of your countermeasures.
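The following is an added illustration, not part of the original post or Hillard Heintze’s methodology, that ties Tips #1, #2 and #5 together: each threat is decomposed into threat, vulnerability and consequence ratings, scored, prioritized, treated with countermeasures under a finite budget, and then drawn as current-state versus future-state bars. The register, the 1–5 rating scales, the product scoring model, the countermeasure plan and the thresholds for the reduction labels are all constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    threat: int         # 1-5: likelihood the threat is attempted or occurs (assumed scale)
    vulnerability: int  # 1-5: how exposed the asset is today (assumed scale)
    consequence: int    # 1-5: impact if it succeeds (assumed scale)

def risk_score(t: Threat) -> int:
    """Tip #1: risk as a function of the three NIPP drivers. The product is an assumed model."""
    return t.threat * t.vulnerability * t.consequence

def prioritize(register):
    """Tip #2: highest-risk items first."""
    return sorted(register, key=risk_score, reverse=True)

def apply_countermeasures(register, plan, budget):
    """Fund countermeasures in priority order until the budget runs out.
    plan maps threat name -> (cost, vulnerability reduction). Returns (treated register in
    priority order, names of countermeasures that could not be funded)."""
    remaining, treated, unfunded = budget, [], []
    for t in prioritize(register):
        cost, drop = plan.get(t.name, (0, 0))
        if cost and cost <= remaining:
            remaining -= cost
            treated.append(replace(t, vulnerability=max(1, t.vulnerability - drop)))
        else:
            if cost:
                unfunded.append(t.name)
            treated.append(t)
    return treated, unfunded

def change_level(before: int, after: int) -> str:
    """Map the change to the post's scale; the 50% / 20% thresholds are assumptions."""
    reduction = (before - after) / before
    if reduction >= 0.5:
        return "Significantly Reduced"
    return "Reduced" if reduction >= 0.2 else "No Change"

def render(register, treated):
    """Tip #5: give risk a shape. One '#' per 5 points, current state over future state."""
    lines = []
    for cur, fut in zip(prioritize(register), treated):
        b, a = risk_score(cur), risk_score(fut)
        lines.append(f"{cur.name:<38} now    {'#' * (b // 5):<25} {b:>3}")
        lines.append(f"{'':<38} future {'#' * (a // 5):<25} {a:>3}  {change_level(b, a)}")
    return "\n".join(lines)

# Constructed register and plan; budget units are arbitrary.
REGISTER = [
    Threat("Tailgating through controlled door", 4, 4, 3),
    Threat("Insider misuse of sensitive systems", 3, 3, 5),
    Threat("Workplace violence, terminated staff", 2, 3, 5),
    Threat("Severe weather at R&D facility", 3, 2, 4),
]
PLAN = {"Tailgating through controlled door": (2, 2),
        "Insider misuse of sensitive systems": (3, 1),
        "Workplace violence, terminated staff": (2, 1)}

if __name__ == "__main__":
    treated, unfunded = apply_countermeasures(REGISTER, PLAN, budget=5)
    print(render(REGISTER, treated))
    print("Unfunded countermeasures:", unfunded)
```

The unfunded list is the point of Tip #2: it shows stakeholders exactly which prioritized risk is left untreated, and what its consequence rating is, when the budget runs out.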
In sum, as corporate security experts and executives, the more “real” we can make risk appear – or any one of its components – through tactics such as deconstruction (Tip #1), prioritization (Tip #2), embodiment (Tip #3), measurement (Tip #4) and graphics (Tip #5) – the more likely we are to protect people, performance and brands.