The word ‘agile’ has been adopted to describe both the expectations of commercial organisations and the working practices of employees. But what does it mean?
Agility is a crucial element in high performance sport. It can be viewed as the ability to rapidly change direction in response to a stimulus, while maintaining one's balance and minimising the loss of force. For a business, the stimulus could be a disruptive event, products becoming obsolete or changes in the expectations and desires of customers. To display agility, a business would look to respond rapidly to such changes in order to maintain business as usual and minimise revenue loss and missed business opportunities. Security Risk Management professionals offer experience in a number of areas which can add value to the development of agility within a business, particularly when the stimulus that warrants a response is a malicious action or threat.
Security Risk Management professionals can identify potential threats and hazards, support business continuity planning and the development of effective crisis management procedures within organisations, and offer advisory assistance to support the construction of a resilient business architecture. In order to minimise potential value leakage from advice provided by Security professionals, organisations may benefit from consulting them at the earliest opportunity. Rather than wait until the latter stages of organisational design processes, more benefit may be gained from interaction during the design of an organisation's operating model. As the operating model acts as a bridge between strategy and operational processes, the security strategies of an organisation could be integrated into this stage of business design, alongside the formation and definition of its overarching principles, processes, governance and culture.
The security strategy will cover a number of areas. While the key theme will be to protect the organisation and its assets, a multifaceted approach will include the provision of physical security to its employees, locations and tangible assets, and the security of its information. Although the proportion of focus will differ depending upon the business type and its activities, business functions in the majority of organisations are often inseparable from the information communication technologies (ICT) that support them. The effects of business disruptions to ICT are no longer limited to mere inconvenience. Within the United Kingdom, the reliance upon online trading applications, big data storage and customer relationship management systems leaves businesses that do not follow appropriate information security strategies open to falling foul of the Data Protection Act (1998) and the approaching requirements of the General Data Protection Regulation (GDPR), which will apply from May 2018. Similarly, organisations that do not provide adequate protection and training to ensure the physical safety and security of employees may not meet the requirements of the UK Health and Safety at Work Act (1974) and in particular the Management of Health and Safety at Work Regulations (1999). Board-level consideration of Security Risk Management at the earliest stage can help to avoid this.