If you stand still long enough, you will see everything go around again
It is an increasing expectation that everyone should be innovative and creative. We attend professional conferences and prepare to be both informed and inspired by the thought and transformational leaders of the day (and often of yesterday), ready to sell you their next book on a model they developed or preparing for a consultancy career, after a life in the shadows of another organisation.
Hold onto the thought of leadership, as we will come back to it.
The security industry has rightly grown at an exponential rate, with increasing geopolitical and social instability, as well as the dwindling resources of public services resulting in the need for governments to place increased responsibility on private organisations to care for themselves, or to face legal and financial consequences should they fail to do so. Over twenty years ago, the UK saw the introduction of licensing for door supervisors (bouncers) and a number of private physical security services in the UK which resembled military operations in Northern Ireland, during The Troubles. Physical security matured, adopting a layered approach, which is very similar to the defence in depth approach to trench warfare. Then we suddenly realised that the threat had morphed into a digital domain and organisations were exposed to terms like Cyber, firewalls and hackers and quickly took to hiring experts in Java : Phython: C+, in order to protect their digital networks. Cyber became so big that some of you forgot about physical security for a while. After 10+ years of Cyber Security becoming so frequently spoken about that people started to ignore the word, we started to consider something new. People. The security industry is suddenly talking about the Human Factor, Insider Risk and Insider Threat. At one point, Cyber Insider was adopted in an attempt to make people aware. We have had malicious actors (unhappy employees or thieves), infiltrators (spies) and exploited individuals (the vulnerable), for quite some time. Recently, the words unwitting and inadvertent threat actors have been adopted and people are increasingly awarding themselves the protected title of Psychologist, by talking about the behavioural based programmes, they have designed which will save organisations from this new threat. Only, it’s not new. Espionage is one of the oldest acts.
Let’s not forget that people are your threat actors. They are also your defenders. They are always your vulnerability. The newly discovered group of unwitting / inadvertent actors are also not new. It’s not a new phenomenon that people may not have been trained effectively or have been trained but chosen not to follow the procedures they were taught. Or they forget. Not particularly ground breaking but it seems to be a growing area of expertise. With the security field quickly filling with experts in a wide range of areas, we are starting to see a growth in people suggesting that physical, cyber and personnel security should all work together in a harmonious and holistic way. Security convergence has been around for some time, but perhaps now we are starting to see its benefits.
Don’t misinterpret this piece of writing as a criticism of efforts to professionalise and to mature our approach to security, rather it aims to stress that in an attempt to create something new, we are in danger of over complicating things. There is definitely a need to be more effective at linking the security landscape, but in striving to sound like we have created something unique or the next model or catchphrase, we may be missing something critical. Security is about choice. This can be interpreted as decision making, which, if someone consistently demonstrates that they make effectively, is associated with positive leadership. Effective choices / decision making / leadership is at the core of all successful activities, security and otherwise.
Having the fortitude to look at situations differently and to communicate a perspective and potentially a story or potential scenario based on an analysis of available information, can support intelligence - led decisions . This provides context to environments and supports the completion of processes to identify threats, vulnerabilities and business impact, enabling risk-based decisions to be made. From here on in, if they so choose, organisations can form Agile teams or a network of teams, meet for daily Stand-Ups, iteratively developing, delivering and implementing security programs, to protect people, assets and reputation. There are plenty of models available to guide this, but they all fundamentally should consider the same question.
What is the effect I am trying to achieve?
Let’s focus on that for a moment, rather than the approach. Organisations and security leaders need to think about that more, rather than the number of phrases and frameworks that they can quote. Perhaps then, we may also be more successful in developing the unicorn we all seem to be chasing, a positive Security Culture. I have previously written and spoken about the importance of getting people to care, so it is nice to hear people from an audience repeat it.
But what does that mean I ask?
When we lift the bonnet, the same people that speak about a positive Security Culture, don’t know. The reason is; it’s not about security. Security is a result. It’s about people. People building relationships with other people, getting to know them, providing guidance they can adopt and follow, teaching and coaching them how to do something safely and securely, role modelling appropriate behaviours, helping them when they get things wrong and then making the decision, if required, to use technology and business processes to investigate incidents and to manage performance, on the behalf of a team and wider business, when things repeatedly go wrong.
This is where the change takes place. The emotional intelligence displayed by individuals who lead and their experience of dealing with the varied guises of people can’t be replaced by AI / ML / Automation / rehashed models or frameworks. You don’t necessarily need to spend lots of money to improve your security. Rather than repeat the same message, we can get more out of people by improving our ability to communicate the right choices and to lead them in the right direction. Experienced leaders are needed who can be confident in their actions and words. Perhaps then, we might start to really improve our ability to mitigate the risks caused by people, regardless of whatever label we attach to it.
So let try something new
Rather than keep quiet, lets talk with each other about risks, share best practices and share what works for you. ERG Step-Up can meet with groups, be that Tech Start-Up Accelerators, Small, Medium or Large businesses, industry and research groups or academic networks. We can meet and talk, but crucially we can leave you to become self-sufficient, supported by your own internal ERG Security Champions who can continue to speak with you as your peers and colleagues and lead you to become a more secure group or organisation.
By Stepping - Up, we can help to keep each other, our assets and our IP, safe and secure
Get in touch to discuss the actual changes you need to make to improve your security, through the ERG Step-Up Programme.