Security Risk Management (SRM) has been stuck in a static, programmatic approach for several decades. The procedures employed by corporates in the UK may well be out of date and unfit for purpose in the security threat landscape. Traditional methods often have the potential to waste limited security resources and cause potential disruption to the organisation, says Paul Mercer, pictured, Managing Director, of software firm Hawk sight.
Over the past 20 years, businesses have witnessed a decline in the size of their security personnel. This indicates that organisations are either not aware of the risks or not taking the risks seriously. The most common threats to security for a business are both physical and cyber but traditionally these have been handled in silos. It is essential for businesses to include Security Risk Management (SRM) as part of their business strategy, to mitigate loss of revenue, reputational issues and time spent on resolving security related concerns away from the core running of the business.
Why aren’t businesses taking security seriously?
The reticence of integrating effective SRM into the day to day running of a company may well be down to a lack of understanding of the function and the people who deliver it. Many businesses struggle with SRM due to the style of communication used by former military or police personnel who have tried to adapt skills learnt whilst in uniform to the corporate environment. Secondly, assessing global threats requires a large amount of people. By implementing a risk assessment manually, the ability to report in real-time hinders informed decision making.
Finally, by implementing an analogue procedure to SRM reporting means that there is a greater risk of non-compliance for businesses, and the potential threats to a company increases exponentially.
The opportunity of digitalisation in increasing security
Organisations are beginning to observe the benefits that digital technology can bring in optimising their SRM processes. Managing the organisation’s SRM in the cloud will reduce delays and disruption and improve communication and understanding. Information stored locally on laptops and personal devices is not accessible to everyone, increasing the time it takes to analyse and report threats to your business effectively.
A data-led approach is essential in responding to the ever changing threats environment. Digitalisation of security risk management will enable business leaders to mitigate and manage multiple global threats simultaneously, by drawing on a team of specialists that are able to access risk insights from anywhere in the world.
Rather than having security professionals as a separate cost centre, digital SRM specialists will add value across the organisation helping leaders to make timely and informed decisions, while supporting business continuity.
Digital SRM not only results in savings in time and cost for an organisation but it enables more accurate reporting to improve standards of compliance. A concise and visual reporting process as a result of using digital SRM provides peace of mind for the organisation, mitigating current and future threats to the business.
The use of a digital SRM platform will provide access to on-demand training for regular security updates. By developing an e-learning package, the quality and accuracy of reporting can be easily assured.
Digital SRM platforms are also easily integrated with existing Enterprise Risk Management (ERM) frameworks, enabling corporates to enhance the overall risk management effectiveness and cost-savings through cooperation.
Finally, digital SRM technology will lead to significant business benefits. According to a study of workflows, we were able to identify a cost saving of 63% in the time taken for the creation of an initial assessment and a reduction of 89% for updates.
Beyond digital
It is essential that digital is a supporting component in improving security risk management. However, it is also crucial for organisations to analyse the way in which they are communicating: Creating a standardised approach to managing risk.
This will ensure that all security team members are carrying out SRA in the same way, building continuity and accuracy in security risk reporting across the enterprise portfolio. It is crucial that security teams use a logical and standardised risk assessment process, free of military-style terminology.
Before embarking on digitising your SRM, organisations need to implement a standard risk assessment process to remove confusion and time wastage. This consists of a seven-stage future-proofed process, to help corporates mitigate their threats and vulnerabilities.
About Paul Mercer
Paul Mercer is Founder and Managing Director of Hawk Sight Security Risk Management Ltd, specialising in digital security risk management. After serving in the Royal Navy, Paul has over 20 years’ experience as a security advisor working across Asia, the Middle East and Africa. He has acted as security advisor to global corporates, major events including Abu Dhabi Formula One, INGOs, NGOs including the British Council in Nigeria, the Carter Centre, the United Nations, the international oil company Schlumberger, and a Candian consortium extractive company.
He has consulted in operational and security risk management, crisis management and emergency response, business continuity, journey management, urban security hardening, deep desert and maritime security.
Paul holds a Master’s degree in International Politics from the University of Glasgow and is a member of the register of Chartered Security Professionals (CSyP).