Given today’s current and recurrent issues, can we realistically plan to protect ourselves against the possibilities and realities of security risk? Is it realistic in any way to think that we can effectively protect our organisational assets, or otherwise prevent them from encountering harm? Phillip Wood examines the task in front of practising security professionals.
As a discipline, security management is becoming more and more challenging. Multiple risks, multiple adversaries and the intricacies of our own organisations – and, indeed, the contexts within which they operate – can combine (and, indeed, be conflated) to offer confusing and worrying dilemmas for members of the management team.
The idea of prevention and protection is core to the security-related concepts of deterrence, detection, delay and other ‘d’s. Keeping adversaries outside our organisations and at a safe distance seems to make good sense, while preventing them from considering our assets is an essential element to be found at the very core of sensible, risk-based security.
Whether we decide to deceive the adversary to some extent by not revealing the full value of our assets (which, of course, is becoming much more difficult to do in ‘The Information Age’), or we put in place a demonstration or illusion of significant protective strength and security in order to push the threat elsewhere, the point is there are things that we can do.
However, once the adversary decides to make their move, and ‘attack’ us as a target, then that element of protection is probably largely redundant. We should then consider the nature of our asset protection.
Is it well-planned or is it a conglomeration of ad hoc and vendor-recommended and provided solutions that have been procured and installed at the best possible price? Do our security teams fully understand their roles, and do we as organisations really comprehend the multiple routes and potential points of failure that the determined adversary will be able to exploit in order to reach the target and remove – or otherwise degrade – our assets?
Even with the increased and improved general security awareness that seems to accompany the increasing cyber threat (as a prime example of prevalent risk) and perhaps the more visible – but abstract for many – threat of terrorism, the suspicion is that the ability to put in place effective protection for our assets isn’t complete in many businesses.
Business continuity approach
One matter to consider is whether we take another look at what security means and assess its overall aim in support of organisational resilience and continuing capability. Leaving crisis management to one side for this discussion, let’s consider the business continuity approach as something that’s fully complementary to effective security.
Perhaps, with an improved understanding by practitioners of both disciplines, we may be able to develop something that’s much more holistic and provides more protective value for the organisation than the current bifurcations of effort afforded to them.
I’ve had many discussions with business continuity specialists – not to mention acting as ‘referee’ during arguments involving them and security professionals – as to the primacy and requirements for interoperability between them. The separation is clear and defined, at least for those who specialise, although for those outside of these specialisms the distinction may be somewhat less clear.
This distinction becomes even more blurred when we consider that both disciplines have a requirement to recognise the fact that assessing risks is something that plays a legitimate part in the effective planning of organisational resilience.
However, the emphasis on risk assessment between the two is significantly different. Simply put, in the world of security, risk management leads. The attempt to understand the combinations and predicted elements of probability and impact, and of the ability to put in place controls, is at the core of risk assessment. When effective, it can provide the security planner with an estimate of the potential problems to be mitigated.
Clearly, some will be more obvious and evident than others. If you hold large amounts of cash in the retail sphere, for example, it would be sensible and appropriate to consider the risks from adversaries who’ll be looking to steal your money.
Levels of complexity
The levels of complexity that may be allied to security risk analysis and management can vary greatly. However, whatever the complexity, you may struggle to find a security professional who regards the risk-based approach as anything less than optimal for achieving effective planning and management.
At the other end of the scale are the business continuity people: the ‘shock absorbers’. In their world (like security, a sub-discipline of organisational resilience), the accurate assessment of impact is the key to success. The principle that the organisation needs to understand the criticality of the various elements of its business – what it does and the products and services needed to maintain overall survival – underpins business continuity.
The fact that there are threats and risks out there is accepted, as is the fact that the organisation needs to keep doing what it does in the short, medium and long-term and at variable levels of capability and complexity. Business continuity is all about time, with maintenance of products and services an absolute requirement for the end user. In short, the organisation has to do all it can to recover.
A good sporting analogy here is provided by boxing. Our organisation is in the ring. It’s fit, trained and motivated. We know that the opposition – our adversary – has a mission to cause us damage and overcome our defences.
As an organisation, despite all of our preparations, training and defensive skills, we know that some attacks will overcome them and pass through to the target. Given that, in most cases, we will be neither inclined to mount an offence ourselves nor capable of doing so, we understand we may be hit hard. We may even be out of action, or our overall capability at least lowered at some points.
However, we need to maintain our capacity and beat the count. We need to reach the end of the contest without being knocked out.
Tension between disciplines
The tension between the disciplines of security and business continuity remains. There’s an understanding in the former that the attacks will come and the defence needs to be impermeable. Business continuity aims to absorb the punches, perhaps knowing where they’re coming from, and also recognises that ‘taking one on the chin’ does more damage than any blow sustained to the ribs. There are priorities to be set out not only for defence, but also in understanding that there are some areas of the business which are simply more important or critical for survival than others.
This leads us neatly towards an interesting question: ‘Is risk management of a comparable priority to impact assessment for organisations that aim to be properly resilient?’ To put it another way: ‘Is there some benefit in rethinking elements of the whole concept of risk-based security towards the development of an impact management security process?’
There are some careful thought procedures required here. First, to even consider this idea we should be fully prepared to shed some of our mental baggage. Can we overcome our desire to push back the adversary and reallocate our time and efforts towards something that’s more impact resistant?
Of course, in the world of black and white choices we could perhaps take a view that one approach is better than the other. In reality, we should be fully prepared to understand life’s complexities, but there are different views.
Renowned resilience academic Professor Edward Borodzicz argues: “It’s pertinent to point out here that much of the literature and research has perpetuated – and continues to perpetuate – a split between prevention and response. This is particularly surprising considering that neither community could exist without the product of the other.”
This ‘split’ in views is further exemplified by those who dismiss risk analysis methods in relation to business continuity management. For example: ‘…They fail because the probability of occurrence for the rarer events is always a guess. Mathematical analysis methods may give a pseudo-scientific exactitude to the results, which are only based on guesswork, while the analysis of risk is a means to an end, not an end in itself. Without action it’s pointless.’
Beyond the parochial approach, then, we do have some hills to climb. Are business continuity and security complementary in more ways than we think? Probably. Are our fixed, parochial and blind approaches towards our ‘own’ disciplines a barrier to the effective progress of ideas? Look again at the last quotation and replace the word ‘risk’ with ‘impact’, and the words ‘guess/guesswork’ with ‘effective predictive analysis’.
To my mind, they’re equally applicable.
Phillip Wood MBE MSc is Head of the School for Management and Professional Studies and Head of Department for Security and Resilience at Buckinghamshire New University