Security Risk and Governance – We’ve consulted with innumerable enterprises and Government entities over the years, and several common themes continue to arise in relation to both cybersecurity and protective security risk assessments (SRAs).

Straight to it…here are the top 10 security risk and governance-related issues that we have found, and a synopsis of the recommendations we’ve made to address them:

1. Security Governance: The absence of effective security governance tends to be a root-cause issue, which ultimately influences the effectiveness of all cascading risk controls. Planning a policy, framework, plan/manual, procedures etc. hierarchy, which integrates within and supports broader organisational objectives is critical for program support…and ultimately its success.

The role (purpose) of the entity will in most circumstances have a significant influence on the need for security; this should not detract from ensuring that such planning is performed, and that a risk-based approach is taken thereafter.

It is also key that governance is reviewed periodically, that control over changes is assured, and that any documentary changes acknowledge the cascading effects that they could have.

2. Security Training: every significant entity has multiple personnel demographics, and each should receive nuanced training content based on their function. The usual categories include: general employees; contractors; those with security-related roles and senior stakeholders. The timings, channels used and content delivered should be considered in view of this.

3. Security Risk Management: in the absence of diligent planning, security risk management can easily become ad-hoc. Entities should consider when, at what level (i.e. three-lines of defence/strategic-operational-tactical) and to what scope such assessments should be performed. They should also consider program methodologies and criteria to be applied (internal risk criteria is preferred by default) and enshrine this within a Security Plan.

4. Stakeholder Engagement: gaining the confidence of senior stakeholders within the organisation is critical for genuine success. There is a significant degree of deliberate stakeholder management that should be factored into this process.

Demonstrating that the security program is not ‘over-egging’ the risk environment for leverage is a key message. External stakeholders, such as regulators and industry forums are also key for stakeholder management and contemporary knowledge.

5. Internal Communications: the ability to exploit the power and capabilities of internal communications support and mediums is often overlooked. A (suitably) prominent presence on the entity’s INTRANET, coupled with assistance in developing the security communications strategy and a plan is the type of support that should be available.

Communications initiatives such as ‘Spotlight On’, or ‘Security Focus for the Month’ can have a big impact on take-up. Articles (structured such as this, but tailored to the audience) should also be considered; it is also recommended that the tone of messaging reflect less stick and more carrot (e.g. “how security can help”).

6. Process Integration: we often see a lack of integration with Human Resources/People and Culture in particular. A classic case is where an employee is investigated and their employment is terminated, but security is not informed (in may cases security is not even part of the investigation).

Access card recovery and acquittal, security clearance assurances/debriefs and other needs are routinely overlooked when security is not an integrated part of the process. Ensuring accurate entries against employee records for security training that has been completed is also much easier when security and people management systems are well integrated…doing so will often involve previous stakeholder management efforts.

The IT function is another area that is historically difficult to integrate with, but it is also an area where great synergies can be achieved, and where there can be significant operational (e.g. integrated policies) and tactical (e.g. physical security) overlap.

7. Technology and Systems: entities are getting better, but many have not taken up technology to support various security functions. From incident reporting to security risk platforms, many are yet to enjoy the efficiencies and benefits of aggregating data automatically.

Traditional systems, such as CCTV, access control and intrusion detection also lag as budgets are stretched. In the interim entities should look for the business cases that support such expenditure and promote them in the context of their own organisation.

8. Accountability: With regards to non-cybersecurity practices, a valid question is whether an entity’s peak security manager can possibly assure security across an often geographically dispersed environment.

It is often recommended that security managers seek to implement accountability for security outcomes by business areas/units, versus the centralised accountability model. This is not always easy, but the argument of “security is a cost of your business line doing business” becomes much easier, especially when backed up by effective collaboration (and senior executive support).

If successful, it can be enlightening to see how serious achieving security outcomes can suddenly become, and how much time can be freed up for the security manager to do other important things.

9. Incident Management: it is often the case that incidents are not identified, reported/escalated, categorised and/or responded to in the most effective manner. This issue is relatively straightforward to improve in a documentary/plan/protocols sense, but the challenge comes in achieving organisational awareness, buy-in and change.

Engaging Internal Communications can be key in this, as mentioned earlier; so too are exercises, tests and training.

10. Assurance Practices: It is not by coincidence that assurance is last on the list. More advanced security programs have effective elements of all the initiatives mentioned above. What has been apparent however is that each can quickly become out of date and thus ineffective if not continually monitored and improved.

The most common problem goes back to the first point – when changes to governance (policies, plans etc.) are made, the cascading effects are not always identified, and programs become disjointed over time.

This goes to ensuring that assurance practices adopt a change management through quality systems approach; this means that programs should be planned, implemented, reviewed and improved over time, in the way that the Deming cycle (Plan/Do/Study/Act (PDSA [yes it has been updated from PDCA]) accommodates. If there is a Security Committee or comparable forum to oversee this, even better.

There are numerous other security risk/governance issues and recommendations that could be identified and made when performing a risk assessment, but these tend to factor among the recurring themes. We hope that this article may be of use, to both those who manage security programs and others who provide advice to them in the process.

Yours in security,

Konrad Buczynski

Industry Risk is Australia’s shining light in solutions for Protective Security and Business Resilience. We welcome opportunities to assist entities in getting to a security baseline, then helping guide them in more advanced endeavours.