Background

We’ve assisted innumerable enterprises and Government entities over the years, and several common themes continue to arise in relation to both cyber and protective security, and effective security risk management (SRM) and assessments (SRAs).

The Effective Security Risk Management & Governance List

Straight to it…here are the top 10 security risk and governance-related issues that we have found, and a synopsis of the recommendations we’ve made to address them:

1. Governance: The absence of effective security governance tends to be a root-cause issue, which ultimately influences the effectiveness of all cascading security risk management controls. Planning a policy, framework, plan/manual, procedures etc. hierarchy, which integrates within and supports broader organisational objectives is critical for program support…and ultimately its success.

The role of the entity will in most circumstances have a significant influence on the need for security; this should not detract from ensuring that such planning is performed, and that a risk-based approach is taken thereafter.

It is also key that governance is reviewed periodically, that control over changes is assured, and that any documentary changes acknowledge the cascading effects that they could have.

2. Security Training: every significant entity has multiple personnel demographics, and each should receive nuanced training content based on their function. The usual categories include: general employees; contractors; those with security risk management-related roles and senior stakeholders. The timings, channels used and content delivered should be considered in view of this.

3. Security Risk Management: in the absence of diligent planning, security risk management can easily become ad-hoc. Entities should consider when, at what level (i.e. strategic versus operational) and to what scope such assessments should be performed. They should also consider program methodologies and criteria to be applied (internal risk criteria is usually preferred) and enshrine this within a Security Plan.

4. Stakeholder Engagement: gaining the confidence of senior stakeholders within the organisation is critical for genuine success. There is a significant degree of careful stakeholder management that should be factored into this process.

Demonstrating that the security program is not over-egging the risk environment for leverage is a key message. External stakeholders, such as regulators and industry forums are also key for stakeholder management and contemporary knowledge.

5. Internal Communications: the ability to exploit the power and capabilities of internal communications support and mediums is often overlooked. A (suitably) prominent presence on the entity’s INTRANET, coupled with assistance in developing the security communications strategy and a plan is the type of support that should be available.

Communications initiatives such as ‘Spotlight On’, or ‘Security Focus for the Month’ can have a big impact on take-up. Articles (structured such as this, but tailored to the audience) should also be considered.

6. Process Integration: we often see a lack of integration between security risk management and Human Resources/People and Culture in particular. A classic case is where an employee is investigated and their employment is terminated, but security is not informed (in may cases security is not even part of the investigation).

Access card recovery and acquittal, security clearance assurances/debriefs and other needs are routinely overlooked when security is not an integrated part of the process. Ensuring accurate entries against employee records for security training that has been completed is also much easier when security and people management systems are well integrated…doing so will often involve previous stakeholder management efforts.

7. Technology and Systems: entities are getting better, but many have not taken up technology to support various security functions. From incident reporting to security risk platforms, many are yet to enjoy the efficiencies and benefits of aggregating data automatically.

Traditional systems, such as CCTV, access control and intrusion detection also lag as budgets are stretched. In the interim entities should look for the business cases that support such expenditure and promote them in the context of their own organisation.

8. Accountability: With regards to non-cybersecurity practices, a valid question is whether an entity’s peak security manager can possibly assure security across an often geographically dispersed environment.

It is often recommended that security managers seek to implement accountability for security outcomes by business areas/units, versus the centralised accountability model. This is not always easy, but the argument of “security is a cost of your business line doing business” becomes much easier, espcially when backed up by effective collaboration.

If successful, it can be enlightening to see how serious achieving security risk management outcomes can suddenly become, and how much time can be freed up for the security manager to do other important things.

9. Incident Management: it is often the case that incidents are not identified, reported/ escalated, categorised and/or responded to in the most effective manner. This issue is relatively straightforward to improve in a documentary/plan/protocols sense, but the challenge comes in achieving organisational awareness, buy-in and change.

Engaging Internal Communications can be key in this, as mentioned earlier; so too are exercises, tests and training.

10. Assurance Practices: It is not by coincidence that assurance is last on the list. More advanced security programs have effective elements of all the initiatives mentioned above. What has been apparent however is that each can quickly become out of date and thus ineffective if not continually monitored and improved.

The most common problem goes back to the first point – when changes to governance (policies, plans etc.) are made, the cascading effects are not always identified, and security/security risk management programs become disjointed over time.

This goes to ensuring that assurance practices adopt a quality systems approach; this means that programs should be planned, implemented, reviewed and improved over time, much like the Plan/Do/Check/Act (PDCA) approach. If there is a Security Committee or comparable forum to oversee this, even better.

There are also many more risk/governance issues and recommendations that could be identified and made during an assessment process, but these tend to factor among the recurring themes. We therefore hope that this article can be of use, both to those who manage programs and others who provide advice to them in the process.

Yours in SRM,

Konrad Buczynski

Konrad was a graduate of the Royal Military College Duntroon and served as an Australian Army Officer and telecommunications specialist until 2001. He has helds roles as Director of the Australian Centre for Security Management and Chief Security Officer | Crisis/Business Continuity Program Manager at Thales Australia-New Zealand, the region’s largest Defence Prime Contractor at the time.

A Certified Practising Risk Manager, Registered Security Professional, member of numerous security working groups and technical committees and designer and author of innumerable security risk management programs, Konrad was the architect and co-founder architect of SECTARA. He is a company Principal and SECTARA’s Managing Director.

Did you known that the Security Risk Management Aide Memoire (SRMAM) is free to all SECTARA subscribers (yes, even on the free plan).

How to get started with SECTARA

If you see the same great benefits that we do in SECTARA, there are several methods to get started:

As a valued subscriber, you will be comprehensively supported via our Ticketing System and Knowledge Base, and you can still always contact us direct when you need to.