I meant to write this piece a few months back, focusing on the first part. However, with the developments around COVID-19, I thought the second point was also relevant and timely. Plus, I thought it might do some good, but I’d love to know what you think. Please send me an email with your thoughts.
Risk and security managers are often faced with the difficult task of defending the success of a risk management program with little or no supporting evidence. Ironically, the more successful a risk management program is, the less evidence there can be to demonstrate its effectiveness. So this success actually increases the perception that the program is unnecessary: after all, why have an expensive security program when you have few, if any, significant incidents?
There will always be some data. The number of people caught pilfering from the company is a hard metric, as is the downtime from an effective cyber attack.
But as you move away from the defeat / disrupt end of the protective spectrum towards defense and deterrence, the data become fuzzier, if there’s any available at all.
This is where a lot of your program has its effect, but it can be hard to link the reduction in incidents to the effectiveness of the program directly.
“Half the money I spend on advertising is wasted; the trouble is I don’t know which half.”Attributed to John Wanamaker, founder of Macy’s department store
Initially, there will be ‘before and after’ data to use for comparison, but it only takes a few months for the ‘before’ picture to be forgotten and demands for cost-cutting to set in. Reminding people to think about their LoI (loss on investment) instead of their RoI can be effective. Unfortunately, that’s doesn’t always work and successful programs are often dropped because the lack of incidents is seen as a lack of threat, rather than the result of successful mitigation. The resultant increase in incidents can then be attributed to a lack of competence in the team who are now, in effect, being punished for their previous success.
(Hey, no-one said this job was easy or fair.)
We’re seeing something similar in response to the coronavirus in the US. Movement restrictions, school closures, and social distancing are beginning to help in even the hardest-hit areas. Unfortunately, some are taking this as evidence that the threat was never as bad as feared. Some are even claiming that all of this was (and is) unnecessary.
The problem is that the threat is unchanged. And we still have no cure, no vaccine, and limited intensive care beds. Easing restrictions without some other combination of mitigation measures will cause more flare-ups requiring more restrictions. Some view the choice as binary: we are either open or closed, but it’s not as simple as that. Unfortunately, some leaders and decision-makers lack the imagination or creativity needed to think beyond these two choices.
What does this mean for us as risk managers?
One, I think we are in an excellent position to raise people’s awareness of what an effective mitigation program looks like alongside the dangers of dropping one. We need to be stressing that the absence of incidents does not mean an abatement of the threat.
Two, we are creative problem solvers, used to having to determine which of a series of bad options is the least bad overall. This puts us in an excellent position to help our leadership – whether that’s at the organization, community, or government level – to make difficult decisions.
Three, we understand the need for cooperation and finding common ground. It’s no secret that the US is riven by partisanship but, like all of our big challenges, COVID-19 doesn’t have a red or blue answer. Despite the loud voices that try to claim otherwise, neither party has a monopoly on expertise, competence or good ideas: we need everyone at the table to fix this. I’ve always found risk and security managers to be great at knowing people in all corners of the organization. Let’s harness some of that.
Finally, we get $h!t done. And if there’s a time for getting $h!t done, it’s now.
Phew! Politics, cursing (sorry Mum), and risk management. Hopefully also some food for thought.
Image from The Simpsons, (C) Matt Groening, 20th Century Studios.