The new normal reimagines the process for assessing business risk
As the country continues to struggle to slip into a semblance of new normal for business, and organizations to move beyond the lingering devastation of the COVID-19 crisis, the dynamics of what constitutes risk and how it should be mitigated continue to evolve. Work-from-home has become the new default model for business -- at least in the short term. Depending on cloud services and expansion of cybersecurity risk has increased. Traditional distributed security controls and policy management are being tested by more stringent identity management infrastructure, and the new reality of cyber and physical security threats has forced a more robust strategy for proactive risk assessment and mitigation employing advanced analytics and AI.
Risk’s Wild Ride
So, if you think the last 20-plus months have been a wild ride for security, risk and business operations, most security professionals are saying “you ain’t seen nothing yet.”“To say the last year and a half has been challenging would be an understatement,” declares Ty Richmond, President of Allied Universal Risk Advisory and Consulting Services, whose team will be in Orlando this week for GSX 2021 at Booth #901. “Not only has it been a challenging 20 months, but I'm also not sure the next 20 months aren't going to be just as challenging as we move into a kind of the new normal. My sense is this is going to continue to be a crisis scenario and we need to remain nimble and adaptive and think out of the box on how we come back to work and work in the future and deal with the areas of our discipline.”
Richmond knows of what he speaks and riffing off the old Joni Mitchell song “Both Sides Now”, he has seen risk from both sides now. His cumulative years as a senior security leader at organizations like Mesa Petroleum, Mary Kay, HP/Agilent Technologies and Sony Pictures provide him a keen end-user perspective that has served him well as he transitioned into more consultative roles with Andrews International and now at Allied Universal for almost a decade. He has observed the disfunction some organizations have experienced during the pandemic from either being ill-prepared with their cyber and risk mitigation strategies or just totally lacking any preparation at all.
“It has been a very interesting period to observe those organizations that really and truly understood enterprise risk and were forward-thinking in terms of the different type of situations that they encountered. And those that had plans that were very thoughtful and looked at it from a more systematic approach with people, processes, and programs. These groups were proactively communicating on the front end, both internally within their own organization and then with their partners on the back end because service providers today have a natural extended relationship with their organizations. Most (service-providers) have extended operations that involve partners, suppliers, different variations of supply chain, processing and vendors that quite literally help organizations run the infrastructure in some of the specialty areas that help run their business,” Richmond says.
He adds that these types of organizations have a resilient mindset that looks at risk proactively and has an awareness of the situation to determine, "What do we need to be doing to build a process and an approach and mitigate the impact to our corporation, our clients, and kind of our value chain overall?"
“Because we are as large as we are, and because we have geographical coverage around the world, as well as possessing a variation of services and products that support over 400 of the Fortune 500, we see some of the best of the best in the world in how they deal with (risk). It has been very enlightening, very refreshing and actually advantageous to us as a service provider to see how our very progressive customers do this and see what happens to those that aren't proactively thinking and are now in a catch-up mode and quite frankly, have seen their businesses suffer because of it,” Richmond says.
Risk Strategy Must Consider the Human Element
Richmond also reminds his team that they mustn’t underestimate the human toll the pandemic has taken on their clients when assessing their risk dashboards and charting a mitigation course. The unique nature of the COVID crisis has affected each organization they serve in different ways.“I still talk to customers daily. I have family, friends and colleagues that I also interact regularly. Sometimes I think we don't appreciate the human impact all of this has on a business. Because we have our own personal experiences with (COVID), and that in itself has been dramatic some situations, I think this is something that we took for granted initially. However, we have now evolved an understanding that we must be more flexible and adaptive regarding how we should work differently,” continues Richmond. “That internalization of this (crisis) in corporations has also led to working with your suppliers differently; how you involve them in the process, how you lean on them but at the same time being respectful of their own situation.
“Now if you just take that whole scenario that I gave you and you lay it over a business (operational model), then you think about all of the intricacies of a company's business and workflow and how that extends across different suppliers and supply chain, it just compounds the complexity of the whole risk situation. It takes a lot of openness and creativity to continue to adapt to risks that are constantly changing and that we have to adapt to weekly.”
When an organization is looking to improve its business continuity by leveraging or simply implementing business intelligence and analytics to its operational process, the conversations with C-level management are crucial, according to Richmond. Creating a risk assessment plan and the subsequent mitigation strategies take appropriate investment for business intelligence and internal investigative infrastructure, which in turn require a top to bottom leadership approach.
“We've probably done more security assessments in the last 24 months that were foundational to the issue at hand than we've done in the previous 24 months. I truly think the reason why is multifaceted, but number one is the environments have changed dramatically and I think people are trying to assess that new environment, their new situation. They're also trying to determine how to budget for what they need to be able to manage this risk and this exposure while realizing it is going to change and it's going to adapt,” says Richmond.
About the Author:
Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and top-rated webportal SecurityInfoWatch.com. Steve can be reached at [email protected]