Sunday, April 15, 2018


THE EVOLUTION OF RISK MANAGEMENT,
WAS DARWIN RIGHT?



In the Theory of Evolution, Darwin suggests that evolution is about survival of the fittest.  Was he right?  While he was talking about the natural world, his theory also applies to the security business.

In order to survive in today’s world, businesses must adapt to their environments. The threats that were around twenty years ago have changed. They’ve become more sophisticated, and businesses must adapt to them. What worked before won’t necessarily work in today’s world. Not only have threat scenarios evolved, but the increase in technologies has also brought about a new variety of threats.

It used to be that a person who wanted to commit a breach of security had to be physically present in the space in order to carry out the attack. That is no longer the case. Since just about everything that has a moving part to it is somehow connected to the Internet of Things (IoT), a hacker does not have to be present in the physical sense in order to disable a closed-circuit television (CCTV) camera, for example. This means a new way of thinking about threats, vulnerabilities and risk is necessary.

Threats used to be pretty much two-dimensional. That is no longer true. Those involved in the risk management business must think in three-dimensional terms. In fact, they need to think about security as if it were a cube or box. It’s six-dimensional and the approach to risk management must be carried out that way. This will require, pardon the pun, “outside of the box” thinking.

Additionally, without the “it’s part of the culture” way of doing business, threat scenarios will continue to be played out with varying degrees of impact – and some will be catastrophic. Since we cannot prevent threats from occurring one hundred percent of the time, we have to get the results down to a level that we can accept and handle with available resources. This requires us to include scenarios that are improbable but whose results would overwhelm resources. I call this “impact centric planning”. I know most of us will not encounter an active shooter situation within our lifetime, but active shooter threats must be planned for wherever high concentrations of people gather. The adage “it won’t happen here” cannot be the flavor of the day. You’re right, it probably won’t happen here, BUT what if it does? What will be the impact?

Not only must we deal with threats that are likely, but we must also deal with threats that would be catastrophic even though very unlikely. An excellent example of a highly unlikely event is the Las Vegas shooting incident. That event was so improbable that if I had brought it up during a planning session, those in the room would have thrown their coffee at me.

In order to survive, we must ensure we are the fittest.  So, Darwin was absolutely right.