Senior practitioners in corporate security have shared with SSR Personnel and Executive Profiles their vision of the future of enterprise risk.
You can watch and read their comments below.
The future of security will be dominated by the need to have physical security capabilities both integrated with, and protected by, cyber/information security capabilities, not only to ensure the security of any component that touches a corporate network (and some that don’t), but also to capitalise on the power of the networked world that facilitates automation, frictionless business activity, demonstrating compliance to policy and regulations, and driving efficiency.
In parallel with the business desire for secure and efficient security environments, there will be further innovation in delivery methodologies, particularly through biometric technologies and the adoption of cloud computing (including the challenges that go with this). While increasingly accepting facial recognition (and other biometric technologies), national restrictions on identity-related data transfer will however create barriers to further innovation.
In a true security culture every employee plays a vital part: Werner Cooreman, group security director, Solvay
Technology evolution over the past decade has brought significant change to business, but also to the security risks businesses encounter. Expansion of cloud technologies, in combination with artificial intelligence (unleashed on all that cloud data) and creation of the Internet of Things (once 5G is fully deployed), will multiply the vulnerabilities. And security threats are already taking big advantage of the expanded attack surface of companies as a result.
Taking a holistic enterprise security risk management approach has become the only way to stand a chance of increasing a company’s security resilience. Focusing on mitigation of priority security risks (be they cyber, physical or other in nature), whilst enhancing the capacity to rebound from inevitable incidents, will be essential. And so the successful security professional will be able to drive a true security culture in which every employee plays a vital part in the security program.
Organisations must consider partnerships in a world of change and increasing sophistication: Sir Rob Wainwright, ex-Europol, now partner, Deloitte NW Europe
In rapidly changing markets, innovation-driven growth is a key factor in business success, and reputation is essential in maintaining it.
Effective cyber risk management gives companies the confidence to take full advantage of technological opportunities, while evolving securely.
It is important that organisations consider partnering in a world of change and increasing sophistication, hence my being part of Deloitte Cyber Strategy, which offers a managed services approach to drive progress in a dynamic, digital world. It is important to have an agile approach to cyber threats whilst understanding that it is the future of commerce.
Resilience means understanding risk appetite and having appropriate mitigation: Adam Mallalieu, VP corporate security, GSK
Global security risks continue to be affected by numerous factors, manifesting in terror threats, political uncertainty and security risks to people, places, data and products. Controversial national elections, protests and national tensions continue to act as a reminder of the tinderbox of socio-political and economic issues that resonate globally.
Social tensions continue to drive increased nationalism, populism and far-right political groups into action, resulting in challenging operating environments for multinationals and in some cases increased far right terror threats. The broader terrorism threat globally remains. Both state and non-state actors, including criminal groups and activists, will look to continue to exploit weaknesses as cyber threats develop alongside new technological innovation.
Successful cyber-attacks on sensitive information will erode trust in governments and large companies who fail to protect their information effectively, with increased risks around individuals with access to sensitive areas, information and systems.
Future Security roles – will require a broader understanding of the risk spectrum (i.e. physical / human / tech). Practitioners will need business knowledge that will enable the agenda of the business.
Resilience – Understanding the business risk appetite and having appropriate mitigation in place to deal with incidents as they occur. Pragmatic proportionate solutions and well understood / trained CCM capabilities.
IoT – it is a reality and needs to be factored into the security design framework. AI / increased robotics etc will redefine ways of working (such as manufacturing) bringing new risks and opportunities. Exciting times ahead.
Integration of intelligence from open and closed sources is vital: Michael Barley, senior security adviser, Sky
The security practitioner’s approach internally, now and going forward, needs to be as a business partner rather than a provider of services. Greater integration in the day-to-day business is key. Security should be so embedded in the business that it works to take the risks out in order to help protect the bottom line.
Greater integration of intelligence from open and closed sources is vital so that a ‘connected intelligence’ network is established. This is fundamental to helping protect the brand and reputation of the business.
Identifying where the next threats come from; is it in the growth of economies from the Far East? By 2050 China and India’s economies will be bigger than all the G7 countries. We may see a shift of global power away from the Atlantic to the Pacific.
How much of a security issue will climate change become compared with 10 years ago? Countries and companies that can adapt will survive, those that can’t will suffer.
There’s demand for culturally attuned individuals with foreign language skills: Eduardo Jany, executive officer, global security, Bloomberg Inc
The security field is one that is constantly evolving at a rapid pace. Whether you are seeking to engage in physical security, investigations, cyber security or protective services, each of these areas relies heavily on technology. Today’s security practitioners must have a solid understanding of their organization’s needs, their environment and an ability to look at things holistically, to determine what is available, what can be most reasonable and most practical.
AI and automation combined with the IoT can mean improved efficiency and savings. The future of security operations, however, will not be one where machines or robots will be in total control. Machines will never deliver empathy or be capable of making decisions with flexibility based on the spirit of the law versus the letter of the law.
Security professionals, real persons capable of exceptional communications, will be in high demand. While many organizations favour prior service military or law enforcement members for their internal security roles, there is something of an emerging market for bright individuals who are adaptable, culturally attuned, forward thinking and technically adept, especially if they embrace diversity, possess foreign language skills and demonstrate respect, integrity, compassion and ethics.
It’s almost impossible to isolate businesses and systems from the outside world: Niall MacGinnis, director of group security, Sky
The future of security can be summed up in one word: technology. Technology will be the biggest asset to securing businesses and organisations and also pose the biggest threats. The CSO of today, and certainly of the future, needs to be able to understand technologies as they develop and keep an open and flexible mindset on how they are used.
They don’t need to be coding experts or have PhDs in robotics but they do need to grasp the key opportunities and the key risks of emerging technologies, both hardware and software based, covering all aspects of security from remotely monitoring sites at a virtual control room to understanding how artificial intelligence can enrich the picture we see and help to identify the real nuggets in a mass of data.
At the same time CSOs must have a firm grasp on the risks that technologies pose by people wanting to cause damage to the business. It is almost impossible to isolate businesses and systems from the outside world and the key skill that will be in demand is the judgement to focus on issues that really matter and calmly navigate executives through inevitable incidents and crises without drama.
Practitioners will need operational experience, risk and business qualifications and analytics knowledge: Toby Harding, head of security services, UK & MEA, Credit Suisse
There is no doubt that we are on the cusp of the next revolution, however this will be asymmetrical and complex in its evolution with the possibility of following down blind alleys remaining very real. As security professionals it is our duty to both embrace and temper these technological advances with good practice of the core principles of security risk management and remain driven by operational requirements.
As a security professional who cut his teeth in Iraq and Afghanistan during the infancy of the profession it has been great to see standards and governance becoming increasingly more recognised. The continuation of this is crucial for security practitioners to maintain value, however it will not be enough.
In this age of information businesses will become increasingly more demanding and will expect a holistic approach to risk management. Tomorrow’s security practitioner will be a rounded individual with both risk and business management qualifications with an understanding in software development and data analytics combined with operational experience.
Sound judgement, business acumen and an entrepreneurial approach will however continue to lead the way.
Organisations will bounce back to pre-defined operation levels more efficiently: David Clark, CSO & head of logistics, Francis Crick Institute
The internet of things will continue to impact the security industry wherein the convergence of multiple technologies, real time analytics and artificial intelligence will all contribute to the increasing prominence of technology in the security industry. Security roles will become more based around enterprise risk management, through the continued development of Chief Risk Officers working alongside Chief Security, Financial and People Officers.
Roles within the security industry will also be more equal, diverse and inclusive, where more women and individuals from a diverse range of backgrounds will continue to lead. Teams will be more collaborative and perform better as a result; which will also make organisations more resilient.
This means that organisations will bounce back to their pre-defined level of operation more efficiently following disruptions and where possible – improve on their practices. Through efficient crisis management procedures using more effective communication tools, this will also make organisations learn from their mistakes more readily – and in doing so they will become more resilient.
In fraud and cyber, we must find acceptable ways of ‘fast time’ sharing information of suspected and actual perpetrators: Don Randall MBE, ex-Bank of England, now senior consultant, Bivonas Law
Terrorism both National and International continues and will remain for many years to come, knife and gun crime increases daily, fraud and cybercrime is at an all-time high and law enforcement admits it can’t cope and one force admits it writes off circa 45% of all crimes within 24 hours.
Therefore, the need to expand the accepted and established public/private partnerships is fundamental across the full spectrum of all preventative, investigative and private / public prosecutions. An open mind is required in order to support the enforcement agencies and the barriers of commerciality need to be crossed.
We should maximise on the regulated security industry companies and personnel and find additional vehicles and empowerment to capitalise on their skills and more importantly their 24 x 7 presence. In the arena of fraud and cyber, respecting the regulatory and data protection requirements, we must find acceptable ways of ‘fast time’ sharing information of suspected and actual perpetrators of these criminal activities.
How will robotics, drones and the security operative interact? John Sheeran, head of regional security & senior VP, EMEA, Northern Trust Corporation
The days of gates, guards and guns are long gone, replaced with facial recognition, biometrics and other state of the art physical security detection systems; however, what cannot be replaced is the human element. The human will always be required as the start and end user to influence the systems we are using as the security landscape changes on an unprecedented basis.
We already have the ability to use our company access cards on our smart phones, however, the need in the modern corporate world to demonstrate that individuals within a building are indeed authorised to be there can only be verified by physical interaction and (biometric) identification – the wearing of badges – where does the smart phone fit in here?
The increased use of drones has radically changed the security landscape; the surveillance of an area can be done in minutes and not hours, streaming live footage to the user. Intelligence and communications are the areas needed to improve.
The vast amount of companies who provide so many different varieties of intelligence information, some of which is open source and available to all.
Finally, robotics is certainly a feature of the future in the security arena. Will they replace front line security officers? Can they respond as effectively to an incident (if programmed correctly by a human, maybe?). How will robotics, drones and the security operative interact? What platform, what communication system?
A resilient organisation looks at the topic through a holistic and risk-based lens: Kevin Allchorne, regional head, corporate security & safety, UK/EMEA, Aon
Security is such a diverse topic in the world today, that it is likely to see the role and responsibility of security managers evolve further. Organisations are more heavily focused now on risk than ever before, so at foundational level, it wouldn’t surprise me to see organisations looking for risk management qualifications ahead of security specific qualifications when recruiting for security managers or functional leads in the future.
To complement that risk management approach to security, skills and experience in many areas including physical, investigations, crisis/incident management, cyber, protection, resilience and business continuity are likely all to become required to progress to the top roles within an organisation, and depending on the scale of that organisation, specialists/SMEs within each of those areas would typically be seen reporting into that overall functional lead/risk manager.
A resilient organisation is one that looks at the topic through a holistic and risk-based lens. Minds naturally sway towards technology, data centres and cyber when you mention the word resilience, which often exposes other key elements of resilience; such as a lack of knowledge sharing between employees or the lack of testing of response and recovery procedures.
Finally, a mature program of employee awareness – to ensure incidents are reported consistently and as soon as possible – is key to an organisation’s level of resilience, as this provides the opportunity to contain and control the incident and prevent wider impact – which may lead to reputational, financial or regulatory consequences.
Threats are diversifying – the security sector must respond in kind: Rick Mounfield, chief executive, Security Institute
When a team is created to address a problem in business, the diversity of that team will have a positive impact on the solutions they develop. If every member of that team is the same age, gender, played the same sports and had the same interests, the answers to the problem they are addressing will invariably be the same.
The Security Industry suffers from this very problem. Mostly middle aged, white men, ex Military or Police. Whilst there will always be a need for such men, future threats require more variety in skills and thought leadership.
Not only tech-savvy security specialists but also different ways of thinking. The answers to the future problems need to be considered by diverse teams that are balanced to include women, members with disabilities, a variety of social and cultural upbringing that ensures that the risk appetites vary and the solutions to problems are extensive. Threats are diversifying, the Security sector must respond in kind.
Cultural change is needed to acknowledge security as a cost-effective business benefit: Kevan McCrone, senior consultant, Corprisk
Today’s security world and the future threat picture present interesting challenges & opportunities. Education of personnel is essential, so their commitment to academic qualification, training and involvement in multi-agency exercises where valuable learning enhances staff confidence, knowledge and organisational learning.
An organisation’s investment in response capability to any emergency situation will pay dividend in terms of a quicker return to normality and protection of brand. This is achieved in development of meaningful business continuity and incident response plans that address the likely threats and risks.
Engagement with emergency services, other agencies and local neighbourhood yields significant benefits in intelligence sharing, a collaborative approach in mitigating risk and provides confidence of levels of preparedness during crisis.
Security solutions, exploring and developing technological advances and identifying talented professionals to lead into the future, will certainly offer reassurance to asset owners and other interested parties. However, success will necessitate widespread cultural change to acknowledge security as a cost-effective business benefit.
Most board members want evidence of strong operational resilience across the business: James Mulheron, technology, cyber and data risk professional
Emerging technologies, big data, advanced analytics and a deluge of regulation have changed forever how businesses need to address future cyber and technology risk landscapes. The threat landscape is changing daily and with that comes the need for individuals of strategic mind-set and with a broad range of technology and data expertise to take hold of the organisation’s technology risk portfolio and provide the Board with appropriately risk assessed and commercially viable solutions.
Cyber threats resulting in breach or data loss and infrastructure failures impacting the business objectives are not new areas of risk to most organisations, however, the impact of these threats to the P&L objectives of the organisation are more severe than ever for both financial and reputational reasons.
The CISO of tomorrow needs to be ahead of the game to secure the top positions within the best employing organisations. No longer can he or she just focus on technology/cyber infrastructure design or static compliance reporting against audit or regulatory needs. The best individuals will be commercially astute, experts in risk management and be in a position to weigh up cost investment and savings against likelihood of loss vs threat vectors.
Being in a position to assess the value of risk [cost] the organisation faces to then be in a position to advise on pragmatic mitigation and associated cost of doing so can be worth more to an organisation than a new portfolio of paying clients.
Most board members want evidence of strong operational resilience systems and processes that encompass the DNA of every aspect of the business; this is now becoming a prerequisite requirement to be the best CISO.
The pace of innovation in the technical space, including the speed with which security manufacturers upgrade/change their systems, will create cost and integration challenges for businesses.
But the sea change will come when the young replace hardware devices, with their own person embed smart chip or coated nerve surgically implanted integrated network, making communications seamless and never requiring batteries as they personally act as the device and the battery. Having good and bad intentions, we need to keep pace with change.
We thank all those that have contributed to this article.